On the server we can decide that we don't want to trust the client's root account. We can do that by using the root_squash option in exports:

    /mn/eris/local apollon(rw,root_squash)

Now, if a user with UID 0 on the client attempts to access (read, write, delete) the file system, the server substitutes the UID of the server's `nobody' account. This means that the root user on the client can't access or change files that only root on the server can access or change. That's good, and you should probably use root_squash on all the file systems you export. "But the root user on the client can still use 'su' to become any other user and access and change that user's files!" say you. To which the answer is: yes, and that's the way it is, and has to be, with Unix and NFS. This has one important implication: all important binaries and files should be owned by root, and not by bin or another non-root account, since the only account the client's root user cannot become is the server's root account. In the nfsd man page there are several other squash options listed so that you can decide to mistrust whomever you (don't) like on the clients. You also have options to squash any UID and GID range you want to. This is described in the FreeBSD nfsd man page.

root_squash is in fact the default with the FreeBSD nfsd; to grant root access to a filesystem use no_root_squash.
Another important thing is to ensure that nfsd checks that all its requests come from a privileged port. If it accepts requests from any old port on the client, a user with no special privileges can run a program that is easy to obtain over the Internet. It talks the NFS protocol and will claim that the user is anyone the user wants to be. Spooky. The FreeBSD nfsd does this check by default; on other OSes you have to enable this check yourself. This should be described in the nfsd man page for the OS.

Another thing. Never export a file system to 'localhost' or 127.0.0.1. Trust me.
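The three points above (squash the client's root, accept requests only from privileged ports, never export to the loopback host) can be checked mechanically against an exports file. The following audit script is an added example, not part of the original text; it assumes the Linux exports(5) syntax used in the example line above (host(option,...) per client, where no_root_squash disables root squashing and insecure disables the privileged-port check), and the exports content it scans is a constructed sample, not a real configuration.

```python
import re

# Constructed sample exports file (Linux exports(5) syntax); not a real configuration.
SAMPLE_EXPORTS = """\
# constructed sample
/mn/eris/local apollon(rw,root_squash)
/srv/build     apollon(rw,no_root_squash)
/srv/pub       *(ro,insecure)
/srv/loop      localhost(rw) 127.0.0.1(rw)
/srv/ok        apollon(rw)
"""

ENTRY_RE = re.compile(r"^(\S+)\s+(.*)$")          # path, then client list
CLIENT_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")  # host, optional (options)


def parse_exports(text):
    """Return a list of (path, host, options) tuples from exports(5)-style text.

    Comments and blank lines are skipped. A bare "(opts)" token with no host
    (the classic 'space before the parenthesis' mistake) applies to every host,
    which is what exports(5) does, so it is recorded as host "*".
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        path, rest = m.groups()
        for token in rest.split():
            cm = CLIENT_RE.match(token)
            host = cm.group(1) or "*"
            opts = set(filter(None, (cm.group(2) or "").split(",")))
            entries.append((path, host, opts))
    return entries


def audit_exports(text):
    """Return (path, host, reason) findings for the risky settings discussed above."""
    findings = []
    for path, host, opts in parse_exports(text):
        if "no_root_squash" in opts:
            findings.append((path, host, "no_root_squash: client root is trusted as server root"))
        if "insecure" in opts:
            findings.append((path, host, "insecure: requests accepted from unprivileged ports"))
        if host == "localhost" or host.startswith("127."):
            findings.append((path, host, "exported to the loopback host"))
        if host == "*":
            findings.append((path, host, "exported to every host"))
    return findings


if __name__ == "__main__":
    for path, host, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {host}: {reason}")
```

Only the explicit options are inspected: on Linux, root_squash and secure are already the defaults, so an entry such as `/srv/ok apollon(rw)` produces no finding, while `no_root_squash` and `insecure` are what actually weaken the two checks. FreeBSD's exports file uses a different syntax (options such as -maproot are given per line), so this parser would need adapting before being pointed at a FreeBSD server.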