<HTML
><HEAD
><TITLE
>The /etc/exports file</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.60"><LINK
REL="HOME"
TITLE="Securing and Optimizing Linux"
HREF="index.html"><LINK
REL="UP"
TITLE="General System Security"
HREF="gen-syssecured.html"><LINK
REL="PREVIOUS"
TITLE="The root account"
HREF="chap5sec32.html"><LINK
REL="NEXT"
TITLE="Disable console program access"
HREF="chap5sec34.html"></HEAD
><BODY
CLASS="section"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Securing and Optimizing Linux: RedHat Edition -A Hands on Guide</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="chap5sec32.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 5. General System Security</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="chap5sec34.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="section"
><H1
CLASS="section"
><A
NAME="AEN3264"
>5.5. The <TT
CLASS="filename"
>/etc/exports</TT
> file</A
></H1
><P
> If you are exporting file systems using the <SPAN
CLASS="acronym"
>NFS</SPAN
> service, be sure to configure the <TT
CLASS="filename"
>/etc/exports</TT
> file with the most restrictive access possible. This means not using wildcards, not allowing root write access, and mounting read-only wherever possible.
<DIV
CLASS="example"
><A
NAME="AEN3270"
></A
><P
><B
>Example 5-1. Export file systems using <SPAN
CLASS="acronym"
>NFS</SPAN
></B
></P
><P
> Edit the exports file (vi <TT
CLASS="filename"
>/etc/exports</TT
>) and add:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
> /dir/to/export host1.mydomain.com(ro,root_squash)
 /dir/to/export host2.mydomain.com(ro,root_squash)
</PRE
></TD
></TR
></TABLE
>
Where:
<P
></P
><UL
><LI
STYLE="list-style-type: opencircle"
><P
> <TT
CLASS="filename"
>/dir/to/export</TT
> is the directory you want to export.
</P
></LI
><LI
STYLE="list-style-type: opencircle"
><P
> <TT
CLASS="literal"
>host<TT
CLASS="prompt"
>#</TT
>.mydomain.com</TT
> is the machine allowed to mount this directory.
</P
></LI
><LI
STYLE="list-style-type: opencircle"
><P
> The <TT
CLASS="literal"
>ro</TT
> option means the directory is mounted read-only.
</P
></LI
><LI
STYLE="list-style-type: opencircle"
><P
> The <TT
CLASS="literal"
>root_squash</TT
> option denies root write access to this directory.
</P
></LI
></UL
>
</P
></DIV
>
For this change to take effect, run the following command in your terminal:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
> [root@deep]# /usr/sbin/exportfs -a
</PRE
></TD
></TR
></TABLE
>
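One way to check an exports file against the three rules above (no wildcards, no root write access, read-only wherever possible), as an added example that is not part of the original guide. The function name audit_exports and every sample entry other than the guide's two lines are constructed for illustration; the parser assumes the plain "path client(options)" form shown above and does not handle quoted paths.

```python
import re

# Constructed sample, not from the original page: the guide's two entries
# plus three entries that break its rules.
SAMPLE_EXPORTS = """\
# /etc/exports
/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)
/srv/build     *.mydomain.com(rw,root_squash)
/srv/backup    host3.mydomain.com(rw,no_root_squash) \\
               host4.mydomain.com(ro)
/srv/pub       (ro)
"""

# One client spec: optional host part, then optional "(opt,opt,...)".
CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")


def audit_exports(text):
    """Return (path, client, problem) tuples for entries that are too permissive."""
    findings = []
    # Join backslash-continued lines before splitting into entries.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            match = CLIENT_RE.match(spec)
            if match is None:
                findings.append((path, spec, "unparseable client spec"))
                continue
            client = match.group(1)
            opts = set((match.group(2) or "").split(","))
            if client == "":
                findings.append((path, spec, "no host name: exported to every host"))
            elif "*" in client or "?" in client:
                findings.append((path, client, "wildcard in host name"))
            if "rw" in opts:
                findings.append((path, client, "rw: not mounted read-only"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash: root write access allowed"))
    return findings


if __name__ == "__main__":
    for path, client, problem in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}\t{client}\t{problem}")
```

To audit a live system, pass the contents of /etc/exports to audit_exports before running exportfs.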
</P
><DIV
CLASS="note"
><BLOCKQUOTE
CLASS="note"
><P
><B
><SPAN
CLASS="inlinemediaobject"
><IMG
SRC="./images/Note.gif"
ALT="Note"
></IMG
></SPAN
>: </B
>
Please be aware that having an <SPAN
CLASS="acronym"
>NFS</SPAN
> service available on your system can be a security risk. Personally, I don't recommend using it.
</P
></BLOCKQUOTE
></DIV
></DIV
></BODY
></HTML
>