Disable suid/sgid program execution and/or access to system devices via permissions set on any mounted NFS filesystem.

Rationale: Setting the nosuid and nodev options means that files on the NFS server cannot be used to gain privileged access on the client. This hampers a malicious user from creating an attack vector on the server, then logging onto an NFS client as a standard user and using the suid/sgid program to effectively become another user (especially root) on that client. The nodev option blocks malicious or accidental (raw) access to system devices (e.g., /dev/kmem, /dev/rhdisk0). Access to devices is not exclusive to the /dev directory: device access goes through so-called special files, which are defined by their major and minor device ids, wherever they reside.
Solution
For each NFS mount, disable suid programs and device access. List the current NFS mounts and remount any that lack nosuid or nodev:

lsnfsmnt -l | /usr/bin/egrep -v '^Name' | /usr/bin/grep -v 'nosuid' |
    while read remote local host rest; do
        chnfsmnt -d ${remote} -f ${local} -h ${host} -y -z
    done

lsnfsmnt -l | /usr/bin/egrep -v '^Name' | /usr/bin/grep -v 'nodev' |
    while read remote local host rest; do
        chnfsmnt -d ${remote} -f ${local} -h ${host} -y -z
    done

NOTE: The NFS mount is re-mounted automatically by chnfsmnt.

NOTE: The second loop might not do anything, as both loops set both nosuid (-y) and nodev (-z).

Default Value: N/A
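An audit counterpart to the remediation above, added here as an example and not part of the benchmark: it reads one mount per line as remote directory, local mount point, host and a comma-separated option list (a constructed layout; confirm the column order of lsnfsmnt -l on your release before piping its output in) and reports every mount that still lacks nosuid and/or nodev.

```shell
#!/bin/sh
# Added example (not benchmark code). Input lines (constructed format):
#   <remote-dir> <local-mountpoint> <remote-host> <opt1,opt2,...>
# A leading header line whose first field is "Name" is skipped.
# Output: one line per non-compliant mount, naming the missing option(s).
nfs_missing_opts() {
    while read -r remote lmount host opts rest; do
        # skip blank lines and the header line
        if [ -z "$remote" ] || [ "$remote" = "Name" ]; then
            continue
        fi
        missing=""
        # wrap the option list in commas so that whole-token matching works
        case ",$opts," in
            *,nosuid,*) ;;
            *) missing="nosuid" ;;
        esac
        case ",$opts," in
            *,nodev,*) ;;
            *) missing="${missing:+$missing,}nodev" ;;
        esac
        if [ -n "$missing" ]; then
            printf '%s %s %s missing=%s\n' "$remote" "$lmount" "$host" "$missing"
        fi
    done
}

# Constructed sample inventory: only the first mount carries both options.
SAMPLE_MOUNTS='Name Local Host Options
/export/home /home nfsserver rw,bg,hard,intr,nosuid,nodev
/export/tools /usr/local/tools nfsserver rw,bg,hard,intr,nosuid
/export/data /data nfsserver rw,bg,hard,intr'

# Run the audit over the sample; prints the two non-compliant mounts.
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | nfs_missing_opts
}
```

Any mount the audit reports is one the chnfsmnt loops above would remount with -y -z; an empty report means no further action is needed.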