4.1.4.3 NFS - enable both nosuid and nodev options on NFS client mounts

Information

Disable suid/sgid program execution and/or access to system devices via permissions set on any mounted NFS filesystem.

Rationale:

Setting the nosuid and nodev options means that files on the NFS server cannot be used to gain privileged access on the client.

This hampers a malicious user from creating an attack vector on the server and then log onto an NFS client as a standard user and use the suid/sgid program to effectively become another user (especially root) on that client.

The nodev options blocks malicious/accidental (raw) access to system devices (e.g., /dev/kmem, /dev/rhdisk0). Access to devices is not exclusive to the /dev directory. Device access is so-called special-files that are defined as a Major, Minor device id's.

Solution

For each NFS mount, disable suid programs and device access. List the current NFS mounts:

lsnfsmnt -l | /usr/bin/egrep -v '^Name' | /usr/bin/grep -v 'nosuid' | while read remote local host rest; do
chnfsmnt -d ${remote} -f ${local} -h ${host} -y -z
done

lsnfsmnt -l | /usr/bin/egrep -v '^Name' | /usr/bin/grep -v 'nodev' | while read remote local host rest; do
chnfsmnt -d ${remote} -f ${local} -h ${host} -y -z
done

NOTE: The NFS mount needs is re-mounted automatically by chnfsmnt.
NOTE: The second loop might not do anything as both loops set both nosuid (-y) and nodev (-z)

Default Value:

N/A

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3

Plugin: Unix

Control ID: d61838d1bf1008522b33d47c2ca14f184c9bc67372554102a4f9678dd10773e4