4.1.4.6 NFS - no_root_squash option

Information

For each NFS export, ensure that the anon aka root_squash option is set to -2 or -1.

Rationale:

Each NFS export on the server should have the anon=-2 option set. With this (default) value root (euid==0') is seen as the account nobody. When anon=0 the remote root user has root access on the NFS mount.

By ensuring the export option anon=-2 when a client process with euid==0 attempts to access (read, write, or delete) the NFS mount the server substitutes the UID to the server's nobody account. This means that the root user on the client cannot access or change files that only root on the server can access or change.

Many NFS servers call this root_squash. On AIX is is called anon. To be consistent with other benchmark terminalogy CIS recommends that root_squash is set on all exported filesystems.

On AIX the default value of any exported filesystem or directory for anon is -2. Thus, when anon is not set it's effective value is -2. Any other value has to be explicitly set.

As a more secure option you can set the option to anon=-1. This setting is accepted because it disables anonymous access. By default, secure NFS accepts non-secure requests as anonymous.

NOTE: The root user on the client can still use su to become any other user (change the euid) and access and change that users files, assuming that the same user exists on the NFS server and owns files and/or directories in the NFS export.

Solution

To change this value for all failing NFS exported filesystems:

lsnfsexp | grep -v 'anon=-1' | grep anon= | while read fs rest; do
chnfsexp -d ${fs} -a -2
done

The command chnfsexp re-exports the file or directory with the new settings active.

Default Value:

(blank) which is seen as -2 (nobody) effective setting root_squash by default.

See Also

https://workbench.cisecurity.org/benchmarks/13069

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: Unix

Control ID: b7ab7a4b40d2963d9e2c8bd547b0c6c892b4cb7330e43af10888135abd960bb1