NFS Security – nfs_portmon to restrict client source port to privileged ports

Network File System (NFS) security in Sun Solaris can be enhanced by restricting the source ports of NFS client connections to privileged ports only. The privileged port range is from 512 to 1023. With this feature enabled, the Solaris NFS server checks that client requests originate from privileged ports. This prevents malicious users from gaining access to files exported/shared by the NFS server using custom RPC-based scripts or applications running on unprivileged ports.

In Sun Solaris 10 this is enabled by default. In Solaris 9 and earlier, this can be enabled by simply editing the /etc/system file and adding an entry for nfs_portmon.

Edit the /etc/system file

sunsolaris# vi /etc/system

Add the following line

set nfssrv:nfs_portmon = 1

If you run Solaris 2.5 or earlier, add this line instead:

set nfs:nfs_portmon = 1

This change requires a reboot of the server for it to take effect.

Reboot the server

sunsolaris# init 6

When the server reboots, the changes take effect.

In Solaris 8 and later, run the following to confirm the change:

sunsolaris# adb -k

nfs_portmon /D

If this returns “1”, nfs_portmon is enabled; if it returns “0”, nfs_portmon is not enabled.
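
The adb check above reads the running kernel. As a complement, the file itself can be audited before the reboot. The script below is an added example, not part of the original post: the function names and the sample file contents are constructed for illustration, and it assumes that when the tunable is set more than once the last line wins.

```shell
#!/bin/sh
# Added example: static audit of an /etc/system-format file for nfs_portmon.

# Print the value assigned to nfssrv:nfs_portmon (or nfs:nfs_portmon on
# Solaris 2.5 and earlier), or "unset" when no active line sets it.
# Assumption: when the tunable is set more than once, the last line wins.
portmon_value() {
    awk '
        /^[ \t]*[*#]/ { next }    # comment lines start with "*" or "#"
        /^[ \t]*set[ \t]+(nfssrv|nfs):nfs_portmon[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)   # drop everything up to the "="
            sub(/[ \t]+$/, "", v)         # drop trailing whitespace
            val = v; seen = 1
        }
        END { if (seen) print val; else print "unset" }
    ' "$1"
}

# Exit status 0 only when the file explicitly enables the port check.
portmon_check() {
    _v=$(portmon_value "$1")
    case "$_v" in
        1)     echo "OK: nfs_portmon = 1 in $1"; return 0 ;;
        unset) echo "WARN: nfs_portmon not set in $1; release default applies"; return 1 ;;
        *)     echo "FAIL: nfs_portmon = $_v in $1"; return 1 ;;
    esac
}

# Constructed sample input (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
* set nfssrv:nfs_portmon = 0   (commented out, ignored)
set maxusers = 64
set nfssrv:nfs_portmon = 1
EOF
portmon_check "$sample" || true
rm -f "$sample"
```

On a server, run portmon_check /etc/system after editing; a WARN result on Solaris 9 or earlier means the line was not added or is commented out.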
