I am using NFS server version 4.x on a CentOS/RHEL based system. I’m mounting my shared /var/www/ directory on five Apache based nodes using the following syntax:

mount -t nfs4 -o rw,intr,hard,proto=tcp rocknas02:/httproot/www /var/www/

I noticed that, due to a bug in my app, users can sometimes upload executables or device files and use them to get out of the chrooted Apache server. How can I prevent such security issues on a CentOS or RHEL based NFS client and server setup?


Tutorial details
Difficulty level: Intermediate
Root privileges: Yes
Requirements: NFS v4.x
Est. reading time: 10m
First, you need to fix your application. Next, you can pass the following three options to the mount command to increase overall security on an Apache/Nginx/Lighttpd NFS-based client:

  1. noexec – Prevents execution of binaries on mounted file systems. This prevents remote users from executing unwanted binaries on your system.
  2. nosuid – Disables set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program.
  3. nodev – Prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices. This prevents remote users from getting out of chrooted server jails.

Modify your mount command as follows:
# mount -t nfs4 -o rw,intr,hard,proto=tcp,nodev,noexec,nosuid rocknas02:/httproot/www /var/www/
OR attempt to remount an already-mounted nfsv4.0 filesystem:
# mount -t nfs4 -o remount,rw,intr,hard,proto=tcp,nodev,noexec,nosuid rocknas02:/httproot/www /var/www/

Test it

To verify new settings, enter:
# mount
# mount | grep rocknas02

Sample outputs:

rocknas02:/httproot/www on /var/www type nfs4 (rw,noexec,nosuid,nodev,sync,intr,hard,proto=tcp,addr=,clientaddr=

Copy /bin/ls to rocknas02:/httproot/www, i.e. type the following on your NFSv4.0 server called rocknas02:
# cp /bin/ls /httproot/www
On the client, type:

cd /var/www
## run the system /bin/ls to list the share
ls -l
## run the uploaded copy; with noexec the exec fails with "Permission denied"
./ls

Sample outputs:

Fig. 01: Running ls command on nfs client

Updating /etc/fstab is left as an exercise for the reader.
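Checking one mount by eye is fine, but on five web nodes it is easy to miss one. The following shell script is an added example, not part of the original tutorial: it parses mount-table lines in /proc/mounts format and reports any NFS mount that lacks nodev, noexec or nosuid. The sample lines at the bottom are constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the tutorial): report NFS mounts that lack the
# nodev/noexec/nosuid options recommended above. Input lines use the
# /proc/mounts format: "source mountpoint fstype options dump pass".
REQUIRED="nodev noexec nosuid"

# check_nfs_opts MOUNT_LINE
# Prints "ok", "not-nfs", or the comma-separated list of missing options.
# Returns 0 when nothing is missing, 1 when hardening options are absent,
# 2 when the line is not an NFS mount.
check_nfs_opts() {
    set -- $1                      # split the line into its six fields
    fstype=$3
    opts=$4
    case "$fstype" in
        nfs|nfs4) ;;
        *) printf 'not-nfs\n'; return 2 ;;
    esac
    missing=""
    for want in $REQUIRED; do
        # Match whole option names only, so "dev" does not satisfy "nodev"
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    printf '%s\n' "${missing:-ok}"
    [ -z "$missing" ]
}

# Walk the live mount table and print one status line per NFS mount;
# exit status is non-zero if any NFS mount is missing an option.
audit_live_mounts() {
    rc=0
    while read -r src mp fstype opts dump pass; do
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        status=$(check_nfs_opts "$src $mp $fstype $opts $dump $pass") || rc=1
        printf '%-30s %s\n' "$mp" "$status"
    done < /proc/mounts
    return $rc
}

# Constructed sample lines for a stand-alone run (not captured from a real host)
SAMPLE_HARDENED='rocknas02:/httproot/www /var/www nfs4 rw,noexec,nosuid,nodev,hard,proto=tcp 0 0'
SAMPLE_WEAK='rocknas02:/httproot/www /var/www nfs4 rw,hard,proto=tcp 0 0'
```

Run audit_live_mounts from cron or a config-management check on each node; a non-zero exit means at least one share was remounted without the hardening options.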

Mount the filesystem read-only

If possible mount the filesystem in read-only mode. Modify your mount command as follows:
# mount -t nfs4 -o ro,intr,hard,proto=tcp,nodev,noexec,nosuid rocknas02:/httproot/www /var/www/
OR attempt to remount an already-mounted nfsv4.0 filesystem:
# mount -t nfs4 -o remount,ro,intr,hard,proto=tcp,nodev,noexec,nosuid rocknas02:/httproot/www /var/www/

Recommended file/directory permissions for Apache

I suggest the following schema:

Run Apache as apache user and group

httpd starts as root and then switches to the apache user and group; confirm this with:
# egrep -i '^(User|Group)' /etc/httpd/conf/httpd.conf
Sample outputs:

User apache
Group apache

NFS server file/directory permission for /var/www/

Create a user called www-files using useradd command:
# useradd -d /var/www -M -s /sbin/nologin www-files
Make sure you lock www-files account using passwd command:
# passwd -l www-files
Change the file owner and group of the /var/www directory to www-files using the following chown command:
# chown -R www-files:www-files /var/www/
Finally, change the file mode bits of each file and directory according to the schema (run as root):

## By default, all files and directories are set to read-only ###
chmod -R 0444 /var/www
## Allow apache/nginx/lighttpd to serve files by giving directories the others-x bit ###
find /var/www -type d -print0 | xargs -0 -I {} chmod 0445 "{}"
## Optional: certain directories may need extra permissions, e.g. /var/www/uploads ###
## Note: 0777 makes the tree writable by every local user; grant write only to the web server's user/group if you can ###
#chmod -R 0777 /var/www/uploads

Use ls -l command to verify file permissions:
# cd /var/www
# ls -l

Sample outputs:

total 32
-r--r--r--. 1 www-files www-files  606 Dec 21  2011 best_resources.php
-r--r--r--. 1 www-files www-files 1068 Sep  4  2011 cdn_info_linux_unix_setup.php
dr--r--r-x. 2 www-files www-files 4096 Aug  5  2012 data
-r--r--r--. 1 www-files www-files 1550 Jun 22  2012 service-per-vm-guide.php
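Permissions drift as content is deployed, so it helps to re-check the tree against the schema above. The following shell script is an added example, not part of the original tutorial: it walks a web root with GNU stat and reports every entry whose owner or mode deviates, flagging world-writable entries (the 0777 uploads case) separately. The sample tree it builds is constructed for a stand-alone run; www-files is the account from the tutorial and the DIR/OWNER/GROUP parameters are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a web root against the schema
# above (files 0444, directories 0445, all owned by the locked www-files
# account). Prints one line per deviation; returns 0 only when the tree is
# clean. Assumes GNU stat, as shipped on CentOS/RHEL.
# Usage: audit_webroot DIR [OWNER] [GROUP]   (group check skipped if GROUP empty)
audit_webroot() {
    dir=$1
    owner=${2:-www-files}
    group=$3
    findings=$(
        find "$dir" -exec stat -c '%a %A %U %G %n' {} + |
        while read -r mode perms user grp path; do
            # Ownership: every entry should belong to the service account
            [ "$user" = "$owner" ] ||
                printf 'OWNER  %s owned by %s, want %s\n' "$path" "$user" "$owner"
            [ -z "$group" ] || [ "$grp" = "$group" ] ||
                printf 'GROUP  %s in group %s, want %s\n' "$path" "$grp" "$group"
            # Mode: directories keep the others-x bit so httpd can traverse them
            case "$perms" in
                d*) want=445 ;;
                *)  want=444 ;;
            esac
            case "$mode" in
                *[2367]) printf 'WORLD-WRITABLE %s mode %s\n' "$path" "$mode" ;;
                "$want") ;;
                *) printf 'MODE   %s mode %s, want %s\n' "$path" "$mode" "$want" ;;
            esac
        done
    )
    [ -z "$findings" ] || printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Constructed sample tree (not a real server) so the audit can run stand-alone:
# one conforming file, a 0644 file and a 0777 uploads directory as in the
# commented-out chmod above, plus a root left at the default 0755.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/uploads"
    : > "$d/index.php"
    : > "$d/uploads/x.txt"
    chmod 0444 "$d/index.php"
    chmod 0644 "$d/uploads/x.txt"
    chmod 0777 "$d/uploads"
    chmod 0755 "$d"
    printf '%s\n' "$d"
}
```

On a real server run it as root (the schema gives the owner no x bit on directories, so a non-root owner cannot traverse them), for example: audit_webroot /var/www www-files www-files.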
See also
This entry is 15 of 15 in the Linux / UNIX NFS File Server Tutorial series.