# NFS: is /export necessary?

## grant123

I followed the Gentoo wiki to set up NFS:

http://wiki.gentoo.org/wiki/NFSv4

I skipped the /export stuff and just added the actual paths I want to share to /etc/exports.  Is that OK?  Why use /export?

----------

## massimo

I think for compatibility reasons [1].

[1] http://doc.opensuse.org/products/draft/SLES/SLES-admin_sd_draft/cha.nfs.html#sec.nfs.export.coexisting

----------

## krinn

You don't have to use /export but any directory you wish.

But if you add the actual paths and do not bind them to a directory that you will mark fsid=0, you are just doing an nfsv3 config file and not an nfsv4 config file.

It means everything will appear OK as long as all your clients use an nfsv3 implementation. But if any use nfsv4 you'll be in trouble as the results will just be unexpected.

So it's not for compatibility reasons; you must attach your directories to one that will be the root of your server because it's the nfsv4 implementation.

----------

## grant123

Thanks krinn.  Am I OK to run an nfsv3 implementation or should I use nfsv4 for some reason?

----------

## szatox

You can run whatever you are comfortable with.

NFS2, NFS3, and NFS4 are all NFS (that stands for No File Security).

They are well integrated, easy to use and completely insecure. I'm happy with NFS3.

----------

## Jaglover

NFSv4 was designed to work securely on the internet. 

Read more: http://www.sans.org/reading-room/whitepapers/linux/nfs-security-trusted-untrusted-environments-1956

----------

## grant123

 *szatox wrote:*   

> You can run whatever you are comfortable with.
> 
> NFS2, NFS3, and NFS4 are all NFS (that stands for No File Security).
> 
> They are well integrated, easy to use and completely insecure. I'm happy with NFS3.

 

If /etc/exports says something like:

```
/media/music    192.168.0.0/24(subtree_check)
```

Is that sufficiently secure or am I missing something?

 *Jaglover wrote:*   

> NFSv4 was designed to work securely on the internet.

 

Are the changes it brings over NFSv3 unnecessary if it's only permitted to operate over a LAN?

----------

## szatox

As long as you trust your network, No File Security v3 is absolutely fine. You don't want to expose it to the general public though, as there is no authentication, and authorisation is based on UID and GID numbers, which can be faked or even accidentally misused. If your UID on 2 different computers doesn't match, you might access files that belong to another user - this depends on configuration, as workarounds for this exist.

IP can be assigned manually or spoofed. Taking those things together, neither IP nor UID/GID restrictions provide any security.

Jaglover, thanks for the link about NFS4, I'll have a look at it ;)

As a side note, the funny thing is nobody cares about FTP sending username and password in clear text.
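
An added example, not part of szatox's post or of the Gentoo wiki: a small Python audit of exports(5) text that flags the points raised in this thread (no fsid=0 root for NFSv4, sec=sys trusting the UID/GID the client sends, exports open to any host). Only the /media/music line comes from the thread; the /export layout, the sec=krb5p settings and the wildcard entry in the sample are constructed assumptions.

```python
# Added example: audit exports(5) text for the trust issues discussed in the thread.
# Constructed sample: the thread's export line plus a hypothetical /export layout.
SAMPLE_EXPORTS = """\
# NFSv3-style: the real path exported directly (line quoted in the thread)
/media/music    192.168.0.0/24(subtree_check)
# NFSv4-style: one root marked fsid=0, shares bind-mounted beneath it
/export         192.168.0.0/24(ro,fsid=0,sec=krb5p,no_subtree_check)
/export/music   192.168.0.0/24(ro,sec=krb5p,no_subtree_check) *(rw,no_root_squash)
"""


def parse_exports(text):
    """Yield (path, client, options) for every client entry in the text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *entries = line.split()
        # A path with no client list, or an entry like "(ro)", applies to every host.
        for entry in entries or ["*"]:
            client, _, opts = entry.partition("(")
            options = {o for o in opts.rstrip(")").split(",") if o}
            yield path, client or "*", options


def audit(text):
    """Return (path, client, finding) tuples for risky export settings."""
    entries = list(parse_exports(text))
    findings = []
    if not any({"fsid=0", "fsid=root"} & opts for _, _, opts in entries):
        findings.append(("-", "-", "no fsid=0 export: no explicit NFSv4 root"))
    for path, client, opts in entries:
        # sec= takes a colon-separated list; exports(5) defaults to sec=sys.
        flavors = next((o[4:].split(":") for o in opts if o.startswith("sec=")), ["sys"])
        if "sys" in flavors:
            findings.append((path, client, "sec=sys: UID/GID sent by the client is trusted"))
        if client == "*":
            findings.append((path, client, "exported to any host"))
        if "no_root_squash" in opts:
            findings.append((path, client, "remote root is not mapped to nobody"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit(SAMPLE_EXPORTS):
        print(f"{path:15} {client:18} {finding}")
```
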

----------

## grant123

If something were to go wrong with my firewall, would my /etc/exports config above be sufficient to prevent access to the share from the internet or could that be spoofed somehow?

----------

## depontius

 *szatox wrote:*   

> as a side note, funny thing is nobody cares about FTP sending username and password in clear text.

 

Then there are those of us who don't use ftp, using scp or sftp instead.  Though usually when going over the internet it's non-login through http, or I guess login through https.

----------

## steveL

Yeah, I wouldn't say that nobody cares..

----------

