
4_4 Subtree Check

Michael Eder edited this page Dec 29, 2024 · 1 revision

The `subtree_check` option only exists on Linux. By default, NFS clients can access files that are outside an exported directory but on the same file system. For example, if the storage device of a server is mounted at `/mnt/storage` and the directory `/mnt/storage/share` is configured as an export, malicious clients can in some cases also access files located in `/mnt/storage/private`. An attacker can also replace the share directory with a symlink to any other directory on the server. To prevent this, only export the root of a file system or enable the `subtree_check` option on the export. One improperly configured subdirectory export can give an attacker access to all files on the server.
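One way to check a server for this misconfiguration, as an added example that is not part of the original wiki: the script below flags every export that is neither the root of a file system nor protected by `subtree_check`. The function names and the sample data are constructed for illustration, and the caller is assumed to supply the set of mount points (for example, read from `/proc/self/mounts`).

```python
import re

FLAGS = ("subtree_check", "no_subtree_check")

def parse_exports(text):
    """Yield (path, client, option_list) for each client entry of an exports file.
    Simplification: export paths that contain spaces are not handled."""
    for line in text.replace("\\\n", " ").splitlines():   # join continuations
        tokens = line.split("#", 1)[0].split()             # strip comments
        if not tokens:
            continue
        path, defaults, seen_client = tokens[0], [], False
        for tok in tokens[1:]:
            if tok.startswith("-"):                        # "-a,b": line defaults
                defaults = tok[1:].split(",")
                continue
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", tok)
            if m:
                seen_client = True
                yield path, m.group(1) or "*", defaults + (m.group(2) or "").split(",")
        if not seen_client:                                # bare path: any host
            yield path, "*", defaults

def subtree_check_enabled(options):
    """Assumption: the last flag wins; no flag means no_subtree_check,
    which is the default since nfs-utils 1.1.0."""
    flags = [o for o in options if o in FLAGS]
    return bool(flags) and flags[-1] == "subtree_check"

def audit(exports_text, mount_points):
    """Return (path, client) pairs that export a non-root directory unchecked."""
    findings = []
    for path, client, options in parse_exports(exports_text):
        is_fs_root = (path.rstrip("/") or "/") in mount_points
        if not is_fs_root and not subtree_check_enabled(options):
            findings.append((path, client))
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE_MOUNTS = {"/", "/mnt/storage", "/srv/data"}
SAMPLE_EXPORTS = """\
# /mnt/storage is one file system holding share, docs, backup and private
/mnt/storage/share   192.0.2.0/24(rw,sync)
/mnt/storage/docs    192.0.2.0/24(ro,subtree_check) *.example.org(ro)
/srv/data            192.0.2.10(rw,no_subtree_check)
/mnt/storage/backup  -subtree_check 192.0.2.20(ro)
"""

if __name__ == "__main__":
    for path, client in audit(SAMPLE_EXPORTS, SAMPLE_MOUNTS):
        print(f"{path} -> {client}: not a file system root and no subtree_check")
```

On the sample, the `share` export and the `*.example.org` entry of the `docs` export are reported; `/srv/data` passes because it is itself a mount point.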
