Sharing Data via NFS
Mac OS X can share folders of its own file system for access in the
network via the NFS protocol.
Note: NFS and UNIX systems often use the word export to refer to an NFS share.
This manual and NFS Manager use the term share only.
Because NFS is designed as a distributed file system, it is common
- to share whole disk volumes or specific “top-level” folders of volumes, and
- to share private home folders.
The access privileges for users and groups are controlled by the permission
settings of each single file and folder, not by settings for the share. A share
can only define access restrictions for computers.
Creating or changing NFS shares
To work with NFS shares, select the item NFS Server > Share Definitions in
the left overview column of the control window, or select the menu item Configuration
> Show Share Definitions. The list of shared folders will be displayed
in a table at the right side of the window. After selecting a line in the table,
detail information about this share will be shown below the table. This data
can be modified as desired.
- To delete a share, select the respective line in the list and press the
button - under the table.
- To create a new share, press the button + under the table.
A new share entry will be created with defaults, which you'll have to overwrite.
Perform the following steps to adjust the settings of a share to your needs:
- Press the button Select… next to the line Folder to share to choose
a local folder which should be made available to the network. Please also
see the notes below in the section Limitations of NFS shares.
- Use the other controls to define the settings for this share.
If all write operations to this share should be blocked even if the respective
user would have write permission, leave the checkmark at the field Share
“read only” set. Otherwise you'll have to remove the checkmark.
After a certain folder has been selected for sharing, its absolute path will
become the share name other computers must use for mounting. Other computers
will see the whole file hierarchy in (or “below”) that folder. If computers
should additionally be allowed to mount a subfolder of the shared folder,
check the option Allow clients to also mount objects in the shared folder.
Example: Instead of /share other systems may also mount /share/subfolder if
desired.
Mapping user and group accounts between client and server
The pop-up button User Mapping defines how users and groups of accessing computers
should be mapped to users and groups of the sharing computer. The security
model of NFS allows the following restrictions:
- Map “root” to unprivileged user (“nobody”): The top system administrator
(root) of a foreign computer is treated as an unauthorized user by the NFS
server by mapping it to the account nobody, which usually doesn't have any
rights. This is the recommended setting to avoid security holes.
- Map all users to unprivileged user
(“nobody”): In this mode all users and groups of an accessing computer
will be mapped to the account nobody. This is a very secure setting.
- Don't map users: This setting causes users and groups of
the accessing computer to be mapped one-to-one to users and groups of the
NFS server. This means the UIDs and GIDs will be used without further inspection
or interpretation. In particular, the top system administrator (root) of
each accessing computer will automatically be seen as top system administrator
(root) of the NFS server. This can be a major security hole.
- Use customized setting (see advanced options): This setting
allows advanced mappings to be defined manually. The button Show advanced
options has to be pressed (see below).
Security settings when using Kerberos
If your network defines a Kerberos realm and a respective Kerberos Key Distribution
Center is available, NFS shares can be protected by additional security features
and data transfer can be encrypted. The pop-up button Minimum Security specifies
which security features an accessing computer (and Kerberos user) must support
at least to be granted access to this share.
- System standard only: This setting specifies that the usage
of Kerberos is not required. Mount and access operations will be performed
in “classic UNIX style”, using UID and GID identifications only.
- Any available security mechanism: The client is allowed to
freely choose between classic access and any methods protected by Kerberos.
- Kerberos 5 authentication: Only clients using Kerberos are
granted access. The user and/or computer performing the mount has to be authenticated
as being valid by Kerberos.
- Kerberos 5 authentication with integrity checks: Kerberos
is required. In addition to the authentication of user and computer via Kerberos,
the client has to ensure that each transferred NFS packet is protected against
manipulation.
- Kerberos 5 with checks and encryption: Only clients which
use Kerberos to authenticate users and computers, which perform integrity
checks on each data packet, and which additionally encrypt all packets
are granted access. This is the most secure way to operate NFS. Due to the
costly operations performed on each data packet, however, the overhead on both
sides of the connection will increase, and the performance and effective
speed might decrease significantly.
Limit access to certain computers
Because NFS is designed as a distributed file system and, without Kerberos,
performs no real authentication of users, access to shared folders should be
limited to well-defined “trusted” clients. The basic settings are defined by
the pop-up button Access permission:
- Allow access from any network and computer: Access will not
be restricted. Any computer which can contact the NFS server via network
is allowed to access the share. This is a potential security risk. If the
network in which the computer is located has not been isolated by a firewall
against access from other networks, basically any connected network (potentially
the whole Internet) may have access to the shared files.
- Restrict access to specific IPv4 network: You have to enter
a subnet address with accompanying net mask. In that case only computers
using IP addresses of the specified subnet are allowed to access the share.
- Allow listed clients only (see advanced options): You can
specify a list of IP addresses or DNS names. Only the listed computers are
granted access. The list has to be entered in a panel which will be displayed
after pressing the button Show advanced options.
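The share settings described in the sections above (read only, mounting subfolders, user mapping, minimum security and access permission) can be written down as one line in the BSD-style exports(5) format that Mac OS X uses for NFS. The following is an added example, not code from NFS Manager or from this manual; it assumes the exports(5) option names -ro, -alldirs, -maproot=, -mapall=, -sec= and -network/-mask, and the setting keys such as "map_root_to_nobody" are names chosen here to mirror the pop-up buttons. The manual does not show how NFS Manager itself stores its share definitions.

```python
"""Render the share settings described above as an exports(5) line.

Added example; not code from NFS Manager or the original manual. It assumes
the BSD-style exports(5) syntax used by Mac OS X: a folder path, options such
as -ro, -alldirs, -maproot=, -mapall=, -sec= and -network/-mask, followed by an
optional list of client hosts. The setting keys (e.g. "map_root_to_nobody")
are names chosen here to mirror the pop-up buttons in the manual.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# "User Mapping" pop-up button -> exports(5) options.
USER_MAPPING = {
    "map_root_to_nobody": ["-maproot=nobody"],  # recommended: foreign root becomes nobody
    "map_all_to_nobody": ["-mapall=nobody"],    # every client user becomes nobody
    "dont_map": ["-maproot=root"],              # UIDs/GIDs used as-is, root stays root
}

# "Minimum Security" pop-up button -> accepted security flavours. A client may
# use the minimum or anything stronger, so every stronger flavour is listed too.
MIN_SECURITY = {
    "system_standard": ["sys"],                      # classic UID/GID only
    "any_available": ["sys", "krb5", "krb5i", "krb5p"],
    "krb5": ["krb5", "krb5i", "krb5p"],              # authentication required
    "krb5i": ["krb5i", "krb5p"],                     # plus per-packet integrity
    "krb5p": ["krb5p"],                              # plus encryption
}


@dataclass
class Share:
    folder: str
    read_only: bool = True                 # "Share read only" checkmark
    allow_subfolder_mounts: bool = False   # "Allow clients to also mount objects ..."
    user_mapping: str = "map_root_to_nobody"
    minimum_security: str = "system_standard"
    network: Optional[str] = None          # "Restrict access to specific IPv4 network"
    netmask: Optional[str] = None
    clients: List[str] = field(default_factory=list)  # "Allow listed clients only"


def exports_line(share: Share) -> str:
    """Build one exports(5) line; raises ValueError on unknown setting names."""
    if share.user_mapping not in USER_MAPPING:
        raise ValueError(f"unknown user mapping: {share.user_mapping}")
    if share.minimum_security not in MIN_SECURITY:
        raise ValueError(f"unknown minimum security: {share.minimum_security}")
    if not share.folder.startswith("/") or any(c.isspace() for c in share.folder):
        raise ValueError("folder must be an absolute path without whitespace")
    parts = [share.folder]
    if share.read_only:
        parts.append("-ro")
    if share.allow_subfolder_mounts:
        parts.append("-alldirs")
    parts += USER_MAPPING[share.user_mapping]
    parts.append("-sec=" + ":".join(MIN_SECURITY[share.minimum_security]))
    if share.network:
        parts += ["-network", share.network]
        if share.netmask:
            parts += ["-mask", share.netmask]
    parts += share.clients  # listed hosts close the line
    return " ".join(parts)


def risk_notes(share: Share) -> List[str]:
    """Flag the two combinations the manual calls security holes."""
    notes = []
    if share.user_mapping == "dont_map":
        notes.append("root of every client is root on the server")
    if share.network is None and not share.clients:
        notes.append("no client restriction: any computer that reaches the server may mount")
    return notes


if __name__ == "__main__":
    # Constructed sample: a read-only share for one subnet, Kerberos with integrity.
    s = Share("/share", allow_subfolder_mounts=True, minimum_security="krb5i",
              network="192.168.1.0", netmask="255.255.255.0")
    print(exports_line(s))
    print(risk_notes(Share("/share", user_mapping="dont_map")))
```

The list behind -sec= is ordered from the minimum the share accepts up to the strongest flavour, which is why "System standard only" yields just sys while "Kerberos 5 authentication" yields krb5:krb5i:krb5p. Folder paths containing spaces need quoting in exports(5); the example refuses them rather than guessing at the quoting rules.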
Further options
Additional settings for the NFS share can be specified in a dialog window
which will open after the button Show advanced options has been
pressed. These options are described in detail on
a separate page.
Limitations of NFS shares
When creating NFS shares, four basic rules must always be respected:
- In principle, any physical file system (in Macintosh terminology each disk
volume of a hard drive) or one of its subfolders can be shared.
- Sharing a subfolder of a folder which is shared already is permitted only
if this subfolder is located on a different physical file system. (This is
the case if the shared folder contains the mount point of another volume.)
- Sharing a superfolder of a folder which is shared already is permitted
only if this superfolder is located on a different physical file system.
- Only local file systems can be shared. (It is not permitted to share a
file system mounted via network from another computer.)
Those four basic rules are based on the architecture of the NFS design. They
always have to be fulfilled, no matter which operating system is being used.
In addition, the following rules apply when using Mac OS X:
- Mac OS X can only share file systems supporting permissions. For example
it is not possible to share MS-DOS®-formatted file systems (FAT) via NFS
in the network.
- A share entry can be specified multiple times only if different sets of
computers are granted access permission in each entry. No overlaps or
contradictions are permitted. For example you cannot share a folder for the
computers A, B, C, and additionally share the same folder with different
options for usage by the computers A, D, E. In this case the role of the
computer A would be undefined and contradictory.
Important: If one of these rules
has been violated, Mac OS X will reject the affected or even all shares.
In that case the NFS server won't work as expected. NFS Manager tries to find
violations of the rules in advance. When contradictory share definitions are
found, error messages will be shown.
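The rules above can be checked mechanically before the shares are activated. The following is an added example of such a check, not NFS Manager's own code: the mount table and the share definitions are constructed sample data (a real check would read the mounted volumes from the system), a share's "physical file system" is taken to be the longest mount point that is a prefix of its folder, and clients are given as a set of host names with "*" standing for "any network and computer". It covers the four basic rules (nested shares only across file systems, local file systems only) and the two Mac OS X rules (permissions support, no overlapping client sets for the same folder).

```python
"""Check a set of share definitions against the rules listed above.

Added example, not code from NFS Manager. MOUNTS and the share definitions
are constructed sample data; "*" in a client set means any computer.
"""
import posixpath
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed sample mount table: mount point -> properties of that volume.
MOUNTS: Dict[str, Dict[str, bool]] = {
    "/": {"local": True, "permissions": True},
    "/Volumes/Data": {"local": True, "permissions": True},
    "/Volumes/USBSTICK": {"local": True, "permissions": False},  # FAT-formatted
    "/Volumes/NetHome": {"local": False, "permissions": True},   # mounted from another computer
}


@dataclass(frozen=True)
class ShareDef:
    folder: str
    clients: FrozenSet[str]  # host names, or {"*"} for any computer


def filesystem_of(path: str, mounts: Dict[str, Dict[str, bool]] = MOUNTS) -> str:
    """Return the mount point of the physical file system that holds path."""
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        raise ValueError(f"not an absolute path: {path}")
    best = ""
    for mp in mounts:
        prefix = mp.rstrip("/") + "/"
        if (path == mp or path.startswith(prefix)) and len(mp) > len(best):
            best = mp  # longest matching mount point wins
    return best


def is_ancestor(a: str, b: str) -> bool:
    """True if folder a is a proper superfolder of folder b."""
    a, b = posixpath.normpath(a), posixpath.normpath(b)
    return a != b and b.startswith(a.rstrip("/") + "/")


def clients_overlap(x: FrozenSet[str], y: FrozenSet[str]) -> bool:
    """Two client sets overlap if either is unrestricted or they share a host."""
    return "*" in x or "*" in y or bool(x & y)


def check_shares(shares: List[ShareDef],
                 mounts: Dict[str, Dict[str, bool]] = MOUNTS) -> List[str]:
    """Return a list of rule violations; an empty list means the set is consistent."""
    errors: List[str] = []
    # Rules that concern each share on its own.
    for s in shares:
        props = mounts[filesystem_of(s.folder, mounts)]
        if not props["local"]:
            errors.append(f"{s.folder}: only local file systems can be shared")
        if not props["permissions"]:
            errors.append(f"{s.folder}: file system does not support permissions")
    # Rules that concern pairs of shares.
    for i, a in enumerate(shares):
        for b in shares[i + 1:]:
            if posixpath.normpath(a.folder) == posixpath.normpath(b.folder):
                if clients_overlap(a.clients, b.clients):
                    errors.append(f"{a.folder}: shared twice with overlapping client sets")
            elif is_ancestor(a.folder, b.folder) or is_ancestor(b.folder, a.folder):
                if filesystem_of(a.folder, mounts) == filesystem_of(b.folder, mounts):
                    errors.append(f"{a.folder} and {b.folder}: nested shares on the same file system")
    return errors


if __name__ == "__main__":
    ANY = frozenset({"*"})
    # Constructed sample: a volume and one of its subfolders, both shared to everyone.
    for e in check_shares([ShareDef("/Volumes/Data", ANY), ShareDef("/Volumes/Data/Projects", ANY)]):
        print("error:", e)
```

Sharing "/" and "/Volumes/Data" together passes the check because the two folders lie on different file systems (the shared root folder contains the mount point of the Data volume), which is exactly the exception the second and third rules describe.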
Using the application-based private firewall of Mac OS X
If you have activated the application-based firewall on the computer which
should offer NFS-shared files to the network, you'll have to make sure that
NFS traffic is allowed to pass to this computer. The firewall must be reconfigured
as follows:
1. Open the application System Preferences.
2. Go to Security > Firewall.
3. If the lock icon is in its closed position, click it to open and provide
the necessary administrator credentials.
4. Select the item Set access for specific services and applications if
it is not already selected.
5. Press the + button below the table. A file selection sheet
will appear.
6. Press the key combination ⌘+⇧+G to enter
the path of hidden system components.
7. Into the field Go to the folder, enter the path /usr/sbin/portmap exactly
as shown and press the return key. Then press the button Add to
confirm. The entry portmap will
be added at the end of the table. Verify that it is set to Allow
incoming connections.
8. Repeat steps (5) to (7), now specifying the path /sbin/nfsd.
9. Repeat steps (5) to (7), now specifying the path /usr/sbin/rpc.statd.
10. Repeat steps (5) to (7), now specifying the path /usr/sbin/rpc.lockd.
11. Repeat steps (5) to (7), now specifying the path /usr/libexec/rpc.rquotad.
Using the port-based private firewall of Mac OS X
If you prefer to use ipfw, the second private firewall available
in Mac OS X, this is also possible. You can configure ipfw via the command line
or with user interfaces provided by third-party vendors. In Mac OS X Server,
Apple's application Server Admin can be used to configure the
ipfw firewall. The following ports must be open if you want to use the respective
computer as NFS server:
- Open port 111 and the port range 600-1023 for RPC communication.
- Open port 2049 for access to the NFS server.
You may want to consider defining fixed ports for the helper services for
status requests (statd), file locking (lockd) and quotas
(rquotad), using the server configuration options,
to have better control over the RPC ports being used.