Skip to content

Use Root-Squashing on All Exports

An XCCDF Rule

Description

If a filesystem is exported using root squashing, requests from root on the client are considered to be unprivileged (mapped to a user such as nobody). This provides some mild protection against remote abuse of an NFS server. Root squashing is enabled by default, and should not be disabled.

Ensure that no line in /etc/exports contains the option no_root_squash.

Rationale

If the NFS server allows root access to local file systems from remote hosts, this access could be used to compromise the system.

ID
xccdf_org.ssgproject.content_rule_use_root_squashing_all_exports
Severity
Unknown
References
Updated