
CAS-002 Question #834: Real Exam Question with Answer & Explanation

The correct answer is C: Users with root access on remote NFS client computers can always use the SU command to. Removing no_root_squash enables the NFS default that maps remote root to an anonymous user, and nosuid blocks SUID-based privilege escalation, but a user with local root on the client can still use 'su' to assume any UID and access NFS files by that identity.

Question

After reviewing a company's NAS configuration and file system access logs, the auditor is advising the security administrator to implement additional security controls on the NFS export. The security administrator decides to remove the no_root_squash directive from the export and add the nosuid directive. Which of the following is true about the security controls implemented by the security administrator?

Options

  • A. The newly implemented security controls are in place to ensure that NFS encryption can only be
  • B. Removing the no_root_squash directive grants the root user remote NFS read/write access to
  • C. Users with root access on remote NFS client computers can always use the SU command to
  • D. Adding the nosuid directive disables regular users from accessing files owned by the root user

Explanation

Removing no_root_squash enables the NFS default that maps remote root to an anonymous user, and nosuid blocks SUID-based privilege escalation, but a user with local root on the client can still use 'su' to assume any UID and access NFS files by that identity.

Common mistakes.

  • A. Removing no_root_squash and adding nosuid are NFS access control export directives governing privilege mapping and SUID binary execution; they do not configure or enforce NFS transport or data encryption.
  • B. Removing the no_root_squash directive enables root squashing - the NFS default behavior that maps the remote root user to an unprivileged anonymous account - which restricts root access on the server rather than granting it.
  • D. The nosuid directive prevents SUID and SGID bits from taking effect on the NFS-mounted filesystem, blocking privilege escalation via setuid binaries, but it does not prevent users from accessing files owned by root when the file's standard read or execute permissions allow it.
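
The UID mapping behind answers B and C, as an added example that is not part of the original question or its reference: it parses export lines and models which UID the server applies to a request under each squash option. The hosts, paths, UID 1001 and function names are constructed for illustration, and the model assumes the default AUTH_SYS (sec=sys) authentication, where the server accepts the UID the client sends.

```python
import re

ANON_UID = 65534  # default anonymous UID in exports(5) unless anonuid= overrides it

# Constructed sample /etc/exports content (hosts and paths are made up).
SAMPLE_EXPORTS = """\
# before the change
/srv/nas/projects  10.0.5.0/24(rw,sync,no_root_squash)
# after the change: root_squash is the default when nothing is stated
/srv/nas/home      10.0.5.0/24(rw,sync)
/srv/nas/public    *(ro,all_squash,anonuid=1500)
"""

def parse_exports(text):
    """Yield (path, client, options-dict) for every client on every export line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()  # quoted paths with spaces are not handled
        for spec in clients:
            m = re.fullmatch(r"([^()]*)(?:\(([^()]*)\))?", spec)
            if not m:
                continue
            opts = {}
            for item in filter(None, (m.group(2) or "").split(",")):
                key, _, value = item.partition("=")
                opts[key] = value
            yield path, m.group(1) or "*", opts

def server_uid(client_uid, opts):
    """UID the server applies to a request that carries client_uid (AUTH_SYS)."""
    anon = int(opts.get("anonuid") or ANON_UID)
    if "all_squash" in opts:
        return anon
    if client_uid == 0 and "no_root_squash" not in opts:
        return anon            # root squashing: only UID 0 is remapped
    return client_uid          # every other UID is accepted as sent

def audit(text):
    """Return {path: [findings]} for the exports in text."""
    report = {}
    for path, client, opts in parse_exports(text):
        findings = report.setdefault(path, [])
        if server_uid(0, opts) == 0:
            findings.append(f"{client}: remote root keeps UID 0 (no_root_squash)")
        if server_uid(1001, opts) == 1001:
            findings.append(f"{client}: non-root UIDs trusted as sent by the client")
    return report
```

Running audit(SAMPLE_EXPORTS) shows that the export without no_root_squash still carries the second finding: only UID 0 is remapped, which is why answer C holds after the change.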

Concept tested. NFS root squash and nosuid export security directives

Reference. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/storage_administration_guide/nfs-serverconfig
