NFS not secure on MBL with WD TV Live

I have a MBL Duo and a WD TV Live. I have a few private shares on the MBL which I have restricted access to for streaming media as well (with Twonky I restricted out the private shares). I thought that my WD TV Live was completely cut off from the private shares. Nope, there is a hole in the security. The NFS on the MBL is accessible from the WD TV Live without having to enter a user/password, and it displays all private and public shares. Even worse is that the WD TV Live has the options to cut, copy, move, rename or delete files in these private shares!!!

If the WD TV Live can access the private shares without needing to enter user/password, then any device that works with NFS can access the MBL’s private shares.

How do I get this hole plugged???

Afaik one of the benefits of NFS is its use of simple UIDs to authenticate users rather than username/password combinations. When I tried to stream media from the MBL to my xbmc machine, it didn’t work and I had to use this guide to change the etc/exports config file using winscp. Hope this helps.

Link to guide (can’t use hyperlink, probably because I am typing on my iPad.)
http://wiki.xbmc.org/?title=NFS

That’s correct.   NFS doesn’t have UID / Password authentication.  NFS “in general” is not secure.   It’s not an MBL limitation, per se…  It’s a limitation of the protocol.

This is the contents of my /etc/exports config file. In order to secure the NFS from all users, what should I change?

# Use guest user (uid 500) for nfs guest. This is restricted from private
# shares by trustees.
#
/nfs *(rw,all_squash,sync,no_subtree_check,insecure,anonuid=500,anongid=1000)

Do I make different lines of code for each share? Something like:

/nfs/public (rw,all_squash,sync,no_subtree_check,insecure,anonuid=500,anongid=1000)
/nfs/public2 (rw,all_squash,sync,no_subtree_check,insecure,anonuid=500,anongid=1000)

# /nfs/private (rw,all_squash,sync,no_subtree_check,insecure,anonuid=500,anongid=1000)

Or perhaps I should just edit the line to be (taking out ‘insecure’):

# /nfs *(rw,all_squash,sync,no_subtree_check,anonuid=500,anongid=1000)

I have mostly Windows machines on the network, but I do have a few Macs. Ideally, I would like to restrict the NFS completely, as long as it did not interfere with the Macs.

You only have to edit the nfs line. I don’t know whether you need to make a line per share. Unfortunately I can’t tell you how to make this the way you want it. I’d have to look it up myself. But you could google every single parameter in this line. The guide should have the information you need if I’m not mistaken.

The easiest solution is to just comment out the nfs line and then add some lines for the public folders that you don’t mind being open. I have confirmed that it works and that it does not preclude the Mac machines from accessing the private shares. On my WD TV Live, now only the public shares are visible via the NFS server. I rebooted the MBL for it all to take effect.

# Use guest user (uid 500) for nfs guest. This is restricted from private
# shares by trustees.
#
# /nfs *(rw,all_squash,sync,no_subtree_check,insecure,anonuid=500,anongid=1000)
/nfs/public *(rw,all_squash,sync,no_subtree_check,insecure,anonuid=500,anongid=1000)
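
An added example, not part of the thread: a small Python check over /etc/exports-style text that flags the conditions discussed above (an export open to any host, `rw`, and the `insecure` option). The sample input is constructed; the `/nfs/media` line and its `192.168.1.0/24` subnet are hypothetical and only show what a host-restricted entry looks like.

```python
import re

# Constructed sample: the stock line and the per-share variant quoted in the
# thread, plus a hypothetical read-only line limited to one subnet.
SAMPLE = """\
# Use guest user (uid 500) for nfs guest.
/nfs *(rw,all_squash,sync,no_subtree_check,insecure,anonuid=500,anongid=1000)
/nfs/public (rw,all_squash,sync,no_subtree_check,insecure,anonuid=500,anongid=1000)
/nfs/media 192.168.1.0/24(ro,all_squash,sync,no_subtree_check)
"""

SPEC = re.compile(r"([^()]*)(?:\(([^)]*)\))?")  # host(opt,opt) | host | (opt,opt)

def parse_exports(text):
    """Yield (path, client, options) for every client spec in exports(5) text."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # '#' starts a comment
        for spec in fields[1:]:                  # fields[0] is the exported path
            m = SPEC.fullmatch(spec)
            if m:
                opts = {o for o in (m.group(2) or "").split(",") if o}
                yield fields[0], m.group(1), opts

def audit(text):
    """Return (path, client, issue) tuples for exports that need review."""
    findings = []
    for path, client, opts in parse_exports(text):
        any_host = client in ("", "*")           # no host or '*' matches every client
        shown = client or "(any)"
        if any_host:
            findings.append((path, shown, "exported to every host on the network"))
            if "rw" in opts:
                findings.append((path, shown, "read-write for every host"))
        if "insecure" in opts:
            findings.append((path, shown, "accepts requests from source ports above 1023"))
    return findings

if __name__ == "__main__":
    for path, client, issue in audit(SAMPLE):
        print(f"{path} [{client}]: {issue}")
```

Commented-out lines, such as the disabled `/nfs` export in the last post, produce no findings because everything after `#` is ignored.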