For the longest time, I have always been running NFS on Kodi. That means when I choose how to link my Kodi to my Synology, I always choose to use NFS over SMB etc.
In fact, I even have an article back in Oct 2013 on using NFS in Synology and XBMC (now Kodi).
Now recently I made some quite substantial changes to my Synology NAS. I will share some of the changes in this blog post soon. One of the changes was increasing the RAM of the DS1520+. I will write a few more soon, including the use of Synology Drive Client, moving away from Dropbox to hosting my files on my Synology etc.
But as part of these changes, I started to do some house cleaning of the Synology. This is especially so as I started to host private files in Synology (rather than Dropbox and saving money in the process). So security becomes slightly more important. I mean, in the past, it was just photos and videos. Now it has some more stuff, so I began to pay a little more attention than just simply setting up 2FA on Synology.
The Synology Security Advisor on NFS
For the longest time, I have been seeing this error on my Synology Security Advisor: that my NFS permission rules are too liberal.
That is because I allowed all IPs to access my NFS. If you look at the following setting, you can see that all IPs (the * in the first line) can use my NFS rule, with admin rights, to access a particular share (that share is my VIDEO share folder).
This was a quick and easy way to set up NFS on Kodi and it usually worked.
Till it does not.
Why did my NFS on Kodi suddenly stop working
So as mentioned earlier, I have started to clean up my Synology a little. One of the main things I did a long while ago (as advised by many experts) was to deactivate the “admin” and the “guest” accounts.
I did that long ago.
You can deactivate an “admin account” or a “guest account” for Synology by doing that in the users settings page.
But what I did not do (when I deactivated the accounts) was to remove these accounts’ access to shared folders. In other words, even though these accounts have been deactivated, apparently somehow they still have access to the shared folders through the groups they were part of. For example, “admin” was part of the admin group and “guest” was part of the user group. And both groups still have access to my Video Shared Folder.
So what happened was I “broke” my Kodi NFS access to the shared folder. I removed all the “admin” and “guest” access to the shared folders and suddenly my Kodi no longer has access to the Video Shared Folder. Remember that I deactivated these two accounts a long time ago and NFS on Kodi was still working even though I deactivated these accounts. It no longer worked the moment I removed the “Shared Folder” access for these accounts.
So apparently, for this NFS setting to work, it does require the admin account to have access to the shared folder you want NFS to work with. I mean, after all, you stated that you want “admin” to have access (map root to admin).
How I solved the Guest access to NFS
So for the longest time, I had “map root to admin” for the NFS set up in the NFS setting in Synology for use with Kodi.
I changed that to “map to guest”.
That means I no longer map “root to admin” but “all users to guest”. I feel that “guest” is safer than “admin” to keep around. Maybe. Maybe not.
I then
- give guest access to the SHARED FOLDER (while keeping it deactivated).
- do not give admin access to the SHARED FOLDER (or any folders)
- continue to keep both guest and admin deactivated
Restricting IP to only the Kodi client
Okay, now I have fixed my issue of my dearest Kodi client on my Sony TV not working due to my wonderful action of removing access of “admin” (and “guest”) from the Shared Folder.
But that does not fix the security advisor issue mentioned earlier.
To that end, I decided to restrict the NFS access to just the Kodi client (instead of *.*).
To do that I need to give the Sony TV (where my Kodi client is running on Sony Android TV) a fixed IP. You can do that easily in the Sony TV interface. I set the Static IP address of my Sony TV to 192.168.1.33.
Then when you go to the Sony TV, you can see that Kodi client now has a fixed IP address of 192.168.1.33
Now going back to my Synology NFS setting, I set it up to only allow 192.168.1.33 to work for NFS on Kodi. In other words, only 192.168.1.33 client can use the NFS rule (and using the “guest” privilege) to access the Synology shared folder.
And indeed it worked.
My Sony TV (running 192.168.1.33) can now access the Synology Shared Folder over NFS on Kodi.
And my Security Advisor is a happier man now. All green.
Allowing Multiple IPs to access NFS on Kodi
But wait. We don’t always have one single Kodi client at home right. You might have it on your laptop etc. For me, I have Kodi also running on a Hisense TV (running Google TV) in the master bedroom.
So I need to also allow the Kodi client on the Hisense TV to access my Synology too.
To do that, just repeat the steps above. That means, in the Hisense TV’s Google TV OS, I set up the Hisense to have a fixed static IP. This time, the poor boy has an unlucky Chinese number of 192.168.1.44…
Again checking the Kodi interface on the Hisense TV, I can see the poor boy has a fixed IP address of 192.168.1.44
And then back to my Synology DSM, I set up the NFS again. This is a new separate line that duplicates the 192.168.1.33 settings.
Except that it is for 192.168.1.44
So now Synology allows two clients. Two specific clients running 192.168.1.33 and 192.168.1.44 to access the VIDEO SHARED FOLDER (using “guest” as its “user”) to play videos off the Synology on the Kodi clients.
And my Security Advisor is still happy.
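The check the Security Advisor complained about can be reproduced offline. The script below is an added example, not part of the original post and not Synology's own code: it assumes the NFS rules are written as standard Linux exports(5) lines, and the /volume1/video path and the anonuid/anongid numbers are placeholders.

```python
import ipaddress

# Constructed samples in Linux /etc/exports syntax. The /volume1/video path and
# the anonuid/anongid numbers are placeholders, not values read from a real NAS.
BEFORE = "/volume1/video *(rw,root_squash,anonuid=1000,anongid=100)\n"
AFTER = (
    "/volume1/video 192.168.1.33(rw,all_squash,anonuid=1001,anongid=100) "
    "192.168.1.44(rw,all_squash,anonuid=1001,anongid=100)\n"
)


def is_broad(client):
    """True if the client field of a rule can match more than one host."""
    if client == "" or any(ch in client for ch in "*?["):
        return True  # no host given, or a wildcard pattern
    try:
        # A bare address parses as a /32 (one host); a subnet has more.
        return ipaddress.ip_network(client, strict=False).num_addresses > 1
    except ValueError:
        return False  # a plain hostname names a single client


def audit_exports(text):
    """Return (path, client, issue) tuples for rules worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            client, _, opts = entry.partition("(")
            options = set(opts.rstrip(")").split(",")) if opts else set()
            if is_broad(client):
                findings.append((path, client, "rule is open to more than one host"))
            if "no_root_squash" in options:
                findings.append((path, client, "remote root is not squashed"))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_exports(sample) or "no findings")
```

The host field is matched on the client's source address only, so pinning the rule to 192.168.1.33 and 192.168.1.44 narrows who on the LAN can mount the share but does not authenticate the TVs themselves.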
Conclusion
For the longest time, I have been running a rather insecure way of using NFS on Kodi to allow my Kodi clients at home to access my Synology server at home. Recently I have kind of closed this down using fixed static IPs for my Kodi clients and then restricting the permissions of NFS in Synology to just these fixed IPs. I have also only allowed “guest” to access the Synology using NFS instead of “admin”.