Date: Tue, 1 Mar 2011 08:09:27 -0500 From: John Baldwin <jhb@freebsd.org> To: freebsd-net@freebsd.org Cc: Brooks Davis <brooks@freebsd.org> Subject: Re: any is vfs.nfsrv.nfs_privport=0 by default Message-ID: <201103010809.27346.jhb@freebsd.org> In-Reply-To: <20110228154831.GC41129@lor.one-eyed-alien.net> References: <20110228154831.GC41129@lor.one-eyed-alien.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Monday, February 28, 2011 10:48:32 am Brooks Davis wrote: > vfs.nfsrv.nfs_privport controls wither or not NFS enforces the > traditional RPC semantics that require that requests come from > "privileged" ports. By default this check is disabled. Hardening > guides typically suggest this be enabled, usually via the rc.conf knob > nfs_reserved_port_only=YES. > > I'm trying to find a good reason why the default is the way it is. > Digging around in the source tree it appears that the rc.conf setting > has been that way since either /etc/rc.conf or /etc/defaults/rc.conf has > been in the tree. > > I do not consider the fact that the security provided is weak at best to > be a good reason to disable it. I suspect support for PC-NFS or > something like that may be the reason, but if that's the case it really > doesn't make any sense. I think it should default to on, and that the nfs_reserved_port_only setting should just be removed. Instead, folks who want to turn this off can pass '-n' to mountd, for which there are already other rc.conf flags such as mountd_weak_authentication, etc. Maybe you leave the nfs_reserved_port_only option and have it toggle the -n option to mountd? Whatever the outcome, I think we need to collapse the multiple rc.conf variables (mountd_weak_authentication and nfs_reserved_port_only) down to 1 variable and have the kernel default to requiring a privileged port. -- John Baldwin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201103010809.27346.jhb>