Date: Tue, 20 Oct 2020 14:37:14 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Peter Eriksson <pen@lysator.liu.se>
Cc: "freebsd-current@FreeBSD.org" <freebsd-current@FreeBSD.org>
Subject: Re: review of new mountd option disabling use of rpcbind
Message-ID: <YTBPR01MB3966ACA7043640A8C835ACFFDD1F0@YTBPR01MB3966.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <7F127C98-8E05-45D7-A652-C29D656B4B56@lysator.liu.se>
References: <YTBPR01MB3966935BC7208D065C7EF0F9DD1F0@YTBPR01MB3966.CANPRD01.PROD.OUTLOOK.COM>, <7F127C98-8E05-45D7-A652-C29D656B4B56@lysator.liu.se>
Peter Eriksson wrote:
> Suggestion:
> Add a check for sysctl vfs.nfsd.server_min_nfsvers and if set to 4 or higher -
> automatically enable the "-R" option.

I actually have patches to the /etc/rc.d scripts that both set
vfs.nfsd.server_min_nfsvers=4 and the "-R" option.

The reason I went with an explicit "-R" is that I thought having mountd
magically stop registering with rpcbind might be considered a POLA
violation.
--> With the explicit "-R" option, it will only happen if the "-R" flag is
set or if nfsv4_server_only="YES" is put in /etc/rc.conf (which is new,
so it will be expected to result in different behaviour).
A second reason where the explicit "-R" might be preferred is:
if the nfsd is a loadable module, it is loaded by mountd.
However, to set the sysctl, it must be loaded before starting mountd.
(This is done by the /etc/rc.d/mountd script, so it is not a big issue, but
might affect someone?)

However, nfsd already chooses to not register with rpcbind when
vfs.nfsd.server_min_nfsvers, so I can also see an argument for doing
what you suggest, since it is consistent with what nfsd does.

I don't have a strong opinion either way.
What do others think?

Thanks for the comment, rick

- Peter

> On 20 Oct 2020, at 02:56, Rick Macklem <rmacklem@uoguelph.ca> wrote:
>
> Hi,
>
> I've put a patch up on phabricator that adds a new option to mountd
> which disables use of rpcbind. This can be done for NFSv4 only servers.
> It appears that rpcbind is now considered a security risk by some.
>
> I listed freqlabs@ as a reviewer, but if anyone else would like to review
> it, please do so. (Someone has reviewed the man page update already.
> Thanks bcr@.)
>
> It's D26746.
>
> rick
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
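The point of the "-R" option (or nfsv4_server_only="YES" in /etc/rc.conf) is that an NFSv4-only server no longer needs mountd or nfsd registered with rpcbind, so an administrator who turns it on will want to confirm that nothing NFS-related is still listed there. The script below is an added example for that check; it is not part of the D26746 patch or of the FreeBSD rc scripts. It assumes the standard RPC program numbers 100005 (mountd) and 100003 (nfs) and takes the "rpcinfo -p" table and the vfs.nfsd.server_min_nfsvers value as arguments, so the rpcinfo tables embedded here are constructed samples rather than output captured from a real host.

```shell
#!/bin/sh
# Added example (not from the D26746 patch or the FreeBSD rc scripts):
# a post-change check that an NFSv4-only server really has no NFSv3-era
# services left in rpcbind. On a live host the inputs would come from
#   rpcinfo -p                               (rpcbind registration table)
#   sysctl -n vfs.nfsd.server_min_nfsvers    (server minimum NFS version)
# Here both are passed as arguments so the script runs offline.

# Count rpcbind registrations for mountd (program 100005) and nfs (100003).
# Reads "rpcinfo -p" style text from $1 and prints the count.
nfs_rpc_registrations() {
    printf '%s\n' "$1" | awk '
        $1 == "100005" || $1 == "100003" { n++ }
        END { print n + 0 }
    '
}

# Return 0 when the host is consistently NFSv4-only: the server minimum
# version ($1) is 4 or higher AND the rpcbind table ($2) holds no
# mountd/nfs entries. Anything else is reported as a failure.
nfsv4_only_ok() {
    [ "$1" -ge 4 ] || return 1
    [ "$(nfs_rpc_registrations "$2")" -eq 0 ]
}

# Constructed sample tables (not captured from a real machine).
# Before: mountd started without -R, so mountd and nfs are registered.
RPCINFO_BEFORE='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100005    3   udp    929  mountd
    100005    3   tcp    929  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs'

# After: mountd -R with vfs.nfsd.server_min_nfsvers=4; only rpcbind remains.
RPCINFO_AFTER='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind'

# Print a one-line verdict for a (min version, rpcinfo table, label) triple.
report() {
    if nfsv4_only_ok "$1" "$2"; then
        printf '%s: OK, NFSv4-only and nothing NFS-related in rpcbind\n' "$3"
    else
        printf '%s: leftover NFS registrations=%s min_nfsvers=%s\n' \
            "$3" "$(nfs_rpc_registrations "$2")" "$1"
    fi
}

report 3 "$RPCINFO_BEFORE" "before"
report 4 "$RPCINFO_AFTER"  "after"
```

Run against a live host, the two inputs would be `"$(rpcinfo -p)"` and `"$(sysctl -n vfs.nfsd.server_min_nfsvers)"`; a non-zero count after enabling "-R" means an older mountd or nfsd registration is still present and the service should be restarted before rpcbind is considered unused.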