Date:      Tue, 20 Oct 2020 14:37:14 +0000
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Peter Eriksson <pen@lysator.liu.se>
Cc:        "freebsd-current@FreeBSD.org" <freebsd-current@FreeBSD.org>
Subject:   Re: review of new mountd option disabling use of rpcbind
Message-ID:  <YTBPR01MB3966ACA7043640A8C835ACFFDD1F0@YTBPR01MB3966.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <7F127C98-8E05-45D7-A652-C29D656B4B56@lysator.liu.se>
References:  <YTBPR01MB3966935BC7208D065C7EF0F9DD1F0@YTBPR01MB3966.CANPRD01.PROD.OUTLOOK.COM>, <7F127C98-8E05-45D7-A652-C29D656B4B56@lysator.liu.se>

Peter Eriksson wrote:
> Suggestion:
> Add a check for sysctl vfs.nfsd.server_min_nfsvers and if set to 4 or higher -
> automatically enable the "-R" option.
I actually have patches to the /etc/rc.d scripts that both set
vfs.nfsd.server_min_nfsvers=4 and the "-R" option.

The reason I went with an explicit "-R" is that I thought having mountd
magically stop registering with rpcbind might be considered a POLA
violation.
--> With the explicit "-R" option, it will only happen if the "-R" flag is
      set or if nfsv4_server_only="YES" is put in /etc/rc.conf (which is new,
      so it will be expected to result in different behaviour).
A second reason where the explicit "-R" might be preferred is:
if the nfsd is a loadable module, it is loaded by mountd.
However, to set the sysctl, it must be loaded before starting mountd.
(This is done by the /etc/rc.d/mountd script, so it is not a big issue, but
 might affect someone?)

However, nfsd already chooses to not register with rpcbind when
vfs.nfsd.server_min_nfsvers, so I can also see an argument for doing
what you suggest, since it is consistent with what nfsd does.

I don't have a strong opinion either way.
What do others think?

Thanks for the comment, rick

- Peter


> On 20 Oct 2020, at 02:56, Rick Macklem <rmacklem@uoguelph.ca> wrote:
>
> Hi,
>
> I've put a patch up on phabricator that adds a new option to mountd
> which disables use of rpcbind. This can be done for NFSv4 only servers.
> It appears that rpcbind is now considered a security risk by some.
>
> I listed freqlabs@ as a reviewer, but if anyone else would like to review
> it, please do so. (Someone has reviewed the man page update already.
> Thanks bcr@.)
>
> It's D26746.
>
> rick
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"

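The ordering issue raised in the message (the nfsd module must be loaded before vfs.nfsd.server_min_nfsvers can be set, and mountd only gets "-R" when the flag is given or nfsv4_server_only="YES" is in /etc/rc.conf) can be sketched as a small POSIX sh model of what an rc.d script would do. This is an added example, not the rc.d patch or the D26746 review under discussion; the function names nfs_checkyesno, nfs_mountd_flags and nfs_v4only_plan are hypothetical, the "-r"/"-S" flags in the usage are constructed sample input, and the plan is printed as a dry run rather than executed.

```shell
#!/bin/sh
# Added example (not the FreeBSD rc.d patch under review): models how an
# rc.d script could turn nfsv4_server_only="YES" into the sysctl plus the
# mountd "-R" flag, in the order the message describes: nfsd module first,
# then the sysctl, then mountd.  Function names are hypothetical.

# Mirror rc.subr's checkyesno behaviour: yes/true/on/1, case-insensitive.
nfs_checkyesno() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the effective mountd flags: append -R exactly once when NFSv4-only
# operation is requested, leaving user-supplied flags untouched otherwise.
nfs_mountd_flags() {
    _v4only=$1
    _flags=$2
    if nfs_checkyesno "$_v4only"; then
        case " $_flags " in
            *" -R "*) ;;                                 # already present
            *) _flags="${_flags:+$_flags }-R" ;;
        esac
    fi
    printf '%s\n' "$_flags"
}

# Print the ordered actions (dry run, one per line) the rc script must take.
# $3 says whether the nfsd module is already loaded: the sysctl
# vfs.nfsd.server_min_nfsvers only exists once nfsd is loaded, and mountd
# would otherwise load the module too late for the sysctl to be set first.
nfs_v4only_plan() {
    _v4only=$1
    _flags=$2
    _nfsd_loaded=$3
    if nfs_checkyesno "$_v4only"; then
        if ! nfs_checkyesno "$_nfsd_loaded"; then
            echo "kldload nfsd"
        fi
        echo "sysctl vfs.nfsd.server_min_nfsvers=4"
    fi
    _mf=$(nfs_mountd_flags "$_v4only" "$_flags")
    echo "mountd${_mf:+ $_mf}"
}

# Usage (constructed rc.conf-style values, module not yet loaded):
#   nfs_v4only_plan YES "-r -S" NO
```

With nfsv4_server_only="YES" and nfsd not loaded, the plan is "kldload nfsd", then the sysctl, then "mountd -r -S -R"; with "NO" only the mountd line is printed and the flags pass through unchanged, which is the POLA-preserving default the message argues for.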