From: Rick Macklem <rmacklem@uoguelph.ca>
To: Peter Eriksson
CC: freebsd-current@FreeBSD.org
Subject: Re: review of new mountd option disabling use of rpcbind
Date: Tue, 20 Oct 2020 14:37:14 +0000
In-Reply-To: <7F127C98-8E05-45D7-A652-C29D656B4B56@lysator.liu.se>

Peter Eriksson wrote:
> Suggestion:
> Add a check for sysctl vfs.nfsd.server_min_nfsvers and if set to 4 or higher -
> automatically enable the "-R" option.
I actually have patches to the /etc/rc.d scripts that both set
vfs.nfsd.server_min_nfsvers=4 and the "-R" option.

The reason I went with an explicit "-R" is that I thought having mountd
magically stop registering with rpcbind might be considered a POLA
violation.
--> With the explicit "-R" option, it will only happen if the "-R" flag is
set or if nfsv4_server_only="YES" is put in /etc/rc.conf (which is new,
so it will be expected to result in different behaviour).
A second reason where the explicit "-R" might be preferred is:
if the nfsd is a loadable module, it is loaded by mountd.
However, to set the sysctl, it must be loaded before starting mountd.
(This is done by the /etc/rc.d/mountd script, so it is not a big issue, but
might affect someone?)

However, nfsd already chooses to not register with rpcbind when
vfs.nfsd.server_min_nfsvers, so I can also see an argument for doing
what you suggest, since it is consistent with what nfsd does.

I don't have a strong opinion either way.
What do others think?

Thanks for the comment, rick

- Peter

> On 20 Oct 2020, at 02:56, Rick Macklem wrote:
>
> Hi,
>
> I've put a patch up on phabricator that adds a new option to mountd
> which disables use of rpcbind. This can be done for NFSv4 only servers.
> It appears that rpcbind is now considered a security risk by some.
>
> I listed freqlabs@ as a reviewer, but if anyone else would like to review
> it, please do so. (Someone has reviewed the man page update already.
> Thanks bcr@.)
>
> It's D26746.
>
> rick
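As an added illustration of the two triggers discussed in this thread (not code from the thread, from D26746, or from FreeBSD's /etc/rc.d scripts), a POSIX sh sketch that decides whether mountd gets "-R" from either nfsv4_server_only="YES" or vfs.nfsd.server_min_nfsvers >= 4, plus a sanity check that "-R" is only used on an NFSv4-only server. The function names are hypothetical, and the settings are passed as arguments so it runs offline instead of reading rc.conf and sysctl(8).

```shell
# Added example, not code from the thread, D26746 or FreeBSD's rc.d scripts.
# Models the two routes discussed above for giving mountd "-R" (do not
# register with rpcbind):
#   1. nfsv4_server_only="YES" in /etc/rc.conf (explicit, the patch's way), or
#   2. vfs.nfsd.server_min_nfsvers >= 4 (automatic, Peter's suggestion).
# Function names are hypothetical; inputs are arguments rather than live
# rc.conf/sysctl values so the script runs anywhere.

# mountd_flags_for NFSV4_ONLY MIN_VERS BASE_FLAGS
#   NFSV4_ONLY: value of nfsv4_server_only ("YES"/"NO")
#   MIN_VERS:   value of vfs.nfsd.server_min_nfsvers, or empty when nfsd.ko
#               is not loaded yet (the sysctl then does not exist: the
#               ordering caveat raised in the mail)
#   BASE_FLAGS: the existing mountd_flags
# Prints the resulting mountd flags.
mountd_flags_for() {
    nfsv4_only=$1; min_vers=$2; flags=$3; add_r=no
    case $(printf '%s' "$nfsv4_only" | tr '[:lower:]' '[:upper:]') in
    YES) add_r=yes ;;
    esac
    case $min_vers in
    ''|*[!0-9]*) ;;                      # missing or non-numeric: ignore
    *) if [ "$min_vers" -ge 4 ]; then add_r=yes; fi ;;
    esac
    if [ "$add_r" = yes ]; then
        case " $flags " in               # do not add -R twice
        *" -R "*) ;;
        *) flags="${flags:+$flags }-R" ;;
        esac
    fi
    printf '%s\n' "$flags"
}

# mountd_flags_consistent FLAGS MIN_VERS
# Returns 0 if the combination is sane, 1 if "-R" is used while the server
# still serves NFSv2/3: those clients locate mountd through rpcbind, so
# their mounts would fail. "-R" is only for NFSv4-only servers.
mountd_flags_consistent() {
    case " $1 " in
    *" -R "*)
        case $2 in
        ''|*[!0-9]*) return 1 ;;
        *) [ "$2" -ge 4 ] ;;
        esac ;;
    *) return 0 ;;
    esac
}
```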