From: John Baldwin
To: freebsd-net@freebsd.org
Cc: Brooks Davis
Date: Tue, 1 Mar 2011 08:09:27 -0500
Subject: Re: any is vfs.nfsrv.nfs_privport=0 by default

On Monday, February 28, 2011 10:48:32 am Brooks Davis wrote:
> vfs.nfsrv.nfs_privport controls whether or not NFS enforces the
> traditional RPC semantics that require that requests come from
> "privileged" ports. By default this check is disabled. Hardening
> guides typically suggest this be enabled, usually via the rc.conf knob
> nfs_reserved_port_only=YES.
>
> I'm trying to find a good reason why the default is the way it is.
> Digging around in the source tree it appears that the rc.conf setting
> has been that way since either /etc/rc.conf or /etc/defaults/rc.conf has
> been in the tree.
>
> I do not consider the fact that the security provided is weak at best to
> be a good reason to disable it. I suspect support for PC-NFS or
> something like that may be the reason, but if that's the case it really
> doesn't make any sense.

I think it should default to on, and that the nfs_reserved_port_only
setting should just be removed. Instead, folks who want to turn this off
can pass '-n' to mountd, for which there are already other rc.conf flags
such as mountd_weak_authentication, etc.

Maybe you leave the nfs_reserved_port_only option and have it toggle the
-n option to mountd?

Whatever the outcome, I think we need to collapse the multiple rc.conf
variables (mountd_weak_authentication and nfs_reserved_port_only) down to
1 variable and have the kernel default to requiring a privileged port.

-- 
John Baldwin
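
An added example, not part of the original message or of the FreeBSD tree: a POSIX sh check that reads rc.conf-style files and reports whether the reserved-port knob discussed above is enabled and whether mountd is being passed -n. The function names and sample files are constructed for illustration, and it assumes mountd options are set through the mountd_flags variable.

```shell
#!/bin/sh
# rc_value VAR FILE...: effective value of VAR; the last assignment wins,
# as when /etc/rc.conf overrides /etc/defaults/rc.conf.
rc_value() {
    var=$1; shift
    sed -n "s/^[[:space:]]*${var}=\(.*\)\$/\1/p" "$@" 2>/dev/null |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/" |
        tail -n 1
}

# The truthy spellings rc.subr's checkyesno accepts.
is_yes() {
    case $1 in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# nfs_privport_audit FILE...: returns 0 only if the reserved-port check is
# enabled and mountd is not started with -n.
nfs_privport_audit() {
    rc=0
    if is_yes "$(rc_value nfs_reserved_port_only "$@")"; then
        echo "OK:   nfs_reserved_port_only is enabled"
    else
        echo "WEAK: nfs_reserved_port_only is off (vfs.nfsrv.nfs_privport stays 0)"
        rc=1
    fi
    # -n is the mountd flag the reply names for turning the check off;
    # match it alone or bundled with other single-letter flags (e.g. -rn).
    for flag in $(rc_value mountd_flags "$@"); do
        case $flag in
            -*n*) echo "WEAK: mountd_flags contains -n"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input (not taken from the thread).
sample_dir=$(mktemp -d)
printf '%s\n' 'nfs_reserved_port_only="NO"' 'mountd_flags="-r"' \
    > "$sample_dir/defaults"
printf '%s\n' 'nfs_reserved_port_only="YES"   # enforce privileged ports' \
    > "$sample_dir/hardened"
printf '%s\n' 'mountd_flags="-r -n"' > "$sample_dir/weak"

nfs_privport_audit "$sample_dir/defaults" "$sample_dir/hardened"
```

On a real host the arguments would be /etc/defaults/rc.conf followed by /etc/rc.conf, in that order.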