Date: Mon, 17 Dec 2018 22:40:55 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 234106] nfsv4 server ignores nfs_reserved_port_only="YES"
Message-ID: <bug-234106-227-UPiZRKad5C@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-234106-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-234106-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234106

--- Comment #3 from Rick Macklem <rmacklem@FreeBSD.org> ---
When NFSv4 was being developed, I recall the specification authors clearly
stating that "a reserved port# does not provide security and is not to be
required for NFSv4 client mounts".
I recall this being stated in the RFC, but I wasn't able to find it on a quick
search (they are 275->500+ page documents).

As such, the code does not require a reserved port# for NFSv4 mounts.
(And I agree with the authors that it does not enhance security, since all
it tells the server is that the "mounter" is root on the client. I suppose
you can argue that there are machines that are "root secure" but with
untrusted users that might try and run malicious fake NFSv4 clients on these
machines, but...)

If you want any sort of security for NFS mounts, you need to use
sec=krb5[ip]. There is work now in progress for NFS over TLS, but that isn't
implemented yet. (Just an internet draft at this point.)

As such, I consider it a feature and not a bug, rick

-- 
You are receiving this mail because:
You are the assignee for the bug.