From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 234106] nfsv4 server ignores nfs_reserved_port_only="YES"
Date: Mon, 17 Dec 2018 22:40:55 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: misc
X-Bugzilla-Version: 11.2-RELEASE
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: rmacklem@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: bugs@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234106

--- Comment #3 from Rick Macklem ---

When NFSv4 was being developed, I recall the specification authors clearly
stating that "a reserved port# does not provide security and is not to be
required for NFSv4 client mounts". I recall this being stated in the RFC, but
I wasn't able to find it on a quick search (they are 275->500+ page documents).

As such, the code does not require a reserved port# for NFSv4 mounts.
(And I agree with the authors that it does not enhance security, since all it
tells the server is that the "mounter" is root on the client. I suppose you
can argue that there are machines that are "root secure" but with untrusted
users that might try and run malicious fake NFSv4 clients on these machines,
but...)

If you want any sort of security for NFS mounts, you need to use sec=krb5[ip].
There is work now in progress for NFS over TLS, but that isn't implemented yet.
(Just an internet draft at this point.)

As such, I consider it a feature and not a bug, rick
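The comment above puts the security decision on the authentication flavour (sec=krb5, krb5i or krb5p) rather than on the client's source port. The following script is an added example, not code from this bug thread or from FreeBSD: it parses exports(5)-style lines and reports which exports still accept AUTH_SYS, either because they list sys explicitly in -sec or because they give no -sec at all (in which case sys is the default). The sample exports content is constructed for illustration, and the parser assumes the exports(5) token layout (path tokens first, then -options, then host names, with -network and -mask allowed to take a separate argument).

```python
"""Audit exports(5)-style lines for NFS exports that still allow AUTH_SYS.

Added example, not from the bug thread or from FreeBSD.  Assumes the
exports(5) syntax: leading path tokens, then -options, then hosts;
-sec takes a colon-separated flavour list and defaults to "sys";
-network and -mask may take their argument as a separate token.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample exports file (not taken from any real server).
SAMPLE_EXPORTS = """\
# constructed example for illustration only
V4: /export -sec=krb5:krb5i:krb5p
/export/home -sec=krb5p -network 192.0.2.0/24
/export/scratch -maproot=root -network 192.0.2.0/24
/export/pub -ro -sec=sys:krb5 -network 198.51.100.0/24
/export/data -sec=krb5i host1.example.net host2.example.net
"""

# Options whose argument may follow as a separate whitespace-separated token.
SEPARATE_ARG_OPTS = {"network", "mask"}


@dataclass
class ExportEntry:
    paths: List[str]
    flavors: List[str]                 # security flavours in effect
    hosts: List[str] = field(default_factory=list)
    networks: List[str] = field(default_factory=list)
    is_v4_root: bool = False           # the "V4:" root line
    sec_explicit: bool = False         # True when -sec= was given

    def allows_auth_sys(self) -> bool:
        return "sys" in self.flavors


def parse_exports(text: str) -> List[ExportEntry]:
    """Parse exports(5)-style text into ExportEntry records."""
    entries: List[ExportEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments/blank lines
        if not line:
            continue
        tokens = line.split()
        is_v4 = tokens[0] == "V4:"
        if is_v4:
            tokens = tokens[1:]
        paths: List[str] = []
        while tokens and tokens[0].startswith("/"):
            paths.append(tokens.pop(0))
        flavors, sec_explicit = ["sys"], False     # exports(5) default is sys
        hosts: List[str] = []
        networks: List[str] = []
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("-"):
                name, has_eq, value = tok[1:].partition("=")
                if name == "sec":
                    flavors = [f for f in value.split(":") if f]
                    sec_explicit = True
                elif name in SEPARATE_ARG_OPTS:
                    if not has_eq and i + 1 < len(tokens):
                        i += 1                   # consume the separate argument
                        value = tokens[i]
                    if name == "network":
                        networks.append(value)
                # other options (-ro, -maproot=..., -alldirs, ...) are not audited
            else:
                hosts.append(tok)                # bare tokens are host names
            i += 1
        entries.append(ExportEntry(paths=paths, flavors=flavors, hosts=hosts,
                                   networks=networks, is_v4_root=is_v4,
                                   sec_explicit=sec_explicit))
    return entries


def weak_exports(entries: List[ExportEntry]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every export that still accepts AUTH_SYS."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if not e.allows_auth_sys():
            continue
        reason = ("-sec list includes sys" if e.sec_explicit
                  else "no -sec option; defaults to AUTH_SYS")
        for p in e.paths:
            findings.append((p, reason))
    return findings


if __name__ == "__main__":
    for path, reason in weak_exports(parse_exports(SAMPLE_EXPORTS)):
        print(f"{path}: {reason}")
```

Run against a real /etc/exports by reading the file into parse_exports(); the audit keys purely on the flavour list, which is the property the comment says actually matters, while the client's source port never enters the decision.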