Date: Tue, 16 Apr 2024 19:05:54 -0400
From: Mark Johnston <markj@freebsd.org>
To: freebsd-arch@freebsd.org
Subject: requiring reserved NFS client ports by default
Message-ID: <Zh8EUh2YiTpGT0mi@nuc>
It's common practice for NFS clients to bind to reserved ports (i.e., <= 1023) since some NFS servers require this as a weak security measure against attackers with network access to a server but without local privileges. FreeBSD's NFS server does not require clients to use privileged ports by default, but this can be changed by setting nfs_reserved_port_only=YES in rc.conf.

I would like to propose flipping the default for nfs_reserved_port_only. This raises the bar a bit for a malicious agent able to execute unprivileged code on a machine with network access to an unauthenticated NFS server running FreeBSD. This behaviour would match the defaults on Linux (the per-export "secure" attribute) and OpenBSD.

The downside is increased pressure on the limited range of reserved port numbers. However, the server will complain on the console if a request arrives on an unreserved port, so diagnosis should be easy, and most clients sport an option to not use a reserved port number (noresvport on FreeBSD), so one can configure client mounts to use them only where needed. And, the option is easy to disable on the server should that be necessary.

My aim here is to provide a safer out-of-the-box behaviour. Any comments, objections, feedback?
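An added example (not part of the original message and not FreeBSD's own code): a small sh audit that works out the effective nfs_reserved_port_only value from rc.conf-style text and lists client fstab NFS mounts that use noresvport, which a server requiring reserved ports would refuse. The sample rc.conf and fstab contents, the host name fs1 and the function names are constructed for illustration; the YES/TRUE/ON/1 matching is intended to mirror how rc.subr's checkyesno reads such variables.

```shell
#!/bin/sh
# Added example; sample inputs below are constructed, not taken from a real host.

# Effective nfs_reserved_port_only from rc.conf-style text on stdin.
# rc.conf is sourced as shell, so the last assignment wins; with no
# assignment we report NO, the current default described in the message.
effective_reserved_port_only() {
    awk '
        /^[ \t]*nfs_reserved_port_only=/ {
            v = $0
            sub(/^[ \t]*nfs_reserved_port_only=/, "", v)
            sub(/[ \t]*#.*$/, "", v)        # drop a trailing comment
            gsub(/[^A-Za-z0-9]/, "", v)     # drop quotes and whitespace
            val = toupper(v)
        }
        END { print (val ~ /^(YES|TRUE|ON|1)$/ ? "YES" : "NO") }
    '
}

# Mount points of NFS entries in fstab-style text on stdin whose options
# include noresvport, i.e. clients that use unreserved source ports.
noresvport_mounts() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        $3 == "nfs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "noresvport") { print $2; break }
        }
    '
}

# $1: server rc.conf text, $2: client fstab text.
# Prints the client mounts that conflict with the server setting.
audit() {
    if [ "$(printf '%s\n' "$1" | effective_reserved_port_only)" = YES ]; then
        printf '%s\n' "$2" | noresvport_mounts
    fi
}

SAMPLE_RC='nfs_server_enable="YES"
nfs_reserved_port_only="NO"
nfs_reserved_port_only="YES"   # later line overrides the earlier one'

SAMPLE_FSTAB='# Device  Mountpoint  FStype  Options  Dump  Pass
fs1:/export/home  /home     nfs  rw,noresvport  0  0
fs1:/export/src   /usr/src  nfs  ro,nfsv4       0  0
/dev/ada0p2       /         ufs  rw             1  1'

audit "$SAMPLE_RC" "$SAMPLE_FSTAB"
```

Run against a server's rc.conf and each client's fstab before changing the setting, the output is the list of mounts that need noresvport removed.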