From: Mike Karels
To: Mark Johnston
Cc: freebsd-arch@freebsd.org
Subject: Re: requiring reserved NFS client ports by default
Date: Tue, 16 Apr 2024 22:16:35 -0500
Message-ID: <8666AC5F-F797-489F-944D-CD7B4D373766@karels.net>
List-Archive: https://lists.freebsd.org/archives/freebsd-arch

On 16 Apr 2024, at 18:05, Mark Johnston wrote:

> It's common practice for NFS clients to bind to reserved ports (i.e., <=
> 1023) since some NFS servers require this as a weak security measure
> against attackers with network access to a server but without local
> privileges. FreeBSD's NFS server does not require clients to use
> privileged ports by default, but this can be changed by setting
> nfs_reserved_port_only=YES in rc.conf.
>
> I would like to propose flipping the default for nfs_reserved_port_only.
> This raises the bar a bit for a malicious agent able to execute
> unprivileged code on a machine with network access to an unauthenticated
> NFS server running FreeBSD. This behaviour would match the defaults on
> Linux (the per-export "secure" attribute) and OpenBSD.
>
> The downside is increased pressure on the limited range of reserved port
> numbers. However, the server will complain on the console if a request
> arrives on an unreserved port, so diagnosis should be easy, and most
> clients sport an option to not use a reserved port number (noresvport on
> FreeBSD), so one can configure client mounts to use them only where
> needed. And, the option is easy to disable on the server should that be
> necessary. My aim here is to provide a safer out-of-the-box behaviour.
>
> Any comments, objections, feedback?

I think this is a good idea. It should block one class of surreptitious
access by unprivileged users on a machine in the export list, and there
doesn't seem to be much downside.

		Mike
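
An added example, not part of the thread or of FreeBSD's own tooling: a small sh audit for the trade-off discussed above. It reports whether an rc.conf-style file sets nfs_reserved_port_only and which fstab NFS entries use noresvport. The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-flight audit before an NFS server starts requiring
# reserved client ports. All file contents here are constructed samples.

# Effective nfs_reserved_port_only value in an rc.conf-style file
# (last assignment wins); prints "unset" when it is never assigned.
server_setting() {
    awk -F= '
        /^[ \t]*nfs_reserved_port_only=/ {
            v = $2; sub(/#.*/, "", v); gsub(/[" \t]/, "", v); val = v
        }
        END { print (val == "" ? "unset" : toupper(val)) }' "$1"
}

# NFS mounts in an fstab-style file whose options include noresvport.
# A server that requires reserved ports will refuse these mounts' requests.
noresvport_mounts() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        $3 ~ /^nfs4?$/ {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "noresvport") { print $1, $2; break }
        }' "$1"
}

# Write constructed sample files into directory $1.
make_samples() {
    cat > "$1/rc.conf" <<'EOF'
nfs_server_enable="YES"
nfs_reserved_port_only="NO"
nfs_reserved_port_only="YES"   # flipped during hardening
EOF
    cat > "$1/fstab" <<'EOF'
# Device            Mountpoint  FStype  Options               Dump Pass
/dev/ada0p2         /           ufs     rw                    1    1
filer:/export/home  /home       nfs     rw,noresvport,nfsv3   0    0
filer:/export/src   /usr/src    nfs     ro                    0    0
#filer:/export/old  /old        nfs     rw,noresvport         0    0
EOF
}

tmp=$(mktemp -d) && make_samples "$tmp"
echo "server requires reserved ports: $(server_setting "$tmp/rc.conf")"
echo "client mounts using noresvport:"
noresvport_mounts "$tmp/fstab"
rm -rf "$tmp"
```

"unset" only means the file itself has no assignment; on a FreeBSD host, `sysrc -n nfs_reserved_port_only` reports the effective value with the system defaults applied.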