Date: Mon, 14 Dec 2020 08:57:03 +0100
From: Alexander Leidinger
To: freebsd-fs@freebsd.org
Subject: Re: Major issues with nfsv4

Quoting Rick Macklem (from Fri, 11 Dec 2020 23:28:30 +0000):

>> While it's certainly possible to configure NFS not to require reserved
>> ports, the slightest possibility of a non-root user establishing a
>> session to the NFS server kills that as an option.
> Personally, I've never thought the reserved port# requirement provided
> any real security for most situations. Unless you set "vfs.usermount=1"
> only root can do the mount. For non-root to mount the NFS server
> when "vfs.usermount=0", a user would have to run their own custom hacked
> userland NFS client. Although doable, I have never heard of it being done.

22 years ago I wrote a userland NFS client (it triggered my first
contribution/bugfix to rpcgen in FreeBSD which was MFCed to FreeBSD
2.2.8) as a university project (an experimental computer with PRAM
technology didn't have a network stack but a host-interface to a
controlling server, and people wanted to access network shares, so the
controlling host was an NFS proxy, and I did this with an NFS userland
client). IIRC it was NFSv3. I had a little test-tool with a CUI in
which I was able to interactively list directories and open files (I
used that for testing). As this more or less was my first software
project I realized alone, and it was scheduled to be something to be
realized with a few man-hours per week during half a year, I would say
it is easy to do for someone with interest / motivation.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF