Date: Mon, 14 Dec 2020 15:05:43 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: "freebsd-fs@freebsd.org" <freebsd-fs@freebsd.org>, Alexander Leidinger <Alexander@leidinger.net>
Subject: Re: Major issues with nfsv4
Message-ID: <YQXPR0101MB096858DF787F845BB9398BDFDDC70@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <20201214085703.Horde.gA1tADBpbqeZbvgO3plk1f-@webmail.leidinger.net>
References: <CABXB=RRB2nUk0pPDisBQPdicUA3ooHpg8QvBwjG_nFU4cHvCYw@mail.gmail.com> <YQXPR0101MB096849ADF24051F7479E565CDDCA0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <CABXB=RSyN%2Bo2yXcpmYw8sCSUUDhN-w28Vu9v_cCWa-2=pLZmHg@mail.gmail.com> <YQXPR0101MB09680D155B6D685442B5E25EDDCA0@YQXPR0101MB0968.CANPRD01.PROD.OUTLOOK.COM> <20201214085703.Horde.gA1tADBpbqeZbvgO3plk1f-@webmail.leidinger.net>
Alexander Leidinger wrote:
>Quoting Rick Macklem <rmacklem@uoguelph.ca>
>>> While it's certainly possible to configure NFS not to require reserved
>>> ports, the slightest possibility of a non-root user establishing a
>>> session to the NFS server kills that as an option.
>> Personally, I've never thought the reserved port# requirement provided
>> any real security for most situations. Unless you set "vfs.usermount=1"
>> only root can do the mount. For non-root to mount the NFS server
>> when "vfs.usermount=0", a user would have to run their own custom hacked
>> userland NFS client. Although doable, I have never heard of it being done.
>
>22 years ago I wrote a userland NFS client (it triggered my first
>contribution/bugfix to rpcgen in FreeBSD which was MFCed to FreeBSD
>2.2.8) as a university project (an experimental computer with PRAM
>technology didn't have a network stack but a host-interface to a
>controlling server, and people wanted to access network shares, so the
>controlling host was an NFS proxy, and I did this with an NFS userland
>client). IIRC it was NFSv3. I had a little test-tool with a CUI in
>which I was able to interactively list directories and open files (I
>used that for testing). As this more or less was my first software
>project I realized alone, and it was scheduled to be something to be
>realized with a few man-hours per week during half a year, I would say
>it is easy to do for someone with interest / motivation.
It's a lot more work to do an NFSv4 one and if all your legitimate
NFS mounts are v4, you can probably disable NFSv3 support on the
NFS server (vfs.nfsd.server_min_version=4 on FreeBSD).

The NFS-over-TLS I now have in test mode for FreeBSD can help
w.r.t. this since it can be configured to require the client have an
X509 certificate for NFS to work. If you are interested in more info
on this https://people.freebsd.org/~rmacklem/nfs-over-tls-setup.txt

rick

Bye,
Alexander.

--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
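The reserved-port point Rick and Alexander go back and forth on, as an added example that is not part of the thread or of the FreeBSD code base: the wire format a userland NFS client has to produce is just ONC RPC (RFC 5531) over XDR, and the credential NFSv3 servers usually accept, AUTH_SYS, carries a uid and gid that the sender fills in. The code below builds an NFSv3 NULL call with such a credential, sends it from an ephemeral (non-reserved) source port, and parses the reply header. The machine name "client", the xid, the uid/gid values and the reply bytes in the test are constructed sample values, not anything captured from a real server.

```python
"""ONC RPC (RFC 5531) call construction for the NFSv3 NULL procedure.

Added example for this thread; not code from the FreeBSD project or from
either correspondent.  Machine name, xid and uid/gid values are constructed.
"""
import socket
import struct

RPC_VERSION = 2
MSG_CALL, MSG_REPLY = 0, 1
PROG_NFS = 100003          # RPC program number for NFS
NFS_V3 = 3
NFSPROC3_NULL = 0          # NULL procedure: no arguments, no result body
AUTH_NULL, AUTH_SYS = 0, 1


def xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque: 4-byte length, data, zero pad to a 4-byte boundary."""
    pad = (-len(data)) % 4
    return struct.pack(">I", len(data)) + data + b"\x00" * pad


def auth_sys_cred(uid: int, gid: int, gids=(), machinename: bytes = b"client", stamp: int = 0) -> bytes:
    """AUTH_SYS (AUTH_UNIX) credential body.  Every field, uid and gid included,
    is whatever the sender writes; nothing in the message lets the server check it."""
    body = struct.pack(">I", stamp) + xdr_opaque(machinename)
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    return body


def rpc_call(xid: int, prog: int, vers: int, proc: int, cred_flavor: int, cred_body: bytes) -> bytes:
    """Serialise an RPC CALL header with the given credential and an AUTH_NULL verifier."""
    hdr = struct.pack(">IIIIII", xid, MSG_CALL, RPC_VERSION, prog, vers, proc)
    cred = struct.pack(">I", cred_flavor) + xdr_opaque(cred_body)
    verf = struct.pack(">I", AUTH_NULL) + xdr_opaque(b"")
    return hdr + cred + verf


def nfs3_null_call(xid: int, uid: int, gid: int) -> bytes:
    """NFSv3 NULL call carrying an AUTH_SYS credential for the chosen uid/gid."""
    return rpc_call(xid, PROG_NFS, NFS_V3, NFSPROC3_NULL, AUTH_SYS, auth_sys_cred(uid, gid))


def decode_reply(msg: bytes) -> dict:
    """Parse the fixed part of an RPC reply: xid, reply_stat, verifier, accept_stat."""
    xid, msg_type, reply_stat = struct.unpack_from(">III", msg, 0)
    if msg_type != MSG_REPLY:
        raise ValueError("not an RPC reply")
    if reply_stat != 0:            # MSG_DENIED: RPC version mismatch or auth error
        return {"xid": xid, "accepted": False}
    verf_flavor, verf_len = struct.unpack_from(">II", msg, 12)
    off = 20 + verf_len + ((-verf_len) % 4)
    (accept_stat,) = struct.unpack_from(">I", msg, off)
    return {"xid": xid, "accepted": True, "accept_stat": accept_stat}


def send_from_unprivileged_port(msg: bytes, host: str, port: int = 2049, timeout: float = 2.0) -> bytes:
    """Send over UDP from an ephemeral (>1023) source port, which needs no privilege.
    Binding below 1024 is the step that requires root; that is all the
    reserved-port check on the server can actually verify."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("", 0))
        s.sendto(msg, (host, port))
        return s.recv(4096)


if __name__ == "__main__":
    import sys
    call = nfs3_null_call(xid=0x1234ABCD, uid=0, gid=0)
    print(f"{len(call)}-byte NFSv3 NULL call, uid=0 asserted by the client:")
    print(call.hex())
    if len(sys.argv) > 1:          # only touch the network when a server is named
        print(decode_reply(send_from_unprivileged_port(call, sys.argv[1])))
```

Run without arguments it only prints the encoded message; with a hostname it sends the NULL call to UDP port 2049 and prints the parsed reply. Because a NULL call is accepted regardless of export permissions, this is the probe a userland client would use to confirm it is talking to an NFSv3 server before issuing real procedures, and nothing in it required root once the server stops insisting on a source port below 1024.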