From: Rick Macklem <rmacklem@uoguelph.ca>
To: freebsd-fs@freebsd.org, Alexander Leidinger
Subject: Re: Major issues with nfsv4
Date: Mon, 14 Dec 2020 15:05:43 +0000
Alexander Leidinger wrote:
> Quoting Rick Macklem
>>> While it's certainly possible to configure NFS not to require reserved
>>> ports, the slightest possibility of a non-root user establishing a
>>> session to the NFS server kills that as an option.
>> Personally, I've never thought the reserved port# requirement provided
>> any real security for most situations. Unless you set "vfs.usermount=1"
>> only root can do the mount. For non-root to mount the NFS server
>> when "vfs.usermount=0", a user would have to run their own custom hacked
>> userland NFS client. Although doable, I have never heard of it being done.
>
> 22 years ago I wrote a userland NFS client (it triggered my first
> contribution/bugfix to rpcgen in FreeBSD which was MFCed to FreeBSD
> 2.2.8) as a university project (an experimental computer with PRAM
> technology didn't have a network stack but a host-interface to a
> controlling server, and people wanted to access network shares, so the
> controlling host was an NFS proxy, and I did this with an NFS userland
> client). IIRC it was NFSv3. I had a little test-tool with a CUI in
> which I was able to interactively list directories and open files (I
> used that for testing). As this more or less was my first software
> project I realized alone, and it was scheduled to be something to be
> realized with a few man-hours per week during half a year, I would say
> it is easy to do for someone with interest / motivation.
It's a lot more work to do an NFSv4 one and if all your legitimate
NFS mounts are v4, you can probably disable NFSv3 support on the
NFS server (vfs.nfsd.server_min_version=4 on FreeBSD).

The NFS-over-TLS I now have in test mode for FreeBSD can help
w.r.t. this since it can be configured to require the client have an
X509 certificate for NFS to work. If you are interested in more info
on this https://people.freebsd.org/~rmacklem/nfs-over-tls-setup.txt

rick

> Bye,
> Alexander.
>
> --
> http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
> http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
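An added audit helper for the two server-side steps Rick's reply describes (refusing NFSv3 via vfs.nfsd.server_min_version, and requiring a client X.509 certificate for NFS-over-TLS); this is an example written here, not code from the thread or from FreeBSD. It assumes sysctl prints the setting as `vfs.nfsd.server_min_version: N` and assumes the `-tls`, `-tlscert` and `-tlscertuser` export options of FreeBSD's exports(5), which the mail does not name; the sample exports file is constructed.

```shell
#!/bin/sh
# Audit helper (added example, not from the thread or from FreeBSD).
# Assumptions: sysctl prints "vfs.nfsd.server_min_version: N", and the
# exports(5) options -tls / -tlscert / -tlscertuser exist for the
# NFS-over-TLS work; only -tlscert and -tlscertuser make the client
# present an X.509 certificate, -tls alone only encrypts the session.

# nfs_min_version: extract N from a "vfs.nfsd.server_min_version: N" line
nfs_min_version() {
    printf '%s\n' "$1" |
        sed -n 's/^vfs\.nfsd\.server_min_version: *\([0-9][0-9]*\).*/\1/p'
}

# nfsv3_disabled: succeeds when the server refuses NFSv3 (min version >= 4)
nfsv3_disabled() {
    v=$(nfs_min_version "$1")
    [ -n "$v" ] && [ "$v" -ge 4 ]
}

# exports_without_tlscert: print every export line that lets a client in
# without presenting a certificate (no -tlscert/-tlscertuser option).
# Blank lines, comments and the "V4:" root line carry no options and are skipped.
exports_without_tlscert() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            ''|'#'*|V4:*) ;;                  # nothing to check
            *-tlscert*) ;;                    # client must present a cert
            *) printf '%s\n' "$line" ;;       # reachable without a cert
        esac
    done
}

# Constructed sample /etc/exports used for the offline demonstration.
SAMPLE_EXPORTS='# constructed sample, not a real exports file
/srv/data -maproot=root -tlscert 192.0.2.0/24
/srv/pub -ro -tls 192.0.2.0/24
/srv/home -alldirs 192.0.2.10
V4: /srv'

# On a live FreeBSD NFS server the inputs would come from:
#   nfsv3_disabled "$(sysctl vfs.nfsd.server_min_version)" || echo "NFSv3 still enabled"
#   exports_without_tlscert "$(cat /etc/exports)"
```

Run against the constructed sample, the exports check lists /srv/pub (TLS without a client certificate) and /srv/home (plain NFS), while /srv/data passes.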