From owner-svn-src-stable@freebsd.org Fri Dec 28 00:10:32 2018 Return-Path: Delivered-To: svn-src-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 24FAA14275E4; Fri, 28 Dec 2018 00:10:32 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id A73EC6B0F7; Fri, 28 Dec 2018 00:10:31 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 976DD1B128; Fri, 28 Dec 2018 00:10:31 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id wBS0AVfS034595; Fri, 28 Dec 2018 00:10:31 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id wBS0AVkE034594; Fri, 28 Dec 2018 00:10:31 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <201812280010.wBS0AVkE034594@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f From: Rick Macklem Date: Fri, 28 Dec 2018 00:10:31 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r342561 - stable/12/sys/fs/nfsserver X-SVN-Group: stable-12 X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: stable/12/sys/fs/nfsserver X-SVN-Commit-Revision: 342561 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: A73EC6B0F7 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.95 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_LONG(-1.00)[-0.998,0]; NEURAL_HAM_SHORT(-0.95)[-0.955,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Dec 2018 00:10:32 -0000 Author: rmacklem Date: Fri Dec 28 00:10:31 2018 New Revision: 342561 URL: https://svnweb.freebsd.org/changeset/base/342561 Log: MFC: r342286 Fix the NFSv4 server to obey vfs.nfsd.nfs_privport. When the NFSv4 server was coded, I believed that the specification authors did not want NFSv4 servers to require a client to use a reserved port#. However, recently it has been noted that the Linux NFSv4 server does support a check for a reserved port#. Since both the FreeBSD and Linux NFSv4 clients use a reserved port# by default, enabling vfs.nfsd.nfs_privport to require a reserved port# for NFSv4 the same as it does for NFSv2, 3 seems reasonable. The only case where this could cause a POLA violation is a FreeBSD NFSv4 server with vfs.nfsd.nfs_privport set, but with NFSv4 clients doing mounts without using a reserved port# (< 1024). Modified: stable/12/sys/fs/nfsserver/nfs_nfsdkrpc.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sys/fs/nfsserver/nfs_nfsdkrpc.c ============================================================================== --- stable/12/sys/fs/nfsserver/nfs_nfsdkrpc.c Thu Dec 27 23:27:48 2018 (r342560) +++ stable/12/sys/fs/nfsserver/nfs_nfsdkrpc.c Fri Dec 28 00:10:31 2018 (r342561) @@ -90,7 +90,7 @@ SVCPOOL *nfsrvd_pool; static int nfs_privport = 0; SYSCTL_INT(_vfs_nfsd, OID_AUTO, nfs_privport, CTLFLAG_RWTUN, &nfs_privport, 0, - "Only allow clients using a privileged port for NFSv2 and 3"); + "Only allow clients using a privileged port for NFSv2, 3 and 4"); static int nfs_minvers = NFS_VER2; SYSCTL_INT(_vfs_nfsd, OID_AUTO, server_min_nfsvers, CTLFLAG_RWTUN, @@ -166,7 +166,7 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt) nd.nd_mreq = NULL; nd.nd_cred = NULL; - if (nfs_privport && (nd.nd_flag & ND_NFSV4) == 0) { + if (nfs_privport != 0) { /* Check if source port is privileged */ u_short port; struct sockaddr *nam = nd.nd_nam;