Date: Wed, 17 Apr 2024 13:14:27 -0700
From: Cy Schubert <Cy.Schubert@cschubert.com>
To: Mike Karels <mike@karels.net>
Cc: Mark Johnston <markj@freebsd.org>, freebsd-arch@freebsd.org
Subject: Re: requiring reserved NFS client ports by default
Message-ID: <20240417201427.C547810C@slippy.cwsent.com>
In-Reply-To: <8666AC5F-F797-489F-944D-CD7B4D373766@karels.net>
References: <Zh8EUh2YiTpGT0mi@nuc> <8666AC5F-F797-489F-944D-CD7B4D373766@karels.net>
In message <8666AC5F-F797-489F-944D-CD7B4D373766@karels.net>, Mike Karels writes:
> On 16 Apr 2024, at 18:05, Mark Johnston wrote:
>
> > It's common practice for NFS clients to bind to reserved ports (i.e., <=
> > 1023) since some NFS servers require this as a weak security measure
> > against attackers with network access to a server but without local
> > privileges. FreeBSD's NFS server does not require clients to use
> > privileged ports by default, but this can be changed by setting
> > nfs_reserved_port_only=YES in rc.conf.
> >
> > I would like to propose flipping the default for nfs_reserved_port_only.
> > This raises the bar a bit for a malicious agent able to execute
> > unprivileged code on a machine with network access to an unauthenticated
> > NFS server running FreeBSD. This behaviour would match the defaults on
> > Linux (the per-export "secure" attribute) and OpenBSD.
> >
> > The downside is increased pressure on the limited range of reserved port
> > numbers. However, the server will complain on the console if a request
> > arrives on an unreserved port, so diagnosis should be easy, and most
> > clients sport an option to not use a reserved port number (noresvport on
> > FreeBSD), so one can configure client mounts to use them only where
> > needed. And, the option is easy to disable on the server should that be
> > necessary. My aim here is to provide a safer out-of-the-box behaviour.
> >
> > Any comments, objections, feedback?
>
> I think this is a good idea. It should block one class of surreptitious
> access by unprivileged users on a machine in the export list, and there
> doesn't seem to be much downside.
>
> Mike

Agreed.

-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org

e^(i*pi)+1=0
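Before flipping nfs_reserved_port_only on a server, an administrator would want to know which currently connected clients are not using reserved ports and would start being rejected. The following is an added example, not code from the thread or from FreeBSD: it parses `sockstat -4 -P tcp` style output (the sample below is constructed, not captured) and splits NFS client endpoints into those the reserved-port policy would accept (source port <= 1023) and those it would reject.

```python
import re

NFS_PORT = 2049
RESERVED_MAX = 1023  # only root may bind ports <= 1023 on the client

# Constructed sample of `sockstat -4 -P tcp` output on an NFS server; the
# FOREIGN ADDRESS column is the client side of each connection.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nfsd       812   5  tcp4   192.0.2.10:2049       192.0.2.21:843
root     nfsd       812   6  tcp4   192.0.2.10:2049       192.0.2.22:49211
root     nfsd       812   7  tcp4   *:2049                *:*
root     sshd       640   4  tcp4   192.0.2.10:22         198.51.100.5:51822
"""

# Greedy host match so the last ':' separates the port; this also works for
# IPv6 literals such as 2001:db8::1:2049 as printed by sockstat.
ADDR_RE = re.compile(r"^(?P<host>.+):(?P<port>\d+|\*)$")


def split_addr(addr):
    """Return (host, port) for 'host:port', or None for wildcards/junk."""
    m = ADDR_RE.match(addr)
    if not m or m.group("port") == "*":
        return None
    return m.group("host"), int(m.group("port"))


def audit_nfs_clients(sockstat_output):
    """Classify established NFS client endpoints by source port.

    Returns (accepted, rejected): 'host:port' strings that would pass or
    fail the reserved-port check if nfs_reserved_port_only=YES were set.
    """
    accepted, rejected = [], []
    for line in sockstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        local, foreign = split_addr(fields[5]), split_addr(fields[6])
        if local is None or foreign is None or local[1] != NFS_PORT:
            continue  # header, listening socket, or not the NFS service
        host, port = foreign
        (accepted if port <= RESERVED_MAX else rejected).append(f"{host}:{port}")
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = audit_nfs_clients(SAMPLE_SOCKSTAT)
    print("reserved-port clients:", ok)
    print("would be rejected:   ", bad)
```

Clients listed as rejected either need root-bound ports on their side or an explicit noresvport-style mount where the server is deliberately left permissive.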