Date: Mon, 28 Feb 2011 09:48:32 -0600
From: Brooks Davis <brooks@freebsd.org>
To: net@freebsd.org
Subject: any is vfs.nfsrv.nfs_privport=0 by default
Message-ID: <20110228154831.GC41129@lor.one-eyed-alien.net>

vfs.nfsrv.nfs_privport controls whether or not NFS enforces the traditional RPC semantics that require that requests come from "privileged" ports. By default this check is disabled. Hardening guides typically suggest this be enabled, usually via the rc.conf knob nfs_reserved_port_only=YES.

I'm trying to find a good reason why the default is the way it is. Digging around in the source tree it appears that the rc.conf setting has been that way since either /etc/rc.conf or /etc/defaults/rc.conf has been in the tree. I do not consider the fact that the security provided is weak at best to be a good reason to disable it. I suspect support for PC-NFS or something like that may be the reason, but if that's the case it really doesn't make any sense.

-- Brooks
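
An added example, not part of the original message or of FreeBSD's own scripts: one way to audit the nfs_reserved_port_only knob mentioned above against the running vfs.nfsrv.nfs_privport value, reading rc.conf-style files as text instead of sourcing them. The function names and sample files are hypothetical and constructed for illustration; it assumes the knob appears as a plain name=value line.

```sh
#!/bin/sh
# Added example: audit nfs_reserved_port_only without sourcing rc.conf.

# Map a value the way rc.conf booleans are read: YES/TRUE/ON/1 or NO/FALSE/OFF/0.
normalize_yesno() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) echo YES ;;
        [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0) echo NO ;;
        "") echo UNSET ;;
        *) echo INVALID ;;
    esac
}

# Effective knob state across rc.conf-style files given in load order
# (e.g. /etc/defaults/rc.conf then /etc/rc.conf); the last assignment wins.
# Only plain "name=value" lines are understood (assumption); the files are
# read as text, never executed.
rc_knob_state() {
    val=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*nfs_reserved_port_only=\([^#]*\).*/\1/p' "$f" |
            tail -n 1 | tr -d "\"' \t")
        if [ -n "$v" ]; then val=$v; fi
    done
    normalize_yesno "$val"
}

# Combine the configured state with the running sysctl value
# (the output of: sysctl -n vfs.nfsrv.nfs_privport).
privport_finding() {
    case "$1:$2" in
        YES:1) echo "OK: reserved-port check configured and active" ;;
        YES:*) echo "WARN: knob is YES but the sysctl is not 1" ;;
        *:1)   echo "WARN: sysctl is 1 but the rc.conf knob is $1" ;;
        *)     echo "FAIL: requests from unprivileged ports are accepted" ;;
    esac
}

# Constructed sample files standing in for the two rc.conf locations.
demo_dir=$(mktemp -d)
printf 'nfs_reserved_port_only="NO"\t# constructed default\n' > "$demo_dir/defaults"
printf '#nfs_reserved_port_only="NO"\nnfs_reserved_port_only="yes"\n' > "$demo_dir/local"
demo_state=$(rc_knob_state "$demo_dir/defaults" "$demo_dir/local")
privport_finding "$demo_state" 0   # pass the live sysctl value on a real host
rm -rf "$demo_dir"
```

On a real server, pass /etc/defaults/rc.conf and /etc/rc.conf to rc_knob_state and the output of `sysctl -n vfs.nfsrv.nfs_privport` as the second argument of privport_finding.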