Page MenuHomeFreeBSD
Differential D44906

nfs: Default to nfs_reserved_port_only="YES"
ClosedPublic
Actions

Authored by markj on Apr 22 2024, 8:26 PM.
Tags
None
Referenced Files
F102865120: D44906.diff
Mon, Nov 18, 4:19 AM
Unknown Object (File)
Wed, Nov 13, 12:59 PM
Unknown Object (File)
Oct 10 2024, 12:35 AM
Unknown Object (File)
Oct 6 2024, 4:51 PM
Unknown Object (File)
Sep 29 2024, 5:00 PM
Unknown Object (File)
Sep 24 2024, 3:55 AM
Unknown Object (File)
Sep 23 2024, 7:38 PM
Unknown Object (File)
Sep 18 2024, 12:22 PM
View All 41 Files
Subscribers
bz
imp
olce

Details

Reviewers
emaste
rmacklem
bz
Commits
rG6d5ce2bb6344: nfsserver: Default to nfs_reserved_port_only="YES"
Summary

This setting causes the NFS server to check that all RPCs are sent from
a privileged (<= 1023) port, rejecting those that are not. This
slightly raises the bar for a user with network access to an
unauthenticated NFS server to access exported NFS filesystems.

Users that use traditional NFS clients (e.g., those provided by FreeBSD
or Linux) should not see any difference, assuming that unprivileged
filesystem mounting is disallowed.

Note that the setting is per-VNET, so may be overridden in VNET jails
without affecting the rest of the system.

Discussed with: freebsd-arch@
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 57303
Build 54191: arc lint + arc unit

Event Timeline

markj created this revision.Apr 22 2024, 8:26 PM
Herald added a subscriber: imp. · View Herald TranscriptApr 22 2024, 8:26 PM
markj requested review of this revision.Apr 22 2024, 8:26 PM
Harbormaster completed remote builds in B57282: Diff 137520.Apr 22 2024, 8:26 PM
rmacklem accepted this revision.Apr 22 2024, 9:52 PM

lgtm. I cannot recall if there is any man page change
needed for this?

This revision is now accepted and ready to land.Apr 22 2024, 9:52 PM
bz accepted this revision.Apr 22 2024, 9:54 PM
bz added a subscriber: bz.
In D44906#1023836, @rmacklem wrote:

lgtm. I cannot recall if there is any man page change
needed for this?

man 5 rc.conf doesn't seem to specify a default; so at least that is fine.

emaste accepted this revision.Apr 23 2024, 1:09 AM

Should we change the in-kernel default as well? It will normally be overridden by the rc.conf setting so it doesn't have a practical impact but probably good for consistency.

bz added a comment.Apr 23 2024, 1:16 AM
In D44906#1023886, @emaste wrote:

Should we change the in-kernel default as well? It will normally be overridden by the rc.conf setting so it doesn't have a practical impact but probably good for consistency.

Would NFS Root be affected by that? Hmm it's a tunable so less of a problem in case people do have trouble. That should probably be documented somewhere then though..

markj added a comment.Apr 23 2024, 1:19 AM
In D44906#1023888, @bz wrote:
In D44906#1023886, @emaste wrote:

Should we change the in-kernel default as well? It will normally be overridden by the rc.conf setting so it doesn't have a practical impact but probably good for consistency.

Would NFS Root be affected by that? Hmm it's a tunable so less of a problem in case people do have trouble.

This is a server setting, so I wouldn't expect so.

olce added a subscriber: olce.Apr 23 2024, 1:22 AM

There's also NFS_REQRSVPORT, but it is unrelated I guess?

In D44906#1023886, @emaste wrote:

Should we change the in-kernel default as well? It will normally be overridden by the rc.conf setting so it doesn't have a practical impact but probably good for consistency.

+1

bz added a comment.Apr 23 2024, 1:26 AM
In D44906#1023889, @markj wrote:
In D44906#1023888, @bz wrote:
In D44906#1023886, @emaste wrote:

Should we change the in-kernel default as well? It will normally be overridden by the rc.conf setting so it doesn't have a practical impact but probably good for consistency.

Would NFS Root be affected by that? Hmm it's a tunable so less of a problem in case people do have trouble.

This is a server setting, so I wouldn't expect so.

Sorry for the noise. 3:20AM and just had a NFS Root client "hang" for the 5min timeout. Time to stop for yestoday.

markj added a comment.Apr 23 2024, 1:29 AM
In D44906#1023891, @olce wrote:

There's also NFS_REQRSVPORT, but it is unrelated I guess?

Oh hmm, not unrelated, but at a glance I think it is superseded by the privport check. That is, all code paths which lead there first have to go through the privport check. But I could be wrong about this.

olce added a comment.Apr 23 2024, 1:38 AM
In D44906#1023893, @markj wrote:

Oh hmm, not unrelated, but at a glance I think it is superseded by the privport check. That is, all code paths which lead there first have to go through the privport check. But I could be wrong about this.

It feels like NFS_REQRSVPORT is older but apparently it was introduced by the same (initial) commit as the if (nfs_privport ... check (9ec7b004d0edb). Maybe replacing NFS_REQRSVPORT by a runtime check for nfs_privport would make sense, but I don't really know this code. It may be instead that the code under NFS_REQRSVPORT is redundant, I'm not sure either. In any case, this would be a separate change.

rmacklem added a comment.Apr 23 2024, 5:22 AM
In D44906#1023894, @olce wrote:
In D44906#1023893, @markj wrote:

Oh hmm, not unrelated, but at a glance I think it is superseded by the privport check. That is, all code paths which lead there first have to go through the privport check. But I could be wrong about this.

It feels like NFS_REQRSVPORT is older but apparently it was introduced by the same (initial) commit as the if (nfs_privport ... check (9ec7b004d0edb). Maybe replacing NFS_REQRSVPORT by a runtime check for nfs_privport would make sense, but I don't really know this code. It may be instead that the code under NFS_REQRSVPORT is redundant, I'm not sure either. In any case, this would be a separate change.

Wow, this one is embarrassing... 25+ years ago I was using OpenBSD for various things and
put this code in (OpenBSD didn't have a port# check). Then, 25 years ago, I did the first
rendition of NFSv4 starting from that OpenBSD code. The comment comes from the fact
that the NFSv4 working group was anti-reserved port# in those days.

It's cruft that has never been built for FreeBSD. I can get rid of it (or Mark can).

markj added a comment.Apr 23 2024, 4:05 PM
In D44906#1023898, @rmacklem wrote:
In D44906#1023894, @olce wrote:
In D44906#1023893, @markj wrote:

Oh hmm, not unrelated, but at a glance I think it is superseded by the privport check. That is, all code paths which lead there first have to go through the privport check. But I could be wrong about this.

It feels like NFS_REQRSVPORT is older but apparently it was introduced by the same (initial) commit as the if (nfs_privport ... check (9ec7b004d0edb). Maybe replacing NFS_REQRSVPORT by a runtime check for nfs_privport would make sense, but I don't really know this code. It may be instead that the code under NFS_REQRSVPORT is redundant, I'm not sure either. In any case, this would be a separate change.

Wow, this one is embarrassing... 25+ years ago I was using OpenBSD for various things and
put this code in (OpenBSD didn't have a port# check). Then, 25 years ago, I did the first
rendition of NFSv4 starting from that OpenBSD code. The comment comes from the fact
that the NFSv4 working group was anti-reserved port# in those days.

It's cruft that has never been built for FreeBSD. I can get rid of it (or Mark can).

I'll leave it to you. :)

markj updated this revision to Diff 137554.Apr 23 2024, 4:06 PM

Initialize the sysctl to 1 as well.

This revision now requires review to proceed.Apr 23 2024, 4:06 PM
Harbormaster completed remote builds in B57303: Diff 137554.Apr 23 2024, 4:06 PM
rmacklem accepted this revision.Apr 23 2024, 4:08 PM

lgtm

This revision is now accepted and ready to land.Apr 23 2024, 4:08 PM
emaste accepted this revision.Apr 23 2024, 4:49 PM
Closed by commit rG6d5ce2bb6344: nfsserver: Default to nfs_reserved_port_only="YES" (authored by markj). · Explain WhyApr 23 2024, 4:56 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rG6d5ce2bb6344: nfsserver: Default to nfs_reserved_port_only="YES".

Revision Contents
Changeset List

PathSize
9 lines
libexec/
rc/
2 lines
sys/
fs/
nfsserver/
2 lines

Diff 137554

View Options

RELNOTES

Loading...
View Options

libexec/rc/rc.conf

Loading...
View Options

sys/fs/nfsserver/nfs_nfsdkrpc.c

Loading...