Re: requiring reserved NFS client ports by default

On 16 Apr 2024, at 18:05, Mark Johnston wrote:

> It's common practice for NFS clients to bind to reserved ports (i.e., <=
> 1023) since some NFS servers require this as a weak security measure
> against attackers with network access to a server but without local
> privileges.  FreeBSD's NFS server does not require clients to use
> privileged ports by default, but this can be changed by setting
> nfs_reserved_port_only=YES in rc.conf.
>
> I would like to propose flipping the default for nfs_reserved_port_only.
> This raises the bar a bit for a malicious agent able to execute
> unprivileged code on a machine with network access to an unauthenticated
> NFS server running FreeBSD.  This behaviour would match the defaults on
> Linux (the per-export "secure" attribute) and OpenBSD.
>
> The downside is increased pressure on the limited range of reserved port
> numbers.  However, the server will complain on the console if a request
> arrives on an unreserved port, so diagnosis should be easy, and most
> clients sport an option to not use a reserved port number (noresvport on
> FreeBSD), so one can configure client mounts to use them only where
> needed.  And, the option is easy to disable on the server should that be
> necessary.  My aim here is to provide a safer out-of-the-box behaviour.
>
> Any comments, objections, feedback?

I think this is a good idea.  It should block one class of surreptitious
access by unprivileged users on a machine in the export list, and there
doesn't seem to be much downside.

		Mike