Re: requiring reserved NFS client ports by default
- Reply: Cy Schubert : "Re: requiring reserved NFS client ports by default"
- In reply to: Mark Johnston : "requiring reserved NFS client ports by default"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 17 Apr 2024 03:16:35 UTC
On 16 Apr 2024, at 18:05, Mark Johnston wrote: > It's common practice for NFS clients to bind to reserved ports (i.e., <= > 1023) since some NFS servers require this as a weak security measure > against attackers with network access to a server but without local > privileges. FreeBSD's NFS server does not require clients to use > privileged ports by default, but this can be changed by setting > nfs_reserved_port_only=YES in rc.conf. > > I would like to propose flipping the default for nfs_reserved_port_only. > This raises the bar a bit for a malicious agent able to execute > unprivileged code on a machine with network access to an unauthenticated > NFS server running FreeBSD. This behaviour would match the defaults on > Linux (the per-export "secure" attribute) and OpenBSD. > > The downside is increased pressure on the limited range of reserved port > numbers. However, the server will complain on the console if a request > arrives on an unreserved port, so diagnosis should be easy, and most > clients sport an option to not use a reserved port number (noresvport on > FreeBSD), so one can configure client mounts to use them only where > needed. And, the option is easy to disable on the server should that be > necessary. My aim here is to provide a safer out-of-the-box behaviour. > > Any comments, objections, feedback? I think this is a good idea. It should block one class of surreptitious access by unprivileged users on a machine in the export list, and there doesn't seem to be much downside. Mike