Re: requiring reserved NFS client ports by default

On Mon, Apr 22, 2024 at 07:04:04PM +0000, Bjoern A. Zeeb wrote:
> On Tue, 16 Apr 2024, Mark Johnston wrote:
> 
> > It's common practice for NFS clients to bind to reserved ports (i.e., <=
> > 1023) since some NFS servers require this as a weak security measure
> > against attackers with network access to a server but without local
> > privileges.  FreeBSD's NFS server does not require clients to use
> > privileged ports by default, but this can be changed by setting
> > nfs_reserved_port_only=YES in rc.conf.
> > 
> > I would like to propose flipping the default for nfs_reserved_port_only.
> > This raises the bar a bit for a malicious agent able to execute
> > unprivileged code on a machine with network access to an unauthenticated
> > NFS server running FreeBSD.  This behaviour would match the defaults on
> > Linux (the per-export "secure" attribute) and OpenBSD.
> > 
> > The downside is increased pressure on the limited range of reserved port
> 
> Does it still?  Is it not per 4-tuple these days?

Well, I'd expect port N to be unusable for an NFS client if a service is
listening on that port.  And, if a client has many mounts from the same
server, it might be difficult to find a spare port.

> > numbers.  However, the server will complain on the console if a request
> > arrives on an unreserved port, so diagnosis should be easy, and most
> > clients sport an option to not use a reserved port number (noresvport on
> > FreeBSD), so one can configure client mounts to use them only where
> > needed.  And, the option is easy to disable on the server should that be
> > necessary.  My aim here is to provide a safer out-of-the-box behaviour.
> > 
> > Any comments, objections, feedback?
> 
> Yes, please do it!

https://reviews.freebsd.org/D44906