[Bug 234106] nfsv4 server ignores nfs_reserved_port_only="YES"

bugzilla-noreply at freebsd.org
Mon Dec 17 22:40:58 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234106

--- Comment #3 from Rick Macklem <rmacklem at FreeBSD.org> ---
When NFSv4 was being developed, I recall the specification authors
clearly stating that "a reserved port# does not provide security and
is not to be required for NFSv4 client mounts".
I recall this being stated in the RFC, but I wasn't able to find
it on a quick search (they are 275->500+ page documents).

As such, the code does not require a reserved port# for NFSv4 mounts.
(And I agree with the authors that it does not enhance security,
 since all it tells the server is that the "mounter" is root on
 the client. I suppose you can argue that there are machines that
 are "root secure" but with untrusted users that might try and
 run malicious fake NFSv4 clients on these machines, but...)
If you want any sort of security for NFS mounts, you need to use
sec=krb5[ip].
There is work now in progress for NFS over TLS, but that isn't
implemented yet. (Just an internet draft at this point.)

As such, I consider it a feature and not a bug, rick


More information about the freebsd-bugs mailing list