review of new mountd option disabling use of rpcbind
    Rick Macklem
    rmacklem at uoguelph.ca
    Tue Oct 20 14:37:28 UTC 2020
Peter Eriksson wrote:
> Suggestion:
> Add a check for sysctl vfs.nfsd.server_min_nfsvers and if set to 4 or higher - 
> automatically enable the “-R” option.
I actually have patches to the /etc/rc.d scripts that both set
vfs.nfsd.server_min_nfsvers=4 and the "-R" option.
The reason I went with an explicit "-R" is that I thought having mountd
magically stop registering with rpcbind might be considered a POLA
violation.
--> With the explicit "-R" option, it will only happen if the "-R" flag is
      set or if nfsv4_server_only="YES" is put in /etc/rc.conf (which is new,
      so it will be expected to result in different behaviour).
A second reason where the explicit "-R" might be preferred is:
if the nfsd is a loadable module, it is loaded by mountd.
However, to set the sysctl, it must be loaded before starting mountd.
(This is done by the /etc/rc.d/mountd script, so it is not a big issue, but
 might affect someone?)
However, nfsd already chooses to not register with rpcbind when
vfs.nfsd.server_min_nfsvers, so I can also see an argument for doing
what you suggest, since it is consistent with what nfsd does.
I don't have a strong opinion either way.
What do others think?
Thanks for the comment, rick
> - Peter
> On 20 Oct 2020, at 02:56, Rick Macklem <rmacklem at uoguelph.ca> wrote:
>
> Hi,
>
> I've put a patch up on phabricator that adds a new option to mountd
> which disables use of rpcbind. This can be done for NFSv4 only servers.
> It appears that rpcbind is now considered a security risk by some.
>
> I listed freqlabs@ as a reviewer, but if anyone else would like to review
> it, please do so. (Someone has reviewed the man page update already.
> Thanks bcr at .)
>
> It's D26746.
>
> rick
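An added example, not Rick's D26746 patch and not the FreeBSD rc.d scripts: a shell helper that derives mountd_flags from vfs.nfsd.server_min_nfsvers the way Peter suggests, plus a check that reads rpcinfo -p output and reports mountd/nfs registrations that an NFSv4-only server started with -R should no longer have. The sysctl and rc.conf names come from the thread; the function names and the sample rpcinfo output are mine (constructed).

```shell
#!/bin/sh
# Added example, not Rick's D26746 patch nor the FreeBSD rc.d scripts.
# Two helpers for the "-R" discussion: one derives mountd flags from the
# configured minimum NFS version, the other audits rpcinfo -p output for
# registrations an NFSv4-only (-R) server should no longer have.
# Assumed: the sysctl vfs.nfsd.server_min_nfsvers and the rc.conf variable
# mountd_flags are the real names from the thread; function names are mine.

# mountd_flags_for_min_vers MIN_VERS FLAGS -> prints FLAGS, adding -R
# (once) when MIN_VERS is 4 or higher, i.e. the server is NFSv4-only.
mountd_flags_for_min_vers() {
    min_vers=$1; flags=$2
    case "$min_vers" in
        ''|*[!0-9]*) printf '%s\n' "$flags"; return 1 ;;   # not numeric
    esac
    if [ "$min_vers" -ge 4 ]; then
        case " $flags " in
            *' -R '*) printf '%s\n' "$flags" ;;             # already set
            *)        printf '%s\n' "${flags:+$flags }-R" ;;
        esac
    else
        printf '%s\n' "$flags"
    fi
}

# rpc_nfs_registrations < rpcinfo-p-output -> prints the service names of
# mountd/nfs entries still registered with rpcbind; exits 1 if any exist.
rpc_nfs_registrations() {
    awk '$5 == "mountd" || $5 == "nfs" { print $5; found = 1 }
         END { exit found ? 1 : 0 }'
}

# Constructed sample of "rpcinfo -p" output from a server started without -R:
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100005    3   tcp    874  mountd
    100003    3   tcp   2049  nfs'

# Live use on a FreeBSD host:
#   mountd_flags="$(mountd_flags_for_min_vers "$(sysctl -n vfs.nfsd.server_min_nfsvers)" "$mountd_flags")"
#   rpcinfo -p | rpc_nfs_registrations || echo "mountd/nfs still registered with rpcbind"
```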