Major issues with nfsv4

Rick Macklem rmacklem at uoguelph.ca
Mon Dec 14 15:05:50 UTC 2020


Alexander Leidinger wrote:
>Quoting Rick Macklem <rmacklem at uoguelph.ca>
>>> While it's certainly possible to configure NFS not to require reserved
>>> ports, the slightest possibility of a non-root user establishing a
>>> session to the NFS server kills that as an option.
>> Personally, I've never thought the reserved port# requirement provided
>> any real security for most situations. Unless you set "vfs.usermount=1"
>> only root can do the mount. For non-root to mount the NFS server
>> when "vfs.usermount=0", a user would have to run their own custom hacked
>> userland NFS client. Although doable, I have never heard of it being done.
>
>22 years ago I wrote a userland NFS client (it triggered my first
>contribution/bugfix to rpcgen in FreeBSD which was MFCed to FreeBSD
>2.2.8) as a university project (an experimental computer with PRAM
>technology didn't have a network stack but a host-interface to a
>controlling server, and people wanted to access network shares, so the
>controlling host was an NFS proxy, and I did this with an NFS userland
>client). IIRC it was NFSv3. I had a little test-tool with a CUI in
>which I was able to interactively list directories and open files (I
>used that for testing). As this more or less was my first software
>project I realized alone, and it was scheduled to be something to be
>realized with a few man-hours per week during half a year, I would say
>it is easy to do for someone with interest / motivation.
It's a lot more work to do an NFSv4 one and if all your legitimate
NFS mounts are v4, you can probably disable NFSv3 support on the
NFS server (vfs.nfsd.server_min_version=4 on FreeBSD).

The NFS-over-TLS I now have in test mode for FreeBSD can help
w.r.t. this, since it can be configured to require the client to have an
X509 certificate for NFS to work. If you are interested in more info
on this: https://people.freebsd.org/~rmacklem/nfs-over-tls-setup.txt

rick
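An added example, not code from the thread or from FreeBSD: a small POSIX sh audit of the two sysctl knobs Rick mentions, vfs.usermount (client side, whether non-root users can mount) and vfs.nfsd.server_min_version (server side, whether NFSv3 is still served). It reads "name: value" lines in the format `sysctl` prints and runs here on constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): audit the NFS-related sysctl values
# discussed above.  Input is "name: value" lines as printed by FreeBSD's
# sysctl(8); the two samples below are constructed so this runs anywhere.

SAMPLE_WEAK='vfs.usermount: 1
vfs.nfsd.server_min_version: 2'

SAMPLE_OK='vfs.usermount: 0
vfs.nfsd.server_min_version: 4'

# sysctl_val NAME: print the value of NAME from sysctl-style lines on stdin.
sysctl_val() {
    awk -v k="$1:" '$1 == k { print $2; exit }'
}

# nfs_audit: read sysctl-style lines on stdin, print one finding per knob,
# return 0 when both are hardened, 1 when either still needs attention.
nfs_audit() {
    input=$(cat)
    rc=0
    um=$(printf '%s\n' "$input" | sysctl_val vfs.usermount)
    minv=$(printf '%s\n' "$input" | sysctl_val vfs.nfsd.server_min_version)
    # Client side: with vfs.usermount=0 only root can perform the mount.
    if [ "${um:-0}" != 0 ]; then
        echo "WEAK: vfs.usermount=$um lets non-root users mount (set vfs.usermount=0)"
        rc=1
    else
        echo "OK: vfs.usermount=0, only root can mount"
    fi
    # Server side: the FreeBSD default minimum version is 2, so NFSv3 is served
    # unless the minimum is raised to 4 (only if every legitimate mount is v4).
    if [ "${minv:-2}" -lt 4 ]; then
        echo "WEAK: vfs.nfsd.server_min_version=$minv still serves NFSv3 (set it to 4)"
        rc=1
    else
        echo "OK: vfs.nfsd.server_min_version=$minv, NFSv3 disabled"
    fi
    return $rc
}

# On a live FreeBSD host (assumption: run as root) the input would come from:
#   sysctl vfs.usermount vfs.nfsd.server_min_version | nfs_audit
printf '%s\n' "$SAMPLE_WEAK" | nfs_audit || echo "-> weak sample needs attention"
printf '%s\n' "$SAMPLE_OK" | nfs_audit || echo "-> ok sample needs attention"
```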




