svn commit: r368165 - in stable/12/libexec/rc: . rc.d

Rick Macklem rmacklem at FreeBSD.org
Sun Nov 29 23:23:09 UTC 2020


Author: rmacklem
Date: Sun Nov 29 23:23:08 2020
New Revision: 368165
URL: https://svnweb.freebsd.org/changeset/base/368165

Log:
  MFC: r367423
  Add support for the new mountd -R option.
  
  r376026 added a new "-R" option to mountd, which tells it to
  not support the Mount protocol (not used by NFSv4) and not
  register with rpcbind.
  Rpcbind is considered a security issue by some sites now.
  
  This patch adds a new yes/no variable called nfsv4_server_only.
  When that is set, make vfs.nfsd.server_min_vers=4 and set "-R"
  for mountd.
  Setting vfs.nfsd.server_min_vers=4 tells nfsd to not register with rpcbind.
  While here, add a check for "load_kld nfsd" failing to nfsd.

Modified:
  stable/12/libexec/rc/rc.conf
  stable/12/libexec/rc/rc.d/mountd
  stable/12/libexec/rc/rc.d/nfsd
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/libexec/rc/rc.conf
==============================================================================
--- stable/12/libexec/rc/rc.conf	Sun Nov 29 19:43:33 2020	(r368164)
+++ stable/12/libexec/rc/rc.conf	Sun Nov 29 23:23:08 2020	(r368165)
@@ -375,6 +375,7 @@ rpc_ypupdated_enable="NO"	# Run if NIS master and Secu
 keyserv_enable="NO"		# Run the SecureRPC keyserver (or NO).
 keyserv_flags=""		# Flags to keyserv (if enabled).
 nfsv4_server_enable="NO"	# Enable support for NFSv4
+nfsv4_server_only="NO"		# Set NFS server to NFSv4 only
 nfscbd_enable="NO"		# NFSv4 client side callback daemon
 nfscbd_flags=""			# Flags for nfscbd
 nfsuserd_enable="NO"		# NFSv4 user/group name mapping daemon
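Review bot: The comment on `nfsv4_server_only` says neither how it relates to `nfsv4_server_enable` on the line above nor that it changes rpcbind handling. Going by the mountd and nfsd hunks in this commit, setting it skips `force_depend rpcbind`, passes `-R` to mountd and causes `weak_mountd_authentication` to be ignored. A comment such as `# Set NFS server to NFSv4 only (no rpcbind, mountd -R)` would tell operators what they are opting into.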

Modified: stable/12/libexec/rc/rc.d/mountd
==============================================================================
--- stable/12/libexec/rc/rc.d/mountd	Sun Nov 29 19:43:33 2020	(r368164)
+++ stable/12/libexec/rc/rc.d/mountd	Sun Nov 29 23:23:08 2020	(r368165)
@@ -20,13 +20,33 @@ extra_commands="reload"
 
 mountd_precmd()
 {
-	force_depend rpcbind || return 1
 
+	# Load the modules now, so that the vfs.nfsd sysctl
+	# oids are available.
+	load_kld nfsd || return 1
+
+	# Do not force rpcbind to be running for an NFSv4 only server.
+	#
+	if checkyesno nfsv4_server_only; then
+		echo 'NFSv4 only server'
+		sysctl vfs.nfsd.server_min_nfsvers=4 > /dev/null
+		sysctl vfs.nfsd.server_max_nfsvers=4 > /dev/null
+		rc_flags="${rc_flags} -R"
+	else
+		force_depend rpcbind || return 1
+	fi
+
 	# mountd flags will differ depending on rc.conf settings
 	#
-	if checkyesno nfs_server_enable ; then
+	if checkyesno nfs_server_enable || checkyesno nfsv4_server_only; then
 		if checkyesno weak_mountd_authentication; then
-			rc_flags="${mountd_flags} -n"
+			if checkyesno nfsv4_server_only; then
+				echo -n 'weak_mountd_authentication '
+				echo -n 'incompatible with nfsv4_server_only, '
+				echo 'ignored'
+			else
+				rc_flags="${rc_flags} -n"
+			fi
 		fi
 	else
 		if checkyesno mountd_enable; then
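Review bot: The two `sysctl` writes in the `nfsv4_server_only` branch of mountd_precmd are unchecked, so if either fails the script still appends `-R` and skips `force_depend rpcbind`. An operator who asked for an NFSv4-only server is then left with whatever version range was already set. Add `|| return 1` to each, e.g. `sysctl vfs.nfsd.server_min_nfsvers=4 > /dev/null || return 1`. Writing the max before the min would also be safer if the kernel rejects a minimum above the current maximum (not visible here), since the nfsd script sets the max to 3 when NFSv4 is disabled. mountd_precmd continues past the end of the hunk.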

Modified: stable/12/libexec/rc/rc.d/nfsd
==============================================================================
--- stable/12/libexec/rc/rc.d/nfsd	Sun Nov 29 19:43:33 2020	(r368164)
+++ stable/12/libexec/rc/rc.d/nfsd	Sun Nov 29 23:23:08 2020	(r368165)
@@ -26,7 +26,7 @@ nfsd_precmd()
 
 	# Load the modules now, so that the vfs.nfsd sysctl
 	# oids are available.
-	load_kld nfsd
+	load_kld nfsd || return 1
 
 	if checkyesno nfs_reserved_port_only; then
 		echo 'NFS on reserved port only=YES'
@@ -41,12 +41,15 @@ nfsd_precmd()
 
 	if checkyesno nfsv4_server_enable; then
 		sysctl vfs.nfsd.server_max_nfsvers=4 > /dev/null
-	else
+	elif ! checkyesno nfsv4_server_only; then
 		echo 'NFSv4 is disabled'
 		sysctl vfs.nfsd.server_max_nfsvers=3 > /dev/null
 	fi
 
-	force_depend rpcbind || return 1
+	if ! checkyesno nfsv4_server_only; then
+		force_depend rpcbind || return 1
+	fi
+
 	force_depend mountd || return 1
 	if [ -n "${nfs_server_vhost}" ]; then
 		command_args="-V \"${nfs_server_vhost}\""
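Review bot: With `nfsv4_server_only` set, nfsd_precmd skips `force_depend rpcbind` but never writes `vfs.nfsd.server_min_nfsvers` itself, and with `nfsv4_server_enable` unset it does not touch `server_max_nfsvers` either. The only writes in this commit are in mountd_precmd, which presumably runs from `force_depend mountd` only when mountd is not already running. If rc.conf is edited and only nfsd is restarted, the previous version range may stay in effect while the script behaves as NFSv4-only. Consider a branch here that sets both limits to 4 and returns 1 on failure, e.g. `sysctl vfs.nfsd.server_min_nfsvers=4 > /dev/null || return 1`. nfsd_precmd starts and ends outside the hunk.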

