git: 6d5ce2bb6344 - main - nfsserver: Default to nfs_reserved_port_only="YES"

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Tue, 23 Apr 2024 16:56:07 UTC
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=6d5ce2bb63445e9c09c3b5c29fb18983e1e2628c

commit 6d5ce2bb63445e9c09c3b5c29fb18983e1e2628c
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-04-23 16:51:03 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-04-23 16:54:46 +0000

    nfsserver: Default to nfs_reserved_port_only="YES"
    
    This setting causes the NFS server to check that all RPCs are sent from
    a privileged (<= 1023) port, rejecting those that are not.  This
    slightly raises the bar for a user with network access to an
    unauthenticated NFS server to access exported NFS filesystems.
    
    Users that use traditional NFS clients (e.g., those provided by FreeBSD
    or Linux) should not see any difference, assuming that unprivileged
    filesystem mounting is disallowed.
    
    Note that the setting is per-VNET, so may be overridden in VNET jails
    without affecting the rest of the system.
    
    Discussed with: freebsd-arch@
    Reviewed by:    rmacklem, bz, emaste
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D44906
---
 libexec/rc/rc.conf              | 2 +-
 sys/fs/nfsserver/nfs_nfsdkrpc.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf
index 96dd0c534dc2..6a8b6e257b17 100644
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@@ -386,7 +386,7 @@ nfs_server_maxio="131072"	# Maximum I/O size for the nfsd.
 mountd_enable="NO"		# Run mountd (or NO).
 mountd_flags="-r -S"		# Flags to mountd (if NFS server enabled).
 weak_mountd_authentication="NO"	# Allow non-root mount requests to be served.
-nfs_reserved_port_only="NO"	# Provide NFS only on secure port (or NO).
+nfs_reserved_port_only="YES"	# Provide NFS only on secure port (or NO).
 nfs_bufpackets=""		# bufspace (in packets) for client
 rpc_lockd_enable="NO"		# Run NFS rpc.lockd needed for client/server.
 rpc_lockd_flags=""		# Flags to rpc.lockd (if enabled).
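Review bot: the trailing comment on the changed nfs_reserved_port_only line still says "Provide NFS only on secure port (or NO)", which overstates the check now that it is on by default. Per the commit message, the setting only requires RPCs to come from a source port <= 1023 and slightly raises the bar on an unauthenticated server. Suggest wording along the lines of "Require NFS clients to use a reserved (<= 1023) port (or NO)" so the YES default is not read as client authentication.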
diff --git a/sys/fs/nfsserver/nfs_nfsdkrpc.c b/sys/fs/nfsserver/nfs_nfsdkrpc.c
index 022f7403d28b..ce1189d40425 100644
--- a/sys/fs/nfsserver/nfs_nfsdkrpc.c
+++ b/sys/fs/nfsserver/nfs_nfsdkrpc.c
@@ -82,7 +82,7 @@ int newnfs_nfsv3_procid[NFS_V3NPROCS] = {
 
 SYSCTL_DECL(_vfs_nfsd);
 
-NFSD_VNET_DEFINE_STATIC(int, nfs_privport) = 0;
+NFSD_VNET_DEFINE_STATIC(int, nfs_privport) = 1;
 SYSCTL_INT(_vfs_nfsd, OID_AUTO, nfs_privport, CTLFLAG_NFSD_VNET | CTLFLAG_RWTUN,
     &NFSD_VNET_NAME(nfs_privport), 0,
     "Only allow clients using a privileged port for NFSv2, 3 and 4");