Date: Tue, 23 Apr 2024 16:56:07 GMT
Message-Id: <202404231656.43NGu7M5088993@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: 6d5ce2bb6344 - main - nfsserver: Default to nfs_reserved_port_only="YES"
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 6d5ce2bb63445e9c09c3b5c29fb18983e1e2628c

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=6d5ce2bb63445e9c09c3b5c29fb18983e1e2628c

commit 6d5ce2bb63445e9c09c3b5c29fb18983e1e2628c
Author:     Mark Johnston
AuthorDate: 2024-04-23 16:51:03 +0000
Commit:     Mark Johnston
CommitDate: 2024-04-23 16:54:46 +0000

    nfsserver: Default to nfs_reserved_port_only="YES"

    This setting causes the NFS server to check that all RPCs are sent from
    a privileged (<= 1023) port, rejecting those that are not. This
    slightly raises the bar for a user with network access to an
    unauthenticated NFS server to access exported NFS filesystems.

    Users that use traditional NFS clients (e.g., those provided by FreeBSD
    or Linux) should not see any difference, assuming that unprivileged
    filesystem mounting is disallowed.

    Note that the setting is per-VNET, so may be overridden in VNET jails
    without affecting the rest of the system.

    Discussed with:	freebsd-arch@
    Reviewed by:	rmacklem, bz, emaste
    Sponsored by:	The FreeBSD Foundation
    Differential Revision:	https://reviews.freebsd.org/D44906
---
 libexec/rc/rc.conf              | 2 +-
 sys/fs/nfsserver/nfs_nfsdkrpc.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf
index 96dd0c534dc2..6a8b6e257b17 100644
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@@ -386,7 +386,7 @@ nfs_server_maxio="131072" # Maximum I/O size for the nfsd. mountd_enable="NO" # Run mountd (or NO). mountd_flags="-r -S" # Flags to mountd (if NFS server enabled). weak_mountd_authentication="NO" # Allow non-root mount requests to be served. -nfs_reserved_port_only="NO" # Provide NFS only on secure port (or NO). +nfs_reserved_port_only="YES" # Provide NFS only on secure port (or NO). nfs_bufpackets="" # bufspace (in packets) for client rpc_lockd_enable="NO" # Run NFS rpc.lockd needed for client/server. rpc_lockd_flags="" # Flags to rpc.lockd (if enabled). diff --git a/sys/fs/nfsserver/nfs_nfsdkrpc.c b/sys/fs/nfsserver/nfs_nfsdkrpc.c index 022f7403d28b..ce1189d40425 100644 --- a/sys/fs/nfsserver/nfs_nfsdkrpc.c +++ b/sys/fs/nfsserver/nfs_nfsdkrpc.c @@ -82,7 +82,7 @@ int newnfs_nfsv3_procid[NFS_V3NPROCS] = { SYSCTL_DECL(_vfs_nfsd); -NFSD_VNET_DEFINE_STATIC(int, nfs_privport) = 0; +NFSD_VNET_DEFINE_STATIC(int, nfs_privport) = 1; SYSCTL_INT(_vfs_nfsd, OID_AUTO, nfs_privport, CTLFLAG_NFSD_VNET | CTLFLAG_RWTUN, &NFSD_VNET_NAME(nfs_privport), 0, "Only allow clients using a privileged port for NFSv2, 3 and 4");
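Review bot: the rc.conf hunk flips the shipped default for nfs_reserved_port_only to "YES", but the diffstat shows no change to the rc.conf(5) manual page, which documents the default for this variable; update it in the same change or state in the commit message that it is handled separately. The trailing comment `# Provide NFS only on secure port (or NO).` still reads correctly with the new default, so that line needs no further edit, and the adjacent `weak_mountd_authentication="NO"` is untouched, which is what one would expect here.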
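Review bot: in the nfs_nfsdkrpc.c hunk, changing `NFSD_VNET_DEFINE_STATIC(int, nfs_privport) = 1` alters behaviour for every server that never set the tunable, including VNET jails that inherit the default, and the commit message itself says clients mounting from an unprivileged port will now be rejected; since the diff touches only the two defaults, an UPDATING or release-note entry should tell operators how to restore the old behaviour (`vfs.nfsd.nfs_privport=0` as a tunable or sysctl, which `CTLFLAG_RWTUN` permits, or `nfs_reserved_port_only="NO"` in rc.conf). Changing the kernel default and the rc.conf default together is the right call, so that a system whose rc script never sets the sysctl and one that does end up in the same state. The description string "Only allow clients using a privileged port for NFSv2, 3 and 4" remains accurate.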