mirror of
https://github.com/freebsd/freebsd-src
synced 2024-10-04 23:50:27 +00:00
nfsserver: Default to nfs_reserved_port_only="YES"
This setting causes the NFS server to check that all RPCs are sent from a privileged (<= 1023) port, rejecting those that are not. This slightly raises the bar for a user with network access to an unauthenticated NFS server to access exported NFS filesystems. Users that use traditional NFS clients (e.g., those provided by FreeBSD or Linux) should not see any difference, assuming that unprivileged filesystem mounting is disallowed. Note that the setting is per-VNET, so may be overridden in VNET jails without affecting the rest of the system. Discussed with: freebsd-arch@ Reviewed by: rmacklem, bz, emaste Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D44906
parent
fb2ab7ce52
commit
6d5ce2bb63
|
@ -386,7 +386,7 @@ nfs_server_maxio="131072" # Maximum I/O size for the nfsd.
|
|||
mountd_enable="NO" # Run mountd (or NO).
|
||||
mountd_flags="-r -S" # Flags to mountd (if NFS server enabled).
|
||||
weak_mountd_authentication="NO" # Allow non-root mount requests to be served.
|
||||
nfs_reserved_port_only="NO" # Provide NFS only on secure port (or NO).
|
||||
nfs_reserved_port_only="YES" # Provide NFS only on secure port (or NO).
|
||||
nfs_bufpackets="" # bufspace (in packets) for client
|
||||
rpc_lockd_enable="NO" # Run NFS rpc.lockd needed for client/server.
|
||||
rpc_lockd_flags="" # Flags to rpc.lockd (if enabled).
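Review bot: The trailing comment on `nfs_reserved_port_only` still calls this a "secure port", which overstates what the new YES default provides. Per the commit description, the check only rejects RPCs whose source port is above 1023 and "slightly raises the bar"; it does not authenticate the client. Since the line now ships enabled, I would reword it to something like `# Reject NFS RPCs from non-reserved (> 1023) source ports (or NO).` so administrators do not read it as a substitute for real authentication or network-level access control. Whether rc.conf(5) uses the same wording is not visible on this page and is worth checking alongside.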
|
||||
|
|
|
@ -82,7 +82,7 @@ int newnfs_nfsv3_procid[NFS_V3NPROCS] = {
|
|||
|
||||
SYSCTL_DECL(_vfs_nfsd);
|
||||
|
||||
NFSD_VNET_DEFINE_STATIC(int, nfs_privport) = 0;
|
||||
NFSD_VNET_DEFINE_STATIC(int, nfs_privport) = 1;
|
||||
SYSCTL_INT(_vfs_nfsd, OID_AUTO, nfs_privport, CTLFLAG_NFSD_VNET | CTLFLAG_RWTUN,
|
||||
&NFSD_VNET_NAME(nfs_privport), 0,
|
||||
"Only allow clients using a privileged port for NFSv2, 3 and 4");
|
||||
|
|
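Review bot: The initializer of `nfs_privport` flips to 1 with no comment recording why the compiled-in default is now enforcing, and the sysctl description string does not say the check is on by default. A one-line comment above the definition, e.g. `/* On by default: reject RPCs from non-reserved source ports; hardening only, not client authentication. */`, would keep the intent next to the value. The knob stays `CTLFLAG_RWTUN` and per-VNET, so it can be switched back off where needed. Hosts whose clients legitimately send from unprivileged source ports (for example behind NAT or with user-space clients) will presumably see requests rejected after an upgrade, so a note for upgraders, not visible on this page, would help operators diagnose that quickly.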