On Tue, 13 May 2025 at 15:50, Jeff Layton <jlayton@xxxxxxxxxx> wrote:
>
> Back in the 80's someone thought it was a good idea to carve out a set
> of ports that only privileged users could use. When NFS was originally
> conceived, Sun made its server require that clients use low ports.
> Since Linux was following suit with Sun in those days, exportfs has
> always defaulted to requiring connections from low ports.
>
> These days, anyone can be root on their laptop, so limiting connections
> to low source ports is of little value.
>
> Make the default be "insecure" when creating exports.
>
> Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
> ---
> In discussion at the Bake-a-thon, we decided to just go for making
> "insecure" the default for all exports.

This patch is one of the WORST ideas in recent times.

While your assessment might be half-true for the average home office, sites like universities, scientific labs and enterprise networks consider RPC traffic being restricted to a port below 1024 as a layer of security.

The original idea was that only trusted people have "root" access, and only uid=0/root can allocate TCP ports below 1024. That is STILL TRUE for universities and other sites, and I think most admins there will absolutely NOT appreciate that you disable a layer of security just to please script kiddies and wanna-be hackers.

I am going to fight this patch, to the BITTER end, with blood and biting.

Lionel
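
Added example, not part of the thread or of nfs-utils: a small audit that lists which export entries set neither `secure` nor `insecure` explicitly, and so would follow whatever default exportfs applies. The sample exports text, paths, client names and function names are constructed for illustration, and the parsing is a simplified reading of exports(5) syntax.

```python
import shlex

# Constructed sample in exports(5) syntax; paths and client names are made up.
SAMPLE_EXPORTS = """\
# constructed example
/srv/home     *.lab.example(rw,sync,secure)
/srv/scratch  10.0.0.0/24(rw,sync) backup.example(ro,insecure)
/srv/pub      -ro,secure  *.example  kiosk.example(insecure)
/srv/data     \\
              hpc.example
"""

def port_policy(options):
    """Return 'secure' or 'insecure' if set explicitly, else None.
    Assumption: when both appear, the later option overrides the earlier."""
    explicit = [o for o in options if o in ("secure", "insecure")]
    return explicit[-1] if explicit else None

def audit_exports(text):
    """Return (path, client, policy) per client; None means the default applies."""
    findings = []
    joined = text.replace("\\\n", " ")            # join backslash-continued lines
    for raw in joined.splitlines():
        # shlex approximates exports(5) quoting and '#' comments
        fields = shlex.split(raw, comments=True)
        if not fields:
            continue
        path, line_defaults = fields[0], []
        for spec in fields[1:]:
            if spec.startswith("-"):              # "-opt,opt": defaults for rest of line
                line_defaults = spec[1:].split(",")
                continue
            client, _, opts = spec.partition("(")
            options = line_defaults + [o for o in opts.rstrip(")").split(",") if o]
            findings.append((path, client or "(any)", port_policy(options)))
    return findings

def relying_on_default(text):
    """Entries whose source-port requirement changes if the default changes."""
    return [(p, c) for p, c, policy in audit_exports(text) if policy is None]

if __name__ == "__main__":
    for path, client in relying_on_default(SAMPLE_EXPORTS):
        print(f"{path} {client}: no explicit secure/insecure, follows the default")
```

Entries reported here are the ones an administrator would pin with an explicit `secure` to keep the low-port requirement regardless of the default.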