On Tue, 2025-05-13 at 17:14 +0200, Lionel Cons wrote: > On Tue, 13 May 2025 at 15:50, Jeff Layton <jlayton@xxxxxxxxxx> wrote: > > > > Back in the 80's someone thought it was a good idea to carve out a set > > of ports that only privileged users could use. When NFS was originally > > conceived, Sun made its server require that clients use low ports. > > Since Linux was following suit with Sun in those days, exportfs has > > always defaulted to requiring connections from low ports. > > > > These days, anyone can be root on their laptop, so limiting connections > > to low source ports is of little value. > > > > Make the default be "insecure" when creating exports. > > > > Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx> > > --- > > In discussion at the Bake-a-thon, we decided to just go for making > > "insecure" the default for all exports. > > This patch is one of the WORST ideas in recent times. > > While your assessment might be half-true for the average home office, > sites like universities, scientific labs and enterprise networks > consider RPC traffic being restricted to a port below 1024 as a layer > of security. > > The original idea was that only trusted people have "root" access, and > only uid=0/root can allocate TCP ports below 1024. > That is STILL TRUE for universities and other sides, and I think most > admins there will absolutely NOT appreciate that you disable a layer > of security just to please script kiddles and wanna-be hackers. > > I am going to fight this patch, to the BITTER end, with blood and biting. > Get your teeth ready then. Are your university networks segregated such that you have control over every client? If not, then the current regime of limiting connections to ports lower than 1024 is absolutely meaningless. As soon as you have one unmanaged client that can access the server via socket that measure is easily defeated. Windows machines (for instance) have no such restriction on opening low ports, and on *nix most users can easily be root on their own host these days. Also, if you're that concerned about security, why are you not using krb5? Note that using gssapi also disables the restriction to low ports, so I assume you must be using AUTH_UNIX? That's easily spoofable as well by an unmanaged client. Finally, I'm not disabling anything. We're simply setting the default to the value that _most_ users will want to use. If you feel that you have need to keep preventing inbound connections from ports lower than 1024, you can just set "secure" on your exports and go about your day. Cheers, -- Jeff Layton <jlayton@xxxxxxxxxx>
