> On May 13, 2025, at 10:16 PM, NeilBrown <neil@xxxxxxxxxx> wrote:
>
> On Tue, 13 May 2025, Jeff Layton wrote:
>> Back in the 80's someone thought it was a good idea to carve out a set
>> of ports that only privileged users could use. When NFS was originally
>> conceived, Sun made its server require that clients use low ports.
>> Since Linux was following suit with Sun in those days, exportfs has
>> always defaulted to requiring connections from low ports.
>>
>> These days, anyone can be root on their laptop, so limiting connections
>> to low source ports is of little value.
>
> But who is going to export any filesystem to their laptop?
>
>>
>> Make the default be "insecure" when creating exports.
>
> So you want to break lots of configurations that are working perfectly
> well?
>
> I don't see any really motivation for this change. Could you provide it
> please?
Consider a pNFS Flex File deployment with 1000s of data servers. The
metadata server needs access to each data server. If it needs to be on
a secure port, then the metadata server can easily run out of room.
>
> Thanks,
> NeilBrown
>
>>
>> Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
>> ---
>> In discussion at the Bake-a-thon, we decided to just go for making
>> "insecure" the default for all exports.
>> ---
>> support/nfs/exports.c | 7 +++++--
>> utils/exportfs/exports.man | 4 ++--
>> 2 files changed, 7 insertions(+), 4 deletions(-)
>>
>> diff --git a/support/nfs/exports.c b/support/nfs/exports.c
>> index 21ec6486ba3d3945df0800972ba1dfd03bd65375..69f8ca8b5e2ed50b837ef287ca0685af3e70ed0b 100644
>> --- a/support/nfs/exports.c
>> +++ b/support/nfs/exports.c
>> @@ -34,8 +34,11 @@
>> #include "reexport.h"
>> #include "nfsd_path.h"
>>
>> -#define EXPORT_DEFAULT_FLAGS \
>> - (NFSEXP_READONLY|NFSEXP_ROOTSQUASH|NFSEXP_GATHERED_WRITES|NFSEXP_NOSUBTREECHECK)
>> +#define EXPORT_DEFAULT_FLAGS (NFSEXP_READONLY | \
>> + NFSEXP_ROOTSQUASH | \
>> + NFSEXP_GATHERED_WRITES |\
>> + NFSEXP_NOSUBTREECHECK | \
>> + NFSEXP_INSECURE_PORT)
>>
>> struct flav_info flav_map[] = {
>> { "krb5", RPC_AUTH_GSS_KRB5, 1},
>> diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
>> index 39dc30fb8290213990ca7a14b1b3971140b0d120..0b62bb3a82b0e74bc2a7eb84301c4ec97b14d003 100644
>> --- a/utils/exportfs/exports.man
>> +++ b/utils/exportfs/exports.man
>> @@ -180,8 +180,8 @@ understands the following export options:
>> .TP
>> .IR secure
>> This option requires that requests not using gss originate on an
>> -Internet port less than IPPORT_RESERVED (1024). This option is on by default.
>> -To turn it off, specify
>> +Internet port less than IPPORT_RESERVED (1024). This option is off by default
>> +but can be explicitly disabled by specifying
>> .IR insecure .
>> (NOTE: older kernels (before upstream kernel version 4.17) enforced this
>> requirement on gss requests as well.)
>>
>> ---
>> base-commit: 2cf015ea4312f37598efe9733fef3232ab67f784
>> change-id: 20250513-master-89974087bb04
>>
>> Best regards,
>> --
>> Jeff Layton <jlayton@xxxxxxxxxx>
>>
>>
>>
>
