On Wed, 14 May 2025, Thomas Haynes wrote:
>
> > On May 13, 2025, at 10:16 PM, NeilBrown <neil@xxxxxxxxxx> wrote:
> >
> > On Tue, 13 May 2025, Jeff Layton wrote:
> >> Back in the 80's someone thought it was a good idea to carve out a set
> >> of ports that only privileged users could use. When NFS was originally
> >> conceived, Sun made its server require that clients use low ports.
> >> Since Linux was following suit with Sun in those days, exportfs has
> >> always defaulted to requiring connections from low ports.
> >>
> >> These days, anyone can be root on their laptop, so limiting connections
> >> to low source ports is of little value.
> >
> > But who is going to export any filesystem to their laptop?
> >
> >>
> >> Make the default be "insecure" when creating exports.
> >
> > So you want to break lots of configurations that are working perfectly
> > well?
> >
> > I don't see any really motivation for this change. Could you provide it
> > please?
>
>
> Consider a pNFS Flex File deployment with 1000s of data servers. The
> metadata server needs access to each data server. If it needs to be on
> a secure port, then the metadata server can easily run out of room.
>
What is the cost of specifying "insecure" on each export line?
If this really is a burden, I suggest adding a "default-export-options"
or similar to /etc/nfs.conf. Then you can put
default-export-options = secure
in your /etc/nfs.conf and be happy.
Thanks,
NeilBrown
