On 5/21/25 9:14 AM, Chuck Lever wrote:
> On 5/21/25 5:06 AM, Sebastian Feld wrote:
>> On Tue, May 13, 2025 at 3:50 PM Jeff Layton <jlayton@xxxxxxxxxx> wrote:
>>>
>>> Back in the 80's someone thought it was a good idea to carve out a set
>>> of ports that only privileged users could use. When NFS was originally
>>> conceived, Sun made its server require that clients use low ports.
>>> Since Linux was following suit with Sun in those days, exportfs has
>>> always defaulted to requiring connections from low ports.
>>>
>>> These days, anyone can be root on their laptop, so limiting connections
>>> to low source ports is of little value.
>>>
>>> Make the default be "insecure" when creating exports.
>>
>> I made a poll webpage for our sysadmins about what they think about this change.
>
> Who are "our sysadmins" and what did you do to compensate for various
> cognitive biases?
>
>
>> Out of 26 people allowed to vote 24 voted "BAD idea, keep the secure
>> option the default", and two didn't vote.
>>
>> So this is a change which is virtually 100% hated by the people
>> primarily affected by such a change.
>
> I'm interested in understanding why changing the default behavior is a
> problem. Is explicitly adding the "secure" export option on the exports
> where it matters a heavy lift? If so, why?

To be clear: asking around is a sensible thing to do. However I'd like
to see more nuanced feedback than "BAD idea".

--
Chuck Lever