Linux NFS development
* use of non-privileged ports for MNT and NLM
@ 2008-08-19 21:14 Chuck Lever
  2008-08-19 21:22 ` J. Bruce Fields
  2008-08-19 23:44 ` Trond Myklebust
  0 siblings, 2 replies; 3+ messages in thread
From: Chuck Lever @ 2008-08-19 21:14 UTC (permalink / raw)
  To: Trond Myklebust, Bruce Fields, Steve Dickson; +Cc: Linux NFS Mailing List

Working on "resvport" mount option.  Question occurred to me:

If I specify "noresvport" on a mount, can the client also use a
non-privileged port for the initial MNT request, and can it use it for the
NLM connection as well?

Question applies not just to Linux servers, but servers in general.   
Brief searching on teh internets does not reveal a quick answer.  I  
think rpc.mountd will allow a non-privileged port for "insecure"  
exports.

I think the answer is "yes, non-privileged ports can be used for MNT  
and NLM if the server explicitly allows it" but I thought I would open  
this up to the list.

-- 
Chuck Lever
chuck[dot]lever[at]oracle[dot]com


* Re: use of non-privileged ports for MNT and NLM
  2008-08-19 21:14 use of non-privileged ports for MNT and NLM Chuck Lever
@ 2008-08-19 21:22 ` J. Bruce Fields
  2008-08-19 23:44 ` Trond Myklebust
  1 sibling, 0 replies; 3+ messages in thread
From: J. Bruce Fields @ 2008-08-19 21:22 UTC (permalink / raw)
  To: Chuck Lever; +Cc: Trond Myklebust, Steve Dickson, Linux NFS Mailing List

On Tue, Aug 19, 2008 at 05:14:54PM -0400, Chuck Lever wrote:
> Working on "resvport" mount option.  Question occurred to me:
>
> If I specify "noresvport" on a mount, can the client also use a
> non-privileged port for the initial MNT request, and can it use it for the
> NLM connection as well?
>
> Question applies not just to Linux servers, but servers in general.   
> Brief searching on teh internets does not reveal a quick answer.  I  
> think rpc.mountd will allow a non-privileged port for "insecure"  
> exports.

From nfs-utils/utils/mountd/auth.c:auth_authenticate_internal():

	if (!(exp->m_export.e_flags & NFSEXP_INSECURE_PORT) &&
	    (ntohs(caller->sin_port) <  IPPORT_RESERVED/2 ||
	     ntohs(caller->sin_port) >= IPPORT_RESERVED)) {
		*error = illegal_port;
		return NULL;
	}

So assuming that function does what its name suggests, I think you're
right.

> I think the answer is "yes, non-privileged ports can be used for MNT and 
> NLM if the server explicitly allows it" but I thought I would open this 
> up to the list.

That's what I would have guessed.

And if the goal is to keep the number of reserved ports from being a
limit, it would be disappointing to eliminate only the ports used for
nfs itself.

--b.


* Re: use of non-privileged ports for MNT and NLM
  2008-08-19 21:14 use of non-privileged ports for MNT and NLM Chuck Lever
  2008-08-19 21:22 ` J. Bruce Fields
@ 2008-08-19 23:44 ` Trond Myklebust
  1 sibling, 0 replies; 3+ messages in thread
From: Trond Myklebust @ 2008-08-19 23:44 UTC (permalink / raw)
  To: Chuck Lever; +Cc: Bruce Fields, Steve Dickson, Linux NFS Mailing List

On Tue, 2008-08-19 at 17:14 -0400, Chuck Lever wrote:
> Working on "resvport" mount option.  Question occurred to me:
> 
> If I specify "noresvport" on a mount, can the client also use a
> non-privileged port for the initial MNT request, and can it use it for the
> NLM connection as well?
> 
> Question applies not just to Linux servers, but servers in general.   
> Brief searching on teh internets does not reveal a quick answer.  I  
> think rpc.mountd will allow a non-privileged port for "insecure"  
> exports.
> 
> I think the answer is "yes, non-privileged ports can be used for MNT  
> and NLM if the server explicitly allows it" but I thought I would open  
> this up to the list.

How about a default that tries to connect using an insecure port first,
then falls back to a secure port if the attempt fails?

Cheers
  Trond

-- 
Trond Myklebust
Linux NFS client maintainer

NetApp
Trond.Myklebust@netapp.com
www.netapp.com
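
Added example, not part of the thread and not nfs-utils or kernel code: an in-process model of the port test quoted from auth_authenticate_internal() together with the "non-privileged first, then reserved" default suggested above. The names EX_INSECURE_PORT, port_allowed and pick_source_port are hypothetical, the ports are constructed samples, and no network traffic is sent. Note that with IPPORT_RESERVED equal to 1024 the quoted test accepts only source ports 512 through 1023 on an export without the insecure flag, so ports below 512 are refused as well.

```c
#include <netinet/in.h>   /* IPPORT_RESERVED (1024), struct sockaddr_in */
#include <arpa/inet.h>    /* htons, ntohs */
#include <stdio.h>

#define EX_INSECURE_PORT 0x1   /* hypothetical stand-in for NFSEXP_INSECURE_PORT */

/* Same port test as the quoted mountd check: 1 = accepted, 0 = illegal_port. */
static int port_allowed(unsigned int export_flags, const struct sockaddr_in *caller)
{
	unsigned int port = ntohs(caller->sin_port);

	if (!(export_flags & EX_INSECURE_PORT) &&
	    (port < IPPORT_RESERVED / 2 || port >= IPPORT_RESERVED))
		return 0;
	return 1;
}

/* Model of the proposed client default: try a non-privileged source port
 * first and retry from a reserved one only if the server refuses.
 * Returns the source port that was accepted, or 0 if both were refused. */
static unsigned int pick_source_port(unsigned int export_flags,
				     unsigned int nonpriv, unsigned int resv)
{
	unsigned int tries[2] = { nonpriv, resv };
	struct sockaddr_in caller = { .sin_family = AF_INET };

	for (int i = 0; i < 2; i++) {
		caller.sin_port = htons(tries[i]);
		if (port_allowed(export_flags, &caller))
			return tries[i];
	}
	return 0;
}

int main(void)
{
	/* Constructed sample ports around the boundaries of the check. */
	unsigned int ports[] = { 111, 511, 512, 1023, 1024, 40000 };

	for (size_t i = 0; i < sizeof(ports) / sizeof(ports[0]); i++) {
		struct sockaddr_in c = { .sin_family = AF_INET, .sin_port = htons(ports[i]) };
		printf("%5u secure=%d insecure=%d\n", ports[i],
		       port_allowed(0, &c), port_allowed(EX_INSECURE_PORT, &c));
	}
	printf("fallback: secure export -> %u, insecure export -> %u\n",
	       pick_source_port(0, 40000, 1000),
	       pick_source_port(EX_INSECURE_PORT, 40000, 1000));
	return 0;
}
```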
