From: Chuck Lever <chuck.lever@oracle.com>
To: Jeff Layton <jlayton@kernel.org>, Steve Dickson <steved@redhat.com>
Cc: Tom Haynes <loghyr@gmail.com>, linux-nfs@vger.kernel.org
Subject: Re: [PATCH nfs-utils] exportfs: make "insecure" the default for all exports
Date: Tue, 13 May 2025 10:17:46 -0400 [thread overview]
Message-ID: <2afad899-e2d1-4f9f-9476-36f3dfee8ada@oracle.com> (raw)
In-Reply-To: <20250513-master-v1-1-e845fe412715@kernel.org>
On 5/13/25 9:50 AM, Jeff Layton wrote:
> Back in the 80's someone thought it was a good idea to carve out a set
> of ports that only privileged users could use. When NFS was originally
> conceived, Sun made its server require that clients use low ports.
> Since Linux was following suit with Sun in those days, exportfs has
> always defaulted to requiring connections from low ports.
>
> These days, anyone can be root on their laptop, so limiting connections
> to low source ports is of little value.
>
> Make the default be "insecure" when creating exports.
>
> Signed-off-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
> ---
> In discussion at the Bake-a-thon, we decided to just go for making
> "insecure" the default for all exports.
> ---
> support/nfs/exports.c | 7 +++++--
> utils/exportfs/exports.man | 4 ++--
> 2 files changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/support/nfs/exports.c b/support/nfs/exports.c
> index 21ec6486ba3d3945df0800972ba1dfd03bd65375..69f8ca8b5e2ed50b837ef287ca0685af3e70ed0b 100644
> --- a/support/nfs/exports.c
> +++ b/support/nfs/exports.c
> @@ -34,8 +34,11 @@
> #include "reexport.h"
> #include "nfsd_path.h"
>
> -#define EXPORT_DEFAULT_FLAGS \
> - (NFSEXP_READONLY|NFSEXP_ROOTSQUASH|NFSEXP_GATHERED_WRITES|NFSEXP_NOSUBTREECHECK)
> +#define EXPORT_DEFAULT_FLAGS (NFSEXP_READONLY | \
> + NFSEXP_ROOTSQUASH | \
> + NFSEXP_GATHERED_WRITES |\
> + NFSEXP_NOSUBTREECHECK | \
> + NFSEXP_INSECURE_PORT)
>
> struct flav_info flav_map[] = {
> { "krb5", RPC_AUTH_GSS_KRB5, 1},
> diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
> index 39dc30fb8290213990ca7a14b1b3971140b0d120..0b62bb3a82b0e74bc2a7eb84301c4ec97b14d003 100644
> --- a/utils/exportfs/exports.man
> +++ b/utils/exportfs/exports.man
> @@ -180,8 +180,8 @@ understands the following export options:
> .TP
> .IR secure
> This option requires that requests not using gss originate on an
> -Internet port less than IPPORT_RESERVED (1024). This option is on by default.
> -To turn it off, specify
> +Internet port less than IPPORT_RESERVED (1024). This option is off by default
> +but can be explicitly disabled by specifying
> .IR insecure .
> (NOTE: older kernels (before upstream kernel version 4.17) enforced this
> requirement on gss requests as well.)
>
> ---
> base-commit: 2cf015ea4312f37598efe9733fef3232ab67f784
> change-id: 20250513-master-89974087bb04
>
> Best regards,
--
Chuck Lever
next prev parent reply other threads:[~2025-05-13 14:17 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-13 13:50 [PATCH nfs-utils] exportfs: make "insecure" the default for all exports Jeff Layton
2025-05-13 14:17 ` Chuck Lever [this message]
2025-05-13 15:14 ` Lionel Cons
2025-05-13 15:35 ` Jeff Layton
2025-05-13 16:11 ` Chuck Lever
2025-06-04 17:12 ` Cedric Blancher
2025-06-04 18:20 ` Chuck Lever
2025-05-14 2:16 ` NeilBrown
2025-05-14 2:28 ` NeilBrown
2025-05-14 11:17 ` Jeff Layton
2025-05-14 11:43 ` NeilBrown
2025-05-14 12:02 ` Jeff Layton
2025-05-14 21:58 ` NeilBrown
2025-05-14 12:56 ` Chuck Lever
2025-05-14 21:47 ` NeilBrown
2025-05-15 12:01 ` Chuck Lever
2025-05-15 21:44 ` NeilBrown
2025-05-16 12:09 ` Chuck Lever
2025-05-19 6:02 ` NeilBrown
2025-05-19 11:39 ` Jeff Layton
2025-05-19 14:16 ` Chuck Lever
[not found] ` <4bee9565-c2a8-4b90-be57-7d1340fa9ed7@esat.kuleuven.be>
2025-05-19 20:51 ` Chuck Lever
2025-05-20 1:44 ` Rick Macklem
2025-05-20 13:20 ` Chuck Lever
2025-05-25 17:29 ` Chuck Lever
2025-05-26 0:09 ` NeilBrown
2025-05-26 1:47 ` Rick Macklem
2025-05-26 1:52 ` Rick Macklem
2025-05-26 2:29 ` NeilBrown
2025-05-28 0:57 ` Rick Macklem
2025-05-27 13:28 ` Chuck Lever
2025-05-27 15:05 ` Chuck Lever
2025-05-27 15:58 ` Rick Macklem
2025-05-27 16:29 ` Rick Macklem
2025-05-27 16:58 ` Chuck Lever
2025-05-28 1:06 ` Rick Macklem
2025-05-27 19:18 ` Benjamin Coddington
2025-05-27 19:41 ` Chuck Lever
2025-05-27 20:25 ` Benjamin Coddington
2025-05-28 14:07 ` Chuck Lever
2025-05-28 1:24 ` NeilBrown
2025-05-28 2:48 ` Rick Macklem
2025-05-14 11:46 ` Chuck Lever
2025-05-14 12:28 ` Thomas Haynes
2025-05-14 21:49 ` NeilBrown
2025-05-14 2:38 ` NeilBrown
2025-05-14 11:20 ` Jeff Layton
2025-05-15 1:32 ` Christopher Bii
2025-05-21 9:06 ` Sebastian Feld
2025-05-21 12:25 ` Jeff Layton
2025-05-21 13:14 ` Chuck Lever
2025-05-21 13:43 ` Chuck Lever
2025-06-04 17:07 ` Cedric Blancher
2025-06-04 18:26 ` Steve Dickson
2025-06-04 18:45 ` Cedric Blancher
2025-06-04 19:17 ` Jeff Layton
2025-06-04 19:53 ` Steve Dickson
2025-06-05 16:48 ` Trond Myklebust
2025-06-05 18:09 ` Chuck Lever
2025-06-05 8:20 ` Cedric Blancher
2025-06-05 13:54 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2afad899-e2d1-4f9f-9476-36f3dfee8ada@oracle.com \
--to=chuck.lever@oracle.com \
--cc=jlayton@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=loghyr@gmail.com \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox