From: Jeff Layton <jlayton@kernel.org>
To: Lionel Cons <lionelcons1972@gmail.com>, linux-nfs@vger.kernel.org
Subject: Re: [PATCH nfs-utils] exportfs: make "insecure" the default for all exports
Date: Tue, 13 May 2025 11:35:32 -0400 [thread overview]
Message-ID: <65ce8ea07b55824f198d50d9fe123c5f6218a5c9.camel@kernel.org> (raw)
In-Reply-To: <CAPJSo4W8cN6ZGuFDs4Dda6KDs29ggCrBOq4CJC5FGrXh+bYGGQ@mail.gmail.com>
On Tue, 2025-05-13 at 17:14 +0200, Lionel Cons wrote:
> On Tue, 13 May 2025 at 15:50, Jeff Layton <jlayton@kernel.org> wrote:
> >
> > Back in the 80's someone thought it was a good idea to carve out a set
> > of ports that only privileged users could use. When NFS was originally
> > conceived, Sun made its server require that clients use low ports.
> > Since Linux was following suit with Sun in those days, exportfs has
> > always defaulted to requiring connections from low ports.
> >
> > These days, anyone can be root on their laptop, so limiting connections
> > to low source ports is of little value.
> >
> > Make the default be "insecure" when creating exports.
> >
> > Signed-off-by: Jeff Layton <jlayton@kernel.org>
> > ---
> > In discussion at the Bake-a-thon, we decided to just go for making
> > "insecure" the default for all exports.
>
> This patch is one of the WORST ideas in recent times.
>
> While your assessment might be half-true for the average home office,
> sites like universities, scientific labs and enterprise networks
> consider RPC traffic being restricted to a port below 1024 as a layer
> of security.
>
> The original idea was that only trusted people have "root" access, and
> only uid=0/root can allocate TCP ports below 1024.
> That is STILL TRUE for universities and other sides, and I think most
> admins there will absolutely NOT appreciate that you disable a layer
> of security just to please script kiddles and wanna-be hackers.
>
> I am going to fight this patch, to the BITTER end, with blood and biting.
>
Get your teeth ready then.
Are your university networks segregated such that you have control over
every client? If not, then the current regime of limiting connections
to ports lower than 1024 is absolutely meaningless. As soon as you have
one unmanaged client that can access the server via socket that measure
is easily defeated. Windows machines (for instance) have no such
restriction on opening low ports, and on *nix most users can easily be
root on their own host these days.
Also, if you're that concerned about security, why are you not using
krb5? Note that using gssapi also disables the restriction to low
ports, so I assume you must be using AUTH_UNIX? That's easily spoofable
as well by an unmanaged client.
Finally, I'm not disabling anything. We're simply setting the default
to the value that _most_ users will want to use. If you feel that you
have need to keep preventing inbound connections from ports lower than
1024, you can just set "secure" on your exports and go about your day.
Cheers,
--
Jeff Layton <jlayton@kernel.org>
next prev parent reply other threads:[~2025-05-13 15:35 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-13 13:50 [PATCH nfs-utils] exportfs: make "insecure" the default for all exports Jeff Layton
2025-05-13 14:17 ` Chuck Lever
2025-05-13 15:14 ` Lionel Cons
2025-05-13 15:35 ` Jeff Layton [this message]
2025-05-13 16:11 ` Chuck Lever
2025-06-04 17:12 ` Cedric Blancher
2025-06-04 18:20 ` Chuck Lever
2025-05-14 2:16 ` NeilBrown
2025-05-14 2:28 ` NeilBrown
2025-05-14 11:17 ` Jeff Layton
2025-05-14 11:43 ` NeilBrown
2025-05-14 12:02 ` Jeff Layton
2025-05-14 21:58 ` NeilBrown
2025-05-14 12:56 ` Chuck Lever
2025-05-14 21:47 ` NeilBrown
2025-05-15 12:01 ` Chuck Lever
2025-05-15 21:44 ` NeilBrown
2025-05-16 12:09 ` Chuck Lever
2025-05-19 6:02 ` NeilBrown
2025-05-19 11:39 ` Jeff Layton
2025-05-19 14:16 ` Chuck Lever
[not found] ` <4bee9565-c2a8-4b90-be57-7d1340fa9ed7@esat.kuleuven.be>
2025-05-19 20:51 ` Chuck Lever
2025-05-20 1:44 ` Rick Macklem
2025-05-20 13:20 ` Chuck Lever
2025-05-25 17:29 ` Chuck Lever
2025-05-26 0:09 ` NeilBrown
2025-05-26 1:47 ` Rick Macklem
2025-05-26 1:52 ` Rick Macklem
2025-05-26 2:29 ` NeilBrown
2025-05-28 0:57 ` Rick Macklem
2025-05-27 13:28 ` Chuck Lever
2025-05-27 15:05 ` Chuck Lever
2025-05-27 15:58 ` Rick Macklem
2025-05-27 16:29 ` Rick Macklem
2025-05-27 16:58 ` Chuck Lever
2025-05-28 1:06 ` Rick Macklem
2025-05-27 19:18 ` Benjamin Coddington
2025-05-27 19:41 ` Chuck Lever
2025-05-27 20:25 ` Benjamin Coddington
2025-05-28 14:07 ` Chuck Lever
2025-05-28 1:24 ` NeilBrown
2025-05-28 2:48 ` Rick Macklem
2025-05-14 11:46 ` Chuck Lever
2025-05-14 12:28 ` Thomas Haynes
2025-05-14 21:49 ` NeilBrown
2025-05-14 2:38 ` NeilBrown
2025-05-14 11:20 ` Jeff Layton
2025-05-15 1:32 ` Christopher Bii
2025-05-21 9:06 ` Sebastian Feld
2025-05-21 12:25 ` Jeff Layton
2025-05-21 13:14 ` Chuck Lever
2025-05-21 13:43 ` Chuck Lever
2025-06-04 17:07 ` Cedric Blancher
2025-06-04 18:26 ` Steve Dickson
2025-06-04 18:45 ` Cedric Blancher
2025-06-04 19:17 ` Jeff Layton
2025-06-04 19:53 ` Steve Dickson
2025-06-05 16:48 ` Trond Myklebust
2025-06-05 18:09 ` Chuck Lever
2025-06-05 8:20 ` Cedric Blancher
2025-06-05 13:54 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=65ce8ea07b55824f198d50d9fe123c5f6218a5c9.camel@kernel.org \
--to=jlayton@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=lionelcons1972@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox