From: Jeff Layton <jlayton@kernel.org>
To: NeilBrown <neil@brown.name>
Cc: Steve Dickson <steved@redhat.com>, Tom Haynes <loghyr@gmail.com>,
linux-nfs@vger.kernel.org
Subject: Re: [PATCH nfs-utils] exportfs: make "insecure" the default for all exports
Date: Wed, 14 May 2025 07:17:29 -0400 [thread overview]
Message-ID: <91b04852a612c651533c62f6f9fc4bd61e97be62.camel@kernel.org> (raw)
In-Reply-To: <174718970409.62796.16127055429561662161@noble.neil.brown.name>
On Wed, 2025-05-14 at 12:28 +1000, NeilBrown wrote:
> On Wed, 14 May 2025, NeilBrown wrote:
> > On Tue, 13 May 2025, Jeff Layton wrote:
> > > Back in the 80's someone thought it was a good idea to carve out a set
> > > of ports that only privileged users could use. When NFS was originally
> > > conceived, Sun made its server require that clients use low ports.
> > > Since Linux was following suit with Sun in those days, exportfs has
> > > always defaulted to requiring connections from low ports.
> > >
> > > These days, anyone can be root on their laptop, so limiting connections
> > > to low source ports is of little value.
> >
> > But who is going to export any filesystem to their laptop?
> >
> > >
The point is that most NFS servers are run on networks where the admin
may not have 100% control over every host on the network. Once you're
that situation, relying on low port values for security is basically
worthless.
> > > Make the default be "insecure" when creating exports.
> >
> > So you want to break lots of configurations that are working perfectly
> > well?
>
> Sorry - I was wrong. You aren't breaking working configurations, but
> you are removing a protection that people might be expecting. It might
> not be much protection, but it is not zero.
>
True. Anyone relying on this "protection" is fooling themselves though.
> >
> > I don't see any really motivation for this change. Could you provide it
> > please?
>
> Or to put it another way: who benefits?
>
Anyone running NFS clients behind NAT?
The main discussion came about when we were testing against a
hammerspace deployment. They were using knfsd as their DS's, and had
forgotten to add "insecure" to the export options. When the (NAT'ed)
client tried to talk to the DS's, it got back NFSERR3_PERM because of
this. It took a little while to ascertain the cause.
Note that Solaris' NFS server stopped checking source ports many years
ago. We're only doing this now because we followed suit from how they
behaved in the 90s and never changed it.
> >
> > Thanks,
> > NeilBrown
> >
> > >
> > > Signed-off-by: Jeff Layton <jlayton@kernel.org>
> > > ---
> > > In discussion at the Bake-a-thon, we decided to just go for making
> > > "insecure" the default for all exports.
> > > ---
> > > support/nfs/exports.c | 7 +++++--
> > > utils/exportfs/exports.man | 4 ++--
> > > 2 files changed, 7 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/support/nfs/exports.c b/support/nfs/exports.c
> > > index 21ec6486ba3d3945df0800972ba1dfd03bd65375..69f8ca8b5e2ed50b837ef287ca0685af3e70ed0b 100644
> > > --- a/support/nfs/exports.c
> > > +++ b/support/nfs/exports.c
> > > @@ -34,8 +34,11 @@
> > > #include "reexport.h"
> > > #include "nfsd_path.h"
> > >
> > > -#define EXPORT_DEFAULT_FLAGS \
> > > - (NFSEXP_READONLY|NFSEXP_ROOTSQUASH|NFSEXP_GATHERED_WRITES|NFSEXP_NOSUBTREECHECK)
> > > +#define EXPORT_DEFAULT_FLAGS (NFSEXP_READONLY | \
> > > + NFSEXP_ROOTSQUASH | \
> > > + NFSEXP_GATHERED_WRITES |\
> > > + NFSEXP_NOSUBTREECHECK | \
> > > + NFSEXP_INSECURE_PORT)
> > >
> > > struct flav_info flav_map[] = {
> > > { "krb5", RPC_AUTH_GSS_KRB5, 1},
> > > diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
> > > index 39dc30fb8290213990ca7a14b1b3971140b0d120..0b62bb3a82b0e74bc2a7eb84301c4ec97b14d003 100644
> > > --- a/utils/exportfs/exports.man
> > > +++ b/utils/exportfs/exports.man
> > > @@ -180,8 +180,8 @@ understands the following export options:
> > > .TP
> > > .IR secure
> > > This option requires that requests not using gss originate on an
> > > -Internet port less than IPPORT_RESERVED (1024). This option is on by default.
> > > -To turn it off, specify
> > > +Internet port less than IPPORT_RESERVED (1024). This option is off by default
> > > +but can be explicitly disabled by specifying
> > > .IR insecure .
> > > (NOTE: older kernels (before upstream kernel version 4.17) enforced this
> > > requirement on gss requests as well.)
> > >
> > > ---
> > > base-commit: 2cf015ea4312f37598efe9733fef3232ab67f784
> > > change-id: 20250513-master-89974087bb04
> > >
> > > Best regards,
> > > --
> > > Jeff Layton <jlayton@kernel.org>
> > >
> > >
> > >
> >
> >
> >
--
Jeff Layton <jlayton@kernel.org>
next prev parent reply other threads:[~2025-05-14 11:17 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-13 13:50 [PATCH nfs-utils] exportfs: make "insecure" the default for all exports Jeff Layton
2025-05-13 14:17 ` Chuck Lever
2025-05-13 15:14 ` Lionel Cons
2025-05-13 15:35 ` Jeff Layton
2025-05-13 16:11 ` Chuck Lever
2025-06-04 17:12 ` Cedric Blancher
2025-06-04 18:20 ` Chuck Lever
2025-05-14 2:16 ` NeilBrown
2025-05-14 2:28 ` NeilBrown
2025-05-14 11:17 ` Jeff Layton [this message]
2025-05-14 11:43 ` NeilBrown
2025-05-14 12:02 ` Jeff Layton
2025-05-14 21:58 ` NeilBrown
2025-05-14 12:56 ` Chuck Lever
2025-05-14 21:47 ` NeilBrown
2025-05-15 12:01 ` Chuck Lever
2025-05-15 21:44 ` NeilBrown
2025-05-16 12:09 ` Chuck Lever
2025-05-19 6:02 ` NeilBrown
2025-05-19 11:39 ` Jeff Layton
2025-05-19 14:16 ` Chuck Lever
[not found] ` <4bee9565-c2a8-4b90-be57-7d1340fa9ed7@esat.kuleuven.be>
2025-05-19 20:51 ` Chuck Lever
2025-05-20 1:44 ` Rick Macklem
2025-05-20 13:20 ` Chuck Lever
2025-05-25 17:29 ` Chuck Lever
2025-05-26 0:09 ` NeilBrown
2025-05-26 1:47 ` Rick Macklem
2025-05-26 1:52 ` Rick Macklem
2025-05-26 2:29 ` NeilBrown
2025-05-28 0:57 ` Rick Macklem
2025-05-27 13:28 ` Chuck Lever
2025-05-27 15:05 ` Chuck Lever
2025-05-27 15:58 ` Rick Macklem
2025-05-27 16:29 ` Rick Macklem
2025-05-27 16:58 ` Chuck Lever
2025-05-28 1:06 ` Rick Macklem
2025-05-27 19:18 ` Benjamin Coddington
2025-05-27 19:41 ` Chuck Lever
2025-05-27 20:25 ` Benjamin Coddington
2025-05-28 14:07 ` Chuck Lever
2025-05-28 1:24 ` NeilBrown
2025-05-28 2:48 ` Rick Macklem
2025-05-14 11:46 ` Chuck Lever
2025-05-14 12:28 ` Thomas Haynes
2025-05-14 21:49 ` NeilBrown
2025-05-14 2:38 ` NeilBrown
2025-05-14 11:20 ` Jeff Layton
2025-05-15 1:32 ` Christopher Bii
2025-05-21 9:06 ` Sebastian Feld
2025-05-21 12:25 ` Jeff Layton
2025-05-21 13:14 ` Chuck Lever
2025-05-21 13:43 ` Chuck Lever
2025-06-04 17:07 ` Cedric Blancher
2025-06-04 18:26 ` Steve Dickson
2025-06-04 18:45 ` Cedric Blancher
2025-06-04 19:17 ` Jeff Layton
2025-06-04 19:53 ` Steve Dickson
2025-06-05 16:48 ` Trond Myklebust
2025-06-05 18:09 ` Chuck Lever
2025-06-05 8:20 ` Cedric Blancher
2025-06-05 13:54 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=91b04852a612c651533c62f6f9fc4bd61e97be62.camel@kernel.org \
--to=jlayton@kernel.org \
--cc=linux-nfs@vger.kernel.org \
--cc=loghyr@gmail.com \
--cc=neil@brown.name \
--cc=steved@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox