By Casper Dik-Oracle on Jul 07, 2015
It sounds like a lifetime ago that I added the following question to the Solaris FAQ:
7.8) How can I make the NFS server ignore unprivileged clients?
In a restricted environment, i.e., an environment where the
administrator controls root access, you can enhance NFS security
by setting the "NFS_PORTMON" variable. This variable is set in
/etc/system, like this:
* Prior to Solaris 2.5
set nfs:nfs_portmon = 1
* Solaris 2.5 and later
set nfssrv:nfs_portmon = 1
You could wonder why this was never the default. The answer is that reserved ports are a BSD Unix invention from the time when computers were large and centrally administered; the invention was later copied to all Unix-like operating systems, but outside of that world it makes little sense. As a result, many NFS clients can use any port and might not be able to restrict the ports they use.
The "nfs_portmon" variable was global; Solaris has evolved and now has multiple NFS server instances (one for each zone), and customers have also requested a per-share setting.
In Solaris 11.3 we introduce a new sharectl property:
# sharectl get -p resvport nfs
as well as a new resvport share option:
# zfs get share.nfs.sys.resvport build/casper
NAME          PROPERTY                    VALUE  SOURCE
build/casper  share.nfs.sec.sys.resvport  off    default
The sharectl property is global for the NFS server instance; if it is set to true, it overrides the per-share properties. If a system is upgraded, it will take the value from /etc/system and log a message that, in future, sharectl(1m) should be used instead.
When the sharectl property is set to false, you can set resvport for each share individually. As you can see, this is restricted to the "sys" security mode; when proper security such as Kerberos V is used, we do not verify that the NFS client uses privileged ports.
It goes without saying that actual NFS security can only be had when using a security mode other than "sys".
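The precedence between the sharectl property and the per-share option described above can be audited across many shares with a small script. This is an added example, not code from the original post or from Solaris. The input formats (sharectl get printing "resvport=<value>", and tab-separated output from zfs get -H -o name,property,value) and the dataset names other than build/casper are assumptions.

```python
# Added example: models the precedence rules described in the post.
# Input formats are assumptions: "sharectl get" printing name=value and
# "zfs get -H -o name,property,value" printing tab-separated fields.

PROP = "share.nfs.sec.sys.resvport"  # property name as shown in the post's output


def parse_sharectl(text):
    """Return True if the instance-wide resvport property is set to true."""
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "resvport":
            return value.strip().lower() == "true"
    return False  # property not reported: treat as not enforced


def parse_zfs_get(text):
    """Map dataset name -> True/False for the per-share resvport value."""
    shares = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 3 and fields[1] == PROP:
            shares[fields[0]] = fields[2].strip().lower() == "on"
    return shares


def effective_resvport(global_on, shares):
    """Apply the post's rule: a true global setting overrides every share."""
    return {name: (global_on or per_share) for name, per_share in shares.items()}


def unenforced(global_on, shares):
    """Shares whose sec=sys clients may connect from unprivileged ports."""
    eff = effective_resvport(global_on, shares)
    return sorted(name for name, on in eff.items() if not on)


# Constructed sample input (not captured from a real system).
SAMPLE_SHARECTL = "resvport=false\n"
SAMPLE_ZFS = (
    "build/casper\tshare.nfs.sec.sys.resvport\toff\n"
    "build/release\tshare.nfs.sec.sys.resvport\ton\n"
    "export/home\tshare.nfs.sec.sys.resvport\toff\n"
)

if __name__ == "__main__":
    g = parse_sharectl(SAMPLE_SHARECTL)
    for name in unenforced(g, parse_zfs_get(SAMPLE_ZFS)):
        print(f"{name}: sec=sys requests accepted from any source port")
```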