Default Use of Privileged Ports Changed
By erickustarz on Aug 15, 2005
Noel recently changed (putback in snv_22) the Solaris NFS client's default behavior for port selection. Previously, the client would default to using privileged ports via the variables 'clnt_cots_do_bindresvport' for TCP and 'clnt_clts_do_bindresvport' for UDP.
Why did we set the default set for privileged ports in the first place way back when? It served its purpose in the older days of insecure NFS, where servers would automatically deny client requests using a non-reserved port. Now with RPCSEC_GSS, we can move forward.
Another piece to this puzzle, is nfs_portmon. It has this comment in the code:
/\* \* If nfs_portmon is set, then clients are required to use privileged \* ports (ports < IPPORT_RESERVED) in order to get NFS services. \* \* N.B.: this attempt to carry forward the already ill-conceived notion \* of privileged ports for TCP/UDP is really quite ineffectual. Not only \* is it transport-dependent, it's laughably easy to spoof. If you're \* really interested in security, you must start with secure RPC instead. \*/ static int nfs_portmon = 0;
And can be found in nfsd(1M). Turning it on forces the server to only accept privileged ports. Since i dislike nfs_portmon so much, i'm leaving it up to the reader to figure out how to turn it on.
So Noel's fix is to have the client (by default) try using a non-privileged port, and if that fails with AUTH_TOOWEAK due to someone (unfortunately) having nfs_portmon turned, then it will retry the request using a privileged port (assuming the client has some available).
Technorati Tag: OpenSolaris
Technorati Tag: Solaris
Technorati Tag: nfs