    NFS: add "[no]resvport" mount option · d740351b
    Chuck Lever authored
    The standard default security setting for NFS is AUTH_SYS.  An NFS
    client connects to NFS servers via a privileged source port and a
    fixed standard destination port (2049).  The client sends raw uid and
    gid numbers to identify users making NFS requests, and the server
    assumes an appropriate authority on the client has vetted these
    values because the source port is privileged.
    
    On Linux, by default in-kernel RPC services use a privileged port in
    the range between 650 and 1023 to avoid using source ports of well-
    known IP services.  Using such a small range limits the number of NFS
    mount points and the number of unique NFS servers to which a client
    can connect concurrently.
    
    An NFS client can use unprivileged source ports to expand the range of
    source port numbers, allowing more concurrent server connections and
    more NFS mount points.  Servers must explicitly allow NFS connections
    from unprivileged ports for this to work.
    
    In the past, bumping the value of the sunrpc.max_resvport sysctl on
    the client would permit the NFS client to use unprivileged ports.
    Bumping this setting also changes the maximum port number used by
    other in-kernel RPC services, some of which still required a port
    number less than 1023.
    
    This is exacerbated by the way source port numbers are chosen by the
    Linux RPC client, which starts at the top of the range and works
    downwards.  It means that bumping the maximum means all RPC services
    requesting a source port will likely get an unprivileged port instead
    of a privileged one.
    
    Changing this setting affects all NFS mount points on a client.  A
    sysadmin could not selectively choose which mount points would use
    non-privileged ports and which could not.
    
    Lastly, this mechanism of expanding the limit on the number of NFS
    mount points was entirely undocumented.
    
    To address the need for the NFS client to use a large range of source
    ports without interfering with the activity of other in-kernel RPC
    services, we introduce a new NFS mount option.  This option explicitly
    tells only the NFS client to use a non-privileged source port when
    communicating with the NFS server for one specific mount point.
    
    This new mount option is called "resvport," like the similar NFS mount
    option on FreeBSD and Mac OS X.  A sister patch for nfs-utils will be
    submitted that documents this new option in nfs(5).
    
    The default setting for this new mount option requires the NFS client
    to use a privileged port, as before.  Explicitly specifying the
    "noresvport" mount option allows the NFS client to use an unprivileged
    source port for this mount point when connecting to the NFS server
    port.
    
    This mount option is supported only for text-based NFS mounts.
    
    [ Sidebar: it is widely known that security mechanisms based on the
      use of privileged source ports are ineffective.  However, the NFS
      client can combine the use of unprivileged ports with the use of
      secure authentication mechanisms, such as Kerberos.  This allows a
      large number of connections and mount points while ensuring a useful
      level of security.
    
      Eventually we may change the default setting for this option
      depending on the security flavor used for the mount.  For example,
      if the mount is using only AUTH_SYS, then the default setting will
      be "resvport;" if the mount is using a strong security flavor such
      as krb5, the default setting will be "noresvport." ]
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    [Trond.Myklebust@netapp.com: Fixed a bug whereby nfs4_init_client()
    was being called with incorrect arguments.]
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
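
Added example (not part of this commit or of the kernel tree): a Python check that reads /proc/mounts-format text and lists NFS mounts that specify noresvport without a Kerberos flavor, the pairing the sidebar's proposed defaults would avoid. The sample lines are constructed, and the function names and the treatment of a missing sec= as AUTH_SYS are assumptions.

```python
# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS = """\
srv1:/export /mnt/a nfs rw,vers=3,proto=tcp,sec=sys,addr=192.0.2.10 0 0
srv2:/export /mnt/b nfs rw,vers=3,proto=tcp,noresvport,sec=sys,addr=192.0.2.11 0 0
srv3:/export /mnt/c nfs4 rw,vers=4.1,proto=tcp,noresvport,sec=krb5p,addr=192.0.2.12 0 0
srv4:/export /mnt/d nfs rw,vers=3,proto=tcp,noresvport,addr=192.0.2.13 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""

STRONG_FLAVORS = {"krb5", "krb5i", "krb5p"}
RESV_MIN, RESV_MAX = 650, 1023  # privileged range quoted in the commit message


def parse_nfs_mounts(text):
    """Yield (mountpoint, uses_resvport, sec_flavor) for each NFS mount."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue
        opts = fields[3].split(",")
        # Last sec= wins; a missing sec= is treated as AUTH_SYS (assumption).
        sec = "sys"
        for opt in opts:
            if opt.startswith("sec="):
                sec = opt[4:]
        # resvport is the default; only an explicit noresvport turns it off.
        yield fields[1], "noresvport" not in opts, sec


def audit(text):
    """Return mounts that use noresvport without a Kerberos flavor, plus
    how many mounts still request a source port in the privileged range."""
    weak, resv_users = [], 0
    for mountpoint, resvport, sec in parse_nfs_mounts(text):
        if resvport:
            resv_users += 1
        elif sec not in STRONG_FLAVORS:
            weak.append((mountpoint, sec))
    range_size = RESV_MAX - RESV_MIN + 1
    return {"weak": weak, "resvport_mounts": resv_users, "resv_range_size": range_size}


if __name__ == "__main__":
    report = audit(SAMPLE_MOUNTS)
    for mountpoint, sec in report["weak"]:
        print(f"{mountpoint}: noresvport with sec={sec}")
    print(f"{report['resvport_mounts']} mount(s) request a port in "
          f"{RESV_MIN}-{RESV_MAX} (range size {report['resv_range_size']})")
```

On a live client, pass the contents of /proc/mounts to `audit()` in place of the sample.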
client.c 38.3 KB