>>>>> "Frank" == Frank van der Linden <frank@wins.uva.nl> writes:

    Frank> 	a) Decoupling the mount/unmount requests from the
    Frank> later NFS operations again, and reinstating the '-n' flag
    Frank> to the mountd? This would have the rather strange effect
    Frank> that you can configure your system to allow mounts from
    Frank> non-reserved ports, but that subsequent operations will
    Frank> fail anyway because they come from non-reserved ports.

    Frank> 	b) Adding a new option to the mountd which says
    Frank> "Always require reserved ports for mount requests,
    Frank> regardless of the usage of -noresport".

    Frank> Comments?

Decoupling mount validation from NFS validation is a Good Thing. After
all, they are different protocols. IMHO, it seems sensible to give
both the mount and NFS daemons the option to demand or ignore the use
of reserved ports. [The default should of course be to have whatever
security features - such as they are - enabled. That way someone has
to do something to turn off security checking rather than the other
way round.] While I'm here, maybe someone should be - already is? -
looking at some way of reducing the exposure and/or guessability of
filehandles...