Subject: Re: NFS and privileged ports
To: Jason Thorpe <>
From: Luke Mewburn <>
List: tech-net
Date: 11/09/2004 23:12:23
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Nov 08, 2004 at 05:31:14PM -0800, Jason Thorpe wrote:
  | Am I the only one who thinks that the privileged port requirement (that=
  | can be disabled on a per-export basis with -noresvport) is just a=20
  | little silly in this day and age?
  | I would really like to make -noresvport the default, and maybe add a=20
  | -resvport option for people who are under the false impression that the=
  | privileged port requirement actually buys them extra security.
  | Thoughts?

This would introduce a security regression for existing configurations;
you're proposing to reduce the default security level and require
that people rewrite their configuration to regain the security
environment they currently have on.  Even with tools like
etc/postinstall this migration is fragile and prone to failure.

What I would instead suggest is to leave the default _as is_,
and instead providing command-line options that allow you to
set -noresvport and -noresvmnt on a global basis.


Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.2.6 (NetBSD)