Re: regarding support of NFS versions (Re: Changing NGROUPS_MAX to 1024?)

To: od2uvb%0w.se@localhost, tech-kern%netbsd.org@localhost
Subject: Re: regarding support of NFS versions (Re: Changing NGROUPS_MAX to 1024?)
From: Matthias Petermann <mp%petermann-it.de@localhost>
Date: Mon, 20 Apr 2026 08:55:38 +0200

Hello,

On 4/20/26 08:41, od2uvb%0w.se@localhost wrote:

To allow a compromise of a single unit attached to a "protected network"
to make most of the data accessible? It makes sense, when the value of
the data is so low that no attacker would ever care, or when the network
is really small and under total control.
This excludes any large/heterogeneous installation with nontrivial data.

(yes, adding Kerberos to NFSv3 would improve this, but would leave its

other limitations in place)

Hi,

I’m currently running a bit of NFS again on NetBSD for simple privateuse cases in my now Windows-free home network. The setup is fairlytypical: a NetBSD server exporting via NFSv3, with a few Linux clients.

The security concerns you mentioned apply quite directly here. Even in a“trusted” LAN, the implicit trust model of NFSv3 feels increasingly outof place, especially once the network is no longer trivial in size orcomposition.

What I’m currently considering is to move the trust boundary away fromthe LAN itself and instead enforce it via a WireGuard overlay.Concretely, all clients (even those on the local network) would accessthe NFS server exclusively through WireGuard.


This would allow me to:

- assign stable, server-controlled IP addresses to each client withinthe WireGuard network- restrict exports based on those addresses, effectively tighteninghost-level access control

- differentiate read/write permissions per client in a more controlled way
- avoid relying on the ambient trust of the LAN

It’s still a fairly simple model, but it at least contains the blastradius: a compromised LAN node would not automatically gain NFS accessunless it also holds valid WireGuard credentials.

I haven’t pushed the idea much further yet, but at the moment it seemslike a reasonable compromise between keeping NFSv3 for its simplicityand mitigating its weakest security properties without introducingsignificantly more complex infrastructure.


Curious if others have taken a similar approach or see obvious pitfalls.

Best regards
Matthias

--
Für alle, die digitale Systeme verstehen und gestalten wollen:
jede Woche neue Beiträge zu Architektur, Souveränität und Systemdesign.
👉 https://www.petermann-digital.de/blog

References:
- Re: Changing NGROUPS_MAX to 1024?
  - From: Konrad Schroder
- Re: Changing NGROUPS_MAX to 1024?
  - From: Taylor R Campbell
- Re: Changing NGROUPS_MAX to 1024?
  - From: Michael van Elst
- Re: Changing NGROUPS_MAX to 1024?
  - From: Brett Lymn
- Re: Changing NGROUPS_MAX to 1024?
  - From: Edgar Fuß
- Re: Changing NGROUPS_MAX to 1024?
  - From: Jason Thorpe
- Re: Changing NGROUPS_MAX to 1024?
  - From: od2uvb
- Re: Changing NGROUPS_MAX to 1024?
  - From: Mouse
- Re: Changing NGROUPS_MAX to 1024?
  - From: od2uvb
- Re: Changing NGROUPS_MAX to 1024?
  - From: Mouse
- regarding support of NFS versions (Re: Changing NGROUPS_MAX to 1024?)
  - From: od2uvb

Prev by Date: Re: tprof(8) ABI
Next by Date: [PATCH] Add posix_spawn_file_actions_addclosefrom_np
Previous by Thread: regarding support of NFS versions (Re: Changing NGROUPS_MAX to 1024?)
Next by Thread: tprof(8) ABI
Indexes:

Home | Main Index | Thread Index | Old Index