On Mon, Nov 08, 2004 at 05:31:14PM -0800, Jason Thorpe wrote:
> Am I the only one who thinks that the privileged port requirement (that 
> can be disabled on a per-export basis with -noresvport) is just a 
> little silly in this day and age?
> 
> I would really like to make -noresvport the default, and maybe add a 
> -resvport option for people who are under the false impression that the 
> privileged port requirement actually buys them extra security.
> 
> Thoughts?

I don't think it's silly; I rely on NFS only in environments in which I
control the private interconnect it runs across and the kernels and
environment on each machine that uses it.

In that environment, the privileged port requirement does, in fact, buy
me "extra" security; in fact, it buys me "any security at all"; without
it, I cannot treat the machines as a single security domain, which is my
intent; with it, barring a bug in the kernel, I can in fact do so, and
do so safely.

Thor