Subject: Re: NFS and privileged ports
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-net
Date: 11/08/2004 18:45:40

On Mon, Nov 08, 2004 at 09:18:37PM -0500, Thor Lancelot Simon wrote:
> On Mon, Nov 08, 2004 at 05:31:14PM -0800, Jason Thorpe wrote:
> > Am I the only one who thinks that the privileged port requirement (that
> > can be disabled on a per-export basis with -noresvport) is just a
> > little silly in this day and age?
> >
> > I would really like to make -noresvport the default, and maybe add a
> > -resvport option for people who are under the false impression that the
> > privileged port requirement actually buys them extra security.
> >
> > Thoughts?
>
> I don't think it's silly; I rely on NFS only in environments in which I
> control the private interconnect it runs across and the kernels and
> environment on each machine that uses it.
>
> In that environment, the privileged port requirement does, in fact, buy
> me "extra" security; in fact, it buys me "any security at all"; without
> it, I cannot treat the machines as a single security domain, which is my
> intent; with it, barring a bug in the kernel, I can in fact do so, and
> do so safely.

So then perhaps the thing to do is add the -resvport option, and add
a command argument to set -noresvport as the option if not otherwise
specified?

Take care,

Bill
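
The proposal above, sketched as an added example (not part of the original message and not NetBSD's mountd or nfsd code): a per-export setting that is either unspecified, -resvport or -noresvport, resolved against a server-wide default before the source-port check. The struct, enum and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define RESV_PORT_LIMIT 1024 /* ports below this need privilege to bind */

/* Hypothetical tri-state: what the export line said, if anything. */
enum resv_opt { RESV_UNSET, RESV_REQUIRE /* -resvport */, RESV_ALLOW_ANY /* -noresvport */ };

/* Hypothetical export entry, not a NetBSD structure. */
struct export_entry { const char *path; enum resv_opt resv; };

/* An explicit per-export option always wins; otherwise the server-wide
 * default (the "command argument" in the proposal) applies. */
static bool requires_resvport(const struct export_entry *ex, bool default_require)
{
    if (ex->resv == RESV_REQUIRE) return true;
    if (ex->resv == RESV_ALLOW_ANY) return false;
    return default_require;
}

/* Accept a request only if its source port satisfies the effective policy.
 * sin_port is stored in network byte order. */
static bool request_allowed(const struct export_entry *ex, bool default_require,
                            const struct sockaddr_in *client)
{
    if (!requires_resvport(ex, default_require)) return true;
    return ntohs(client->sin_port) < RESV_PORT_LIMIT;
}

/* Constructed sample input: a client address with the given source port. */
static struct sockaddr_in client_from_port(uint16_t port)
{
    struct sockaddr_in sin = {0};
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    return sin;
}

int main(void)
{
    struct export_entry ex = { "/export/home", RESV_UNSET }; /* constructed */
    struct sockaddr_in hi = client_from_port(40000);
    printf("default=noresvport: %d\n", request_allowed(&ex, false, &hi));
    printf("default=resvport:   %d\n", request_allowed(&ex, true, &hi));
    return 0;
}
```

With this shape, changing the server-wide default affects only exports that name neither option, so an export marked -resvport keeps the check regardless of the default.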
