8:31 a.m.
That's okay with me. "secure" hasn't meant anything since the first
unix on x86 came out, and anyone could be root on their local machine.
30+ years is a long time to keep a security theater setting, so anything
that relaxes it is fine with me.
Daniel
On 06/15/2018 09:18 AM, Frank Filz wrote:
Hmm, should we make a similar change in Ganesha?
On the one hand it seems reasonable, but it may also not be a factor in our
environments.
Frank
-----Original Message-----
From: linux-nfs-owner(a)vger.kernel.org
[mailto:linux-nfs-owner@vger.kernel.org] On Behalf Of J. Bruce Fields
Sent: Thursday, June 14, 2018 6:33 AM
To: Steve Dickson <steved(a)redhat.com>
Cc: linux-nfs(a)vger.kernel.org
Subject: [PATCH] exports: document change to "insecure" export option
From: "J. Bruce Fields" <bfields(a)redhat.com>
We're changing the kernel to allow gss requests from high ports even when
"secure" is set.
If the change gets backported to distro kernels, the kernel version may be
an imperfect predictor of the behavior, but I think it's the best we can do.
Signed-off-by: J. Bruce Fields <bfields(a)redhat.com>
---
utils/exportfs/exports.man | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man index
4f95f3a2197e..e3a16f6b276a 100644
--- a/utils/exportfs/exports.man
+++ b/utils/exportfs/exports.man
@@ -131,10 +131,12 @@ this way are ro, rw, no_root_squash, root_squash, and
all_squash.
understands the following export options:
.TP
.IR secure
-This option requires that requests originate on an Internet port less -than
IPPORT_RESERVED (1024). This option is on by default. To turn it -off,
specify
+This option requires that requests not using gss originate on an
+Internet port less than IPPORT_RESERVED (1024). This option is on by
default.
+To turn it off, specify
.IR insecure .
+(NOTE: older kernels (before upstream kernel version 4.17) enforced
+this requirement on gss requests as well.)
.TP
.IR rw
Allow both read and write requests on this NFS volume. The
--
2.17.1
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the
body of a message to majordomo(a)vger.kernel.org More majordomo info at
http://vger.kernel.org/majordomo-info.html
_______________________________________________
Devel mailing list -- devel(a)lists.nfs-ganesha.org
To unsubscribe send an email to devel-leave(a)lists.nfs-ganesha.org