On Sat, Aug 23, 2014 at 06:47:38PM +0059, Jason McIntyre wrote:
> On Sat, Aug 23, 2014 at 05:30:55AM -0700, Julian Hsiao wrote:
> > In the man page for mountd(8), it states that with the "-n" option it
> > would "...not require that clients make mount requests from reserved
> > ports." However, you still can't connect from non-reserved ports
> > because nfsrv_fhtovp() rejects said connections anyway. Some work was
> > done back in 2006 to support this, but it got reverted a day later
> > because it "broke a few architectures".
deraadt@ confirmed that support for non-reserved ports should be removed.
> Index: mountd.8
> ===================================================================
> RCS file: /cvs/src/sbin/mountd/mountd.8,v
> retrieving revision 1.17
> diff -u -r1.17 mountd.8
> --- mountd.8 19 Jan 2014 10:39:00 -0000 1.17
> +++ mountd.8 23 Aug 2014 17:47:37 -0000
> @@ -38,7 +38,7 @@
> .Nd service remote NFS mount requests
> .Sh SYNOPSIS
> .Nm mountd
> -.Op Fl dn
> +.Op Fl d
> .Op Ar exportsfile
> .Sh DESCRIPTION
> .Nm
> @@ -58,14 +58,6 @@
> .Nm
> will not detach from the controlling terminal and will print
> debugging messages to stderr.
> -.It Fl n
> -Do not require that clients make mount requests from reserved ports.
> -(Normally, only mount requests from reserved ports are accepted.)
> -This option should only be specified if there are clients, such as PCs,
> -that need it.
> -The use of
> -.Fl n
> -is STRONGLY discouraged, as it opens up a wide range of security problems.
> .It Ar exportsfile
> The
> .Ar exportsfile
> @@ -111,3 +103,12 @@
> .Nm
> utility first appeared in
> .Bx 4.4 .
> +.Pp
> +The
> +.Fl n
> +flag historically allowed clients to use non-reserved ports
> +when communicating with
> +.Nm .
> +In
> +.Ox ,
> +a reserved port is always used.
OK for the man diff.
I suggest this one for mountd.c since it removes the dead code.
OK?
Index: sbin/mountd/mountd.c
===================================================================
RCS file: /cvs/src/sbin/mountd/mountd.c,v
retrieving revision 1.75
diff -u -p -d -r1.75 mountd.c
--- sbin/mountd/mountd.c 16 May 2014 17:30:28 -0000 1.75
+++ sbin/mountd/mountd.c 23 Aug 2014 18:59:12 -0000
@@ -184,7 +184,6 @@ struct xucred def_anon = {
.cr_ngroups = 0,
.cr_groups = { 0, }
};
-int resvport_only = 1;
int opt_flags;
/* Bits for above */
#define OP_MAPROOT 0x01
@@ -204,7 +203,6 @@ volatile sig_atomic_t gotterm;
* The optional arguments are the exports file name
* default: _PATH_EXPORTS
* "-d" to enable debugging
- * and "-n" to allow nonroot mount.
*/
int
main(int argc, char *argv[])
@@ -219,13 +217,11 @@ main(int argc, char *argv[])
debug = 1;
break;
case 'n':
- resvport_only = 0;
- break;
case 'r':
/* Compatibility */
break;
default:
- fprintf(stderr, "usage: mountd [-dn] [exportsfile]\n");
+ fprintf(stderr, "usage: mountd [-d] [exportsfile]\n");
exit(1);
}
argc -= optind;
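Review bot: With `resvport_only = 0; break;` gone, `case 'n':` now drops straight into `case 'r':`, and the `/* Compatibility */` comment sits under `'r'` alone, so the fallthrough reads like an accident rather than the intended "accept and ignore" behaviour. Mark it explicitly, e.g. `case 'n':` followed by `/* FALLTHROUGH */`, or reword the comment to `/* -n and -r: accepted and ignored for compatibility */` so it visibly covers both letters. The new usage string no longer lists -n, which agrees with the man page hunk, so the quiet acceptance of -n will only be evident from this code and the comment is the right place to record it. main() begins and ends outside the hunk.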
@@ -373,7 +369,7 @@ mntsrv(struct svc_req *rqstp, SVCXPRT *t
if (debug)
fprintf(stderr, "Got mount request from %s\n",
inet_ntoa(transp->xp_raddr.sin_addr));
- if (sport >= IPPORT_RESERVED && resvport_only) {
+ if (sport >= IPPORT_RESERVED) {
syslog(LOG_NOTICE,
"Refused mount RPC from host %s port %d",
inet_ntoa(transp->xp_raddr.sin_addr), sport);
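Review bot: The new `if (sport >= IPPORT_RESERVED)` test has lost the self-describing `resvport_only` name, and the same bare comparison is repeated at the RPCMNT_UMOUNT and RPCMNT_UMNTALL cases in the two following hunks, so the policy is no longer stated anywhere in the code; a one-line comment at this first occurrence, `/* Only requests from reserved ports are served; -n is no longer honoured. */`, keeps it visible to the next reader. Within the visible lines, only this path records the refusal via syslog(3) while the UMOUNT and UMNTALL paths just return after svcerr_weakauth(); that asymmetry predates the change, but since these lines are being touched, logging the refusals consistently would make rejected unmount requests from unprivileged ports show up in the same place as rejected mounts. mntsrv() begins and ends outside the hunk, and where `sport` is derived is not visible here.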
@@ -471,7 +467,7 @@ mntsrv(struct svc_req *rqstp, SVCXPRT *t
syslog(LOG_ERR, "Can't send reply");
return;
case RPCMNT_UMOUNT:
- if (sport >= IPPORT_RESERVED && resvport_only) {
+ if (sport >= IPPORT_RESERVED) {
svcerr_weakauth(transp);
return;
}
@@ -487,7 +483,7 @@ mntsrv(struct svc_req *rqstp, SVCXPRT *t
del_mlist(inet_ntoa(transp->xp_raddr.sin_addr), dirpath);
return;
case RPCMNT_UMNTALL:
- if (sport >= IPPORT_RESERVED && resvport_only) {
+ if (sport >= IPPORT_RESERVED) {
svcerr_weakauth(transp);
return;
}