Hello everyone,

I'd like to make a suggestion regarding NFS in OpenBSD; let me apologize in
advance if this isn't the right place to make this suggestion.

Currently (at least on 5.8, I haven't upgraded yet), the nfs daemon refuses to
accept a mount request if it comes from a non-privileged port (>=
IPPORT_RESERVED). As I understand, this was once a 'security feature' in the
time of mainframes, when access to computers was restricted. In any case, I
believe this behaviour should be changed as it does not provide security, and
also leads to problems: for example, it means one has to use the markedly
slower SMB protocol when using an OpenBSD server as a remote mount on a FireTV
stick (my use case).

I therefore propose to remove this source port check from the nfs code, or
alternatively, to add an option to export nfs volumes without this check. The
first thing can e.g. be accomplished by modifying the OpenBSD source in two
places, as follows (patches for 5.8):

patch /usr/src/sbin/mountd/mountd.c < mountd.patch
patch /usr/src/sys/nfs/nfs_subs.c < nfs_subs.patch

where

### start of mountd.patch ###
369c369
<               if (sport >= IPPORT_RESERVED) {
---
>               if (0 == 1) { // don't fail when sport >= IPPORT_RESERVED
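Review bot: the replacement condition 'if (0 == 1)' at line 369 keeps the body of the rejection branch in the file as unreachable code. If the check is to be removed, delete the whole 'if' block instead of making it constant-false; if it is to be optional, test a flag at this point, which is the alternative the mail itself proposes. The '//' comment then becomes unnecessary.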
467c467
<               if (sport >= IPPORT_RESERVED) {
---
>               if (0 == 1) { //don't fail when sport >= IPPORT_RESERVED
483c483
<               if (sport >= IPPORT_RESERVED) {
---
>               if (0 == 1) { //don't fail when sport >= IPPORT_RESERVED
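Review bot: the hunks at 467 and 483 repeat the 369 edit verbatim, so the same 'sport >= IPPORT_RESERVED' test sits at three places in mountd.c and each now carries its own constant-false copy. One helper taking sport (and, for the optional variant, the export's flags) would keep the three sites from drifting apart. These are also normal diffs without context, so a reader cannot see which functions are affected; 'diff -u' against the 5.8 file would show that.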
### end of mountd.patch ###


### start of nfs_subs.patch ###
1455c1455
<           (ntohs(saddr->sin_port) >= IPPORT_RESERVED ||
---
>           (0 == 1 || // don't fail when sport >= IPPORT_RESERVED
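Review bot: at nfs_subs.c line 1455 the replaced term is the first operand of an '||' chain whose remaining operands are on lines the diff does not show, so '0 == 1 ||' drops only the port comparison and leaves the rest of that condition in force; the mail should say what the rest tests. The edit also disables the kernel-side check for every export unconditionally. Since mountd.c and nfs_subs.c each carry their own copy of the check, a per-export option would have to reach both places.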
### end of nfs_subs.patch ###


Best,
Nicolas Schmidt
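
As an added example (not part of the original mail and not OpenBSD code), the alternative mentioned above, an option to export a volume without the source-port check, could be shaped like this in C. EXP_ALLOW_UNPRIV, struct export, port_check() and peer() are hypothetical names, and the export paths and ports are constructed sample values.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define EXP_ALLOW_UNPRIV 0x01          /* hypothetical per-export flag */

struct export {                        /* hypothetical export entry */
    const char *path;
    int flags;
};

/* Returns 1 if a request from saddr may use this export, 0 if refused. */
int port_check(const struct export *ex, const struct sockaddr_in *saddr)
{
    int sport = ntohs(saddr->sin_port);    /* sin_port is in network byte order */

    if (sport < IPPORT_RESERVED)           /* privileged source port: always accepted */
        return 1;
    /* unprivileged source port: accepted only where the export opts in */
    return (ex->flags & EXP_ALLOW_UNPRIV) != 0;
}

/* Builds a constructed peer address with the given source port. */
struct sockaddr_in peer(unsigned short port)
{
    struct sockaddr_in sa;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    return sa;
}

int main(void)
{
    struct export exports[] = {            /* constructed sample exports */
        { "/export/home", 0 },
        { "/export/media", EXP_ALLOW_UNPRIV },
    };
    unsigned short ports[] = { 1023, 1024, 49152 };   /* boundary and high port */

    for (size_t e = 0; e < 2; e++)
        for (size_t p = 0; p < 3; p++) {
            struct sockaddr_in sa = peer(ports[p]);
            printf("%-14s sport=%-5u %s\n", exports[e].path, (unsigned)ports[p],
                port_check(&exports[e], &sa) ? "accept" : "refuse");
        }
    return 0;
}
```

With a flag like this the default stays as it is today, and only exports that opt in accept requests from ports >= IPPORT_RESERVED.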
