Author: rmacklem
Date: Fri Nov  6 16:33:42 2020
New Revision: 367423
URL: https://svnweb.freebsd.org/changeset/base/367423

Log:
  Add support for the new mountd -R option.
  
  r376026 added a new "-R" option to mountd, which tells it to
  not support the Mount protocol (not used by NFSv4) and not
  register with rpcbind.
  Rpcbind is considered a security issue by some sites now.
  
  This patch adds a new yes/no variable called nfsv4_server_only.
  When that is set, make vfs.nfsd.server_min_vers=4 and set "-R"
  for mountd.
  Setting vfs.nfsd.server_min_vers=4 tells nfsd to not register with rpcbind.
  While here, add a check for "load_kld nfsd" failing to nfsd.
  
  Reviewed by:  0mp
  MFC after:    2 weeks
  Differential Revision:        https://reviews.freebsd.org/D26938

Modified:
  head/libexec/rc/rc.conf
  head/libexec/rc/rc.d/mountd
  head/libexec/rc/rc.d/nfsd

Modified: head/libexec/rc/rc.conf
==============================================================================
--- head/libexec/rc/rc.conf     Fri Nov  6 16:12:06 2020        (r367422)
+++ head/libexec/rc/rc.conf     Fri Nov  6 16:33:42 2020        (r367423)
@@ -380,6 +380,7 @@ rpc_ypupdated_enable="NO"   # Run if NIS master and Secu
 keyserv_enable="NO"            # Run the SecureRPC keyserver (or NO).
 keyserv_flags=""               # Flags to keyserv (if enabled).
 nfsv4_server_enable="NO"       # Enable support for NFSv4
+nfsv4_server_only="NO"         # Set NFS server to NFSv4 only
 nfscbd_enable="NO"             # NFSv4 client side callback daemon
 nfscbd_flags=""                        # Flags for nfscbd
 nfsuserd_enable="NO"           # NFSv4 user/group name mapping daemon
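Review bot: The comment on the new `nfsv4_server_only` default does not say that the knob also stops rpcbind from being required and switches off the Mount protocol, which is the part an administrator hardening a server needs to know. Something like `nfsv4_server_only="NO"         # NFSv4 only: no NFSv3, no Mount protocol, no rpcbind` would make that visible in rc.conf. The mountd hunk also shows that `weak_mountd_authentication` is ignored when this is set, which could be noted next to that variable.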

Modified: head/libexec/rc/rc.d/mountd
==============================================================================
--- head/libexec/rc/rc.d/mountd Fri Nov  6 16:12:06 2020        (r367422)
+++ head/libexec/rc/rc.d/mountd Fri Nov  6 16:33:42 2020        (r367423)
@@ -20,13 +20,33 @@ extra_commands="reload"
 
 mountd_precmd()
 {
-       force_depend rpcbind || return 1
 
+       # Load the modules now, so that the vfs.nfsd sysctl
+       # oids are available.
+       load_kld nfsd || return 1
+
+       # Do not force rpcbind to be running for an NFSv4 only server.
+       #
+       if checkyesno nfsv4_server_only; then
+               echo 'NFSv4 only server'
+               sysctl vfs.nfsd.server_min_nfsvers=4 > /dev/null
+               sysctl vfs.nfsd.server_max_nfsvers=4 > /dev/null
+               rc_flags="${rc_flags} -R"
+       else
+               force_depend rpcbind || return 1
+       fi
+
        # mountd flags will differ depending on rc.conf settings
        #
-       if checkyesno nfs_server_enable ; then
+       if checkyesno nfs_server_enable || checkyesno nfsv4_server_only; then
                if checkyesno weak_mountd_authentication; then
-                       rc_flags="${mountd_flags} -n"
+                       if checkyesno nfsv4_server_only; then
+                               echo -n 'weak_mountd_authentication '
+                               echo -n 'incompatible with nfsv4_server_only, '
+                               echo 'ignored'
+                       else
+                               rc_flags="${rc_flags} -n"
+                       fi
                fi
        else
                if checkyesno mountd_enable; then
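Review bot: In the `nfsv4_server_only` branch of mountd_precmd the two `sysctl vfs.nfsd.server_*_nfsvers=4` calls are not checked, so a failed set still prints 'NFSv4 only server' and appends `-R`, while the kernel may keep accepting older NFS versions. Since the option exists to reduce exposure, the branch should fail closed, e.g. `sysctl vfs.nfsd.server_min_nfsvers=4 > /dev/null || return 1` and the same for `server_max_nfsvers`. Setting max before min may also be safer if the kernel rejects a minimum above the current maximum; that ordering constraint is inferred, not visible here. mountd_precmd continues past the end of this hunk.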

Modified: head/libexec/rc/rc.d/nfsd
==============================================================================
--- head/libexec/rc/rc.d/nfsd   Fri Nov  6 16:12:06 2020        (r367422)
+++ head/libexec/rc/rc.d/nfsd   Fri Nov  6 16:33:42 2020        (r367423)
@@ -26,7 +26,7 @@ nfsd_precmd()
 
        # Load the modules now, so that the vfs.nfsd sysctl
        # oids are available.
-       load_kld nfsd
+       load_kld nfsd || return 1
 
        if checkyesno nfs_reserved_port_only; then
                echo 'NFS on reserved port only=YES'
@@ -41,12 +41,15 @@ nfsd_precmd()
 
        if checkyesno nfsv4_server_enable; then
                sysctl vfs.nfsd.server_max_nfsvers=4 > /dev/null
-       else
+       elif ! checkyesno nfsv4_server_only; then
                echo 'NFSv4 is disabled'
                sysctl vfs.nfsd.server_max_nfsvers=3 > /dev/null
        fi
 
-       force_depend rpcbind || return 1
+       if ! checkyesno nfsv4_server_only; then
+               force_depend rpcbind || return 1
+       fi
+
        force_depend mountd || return 1
        if [ -n "${nfs_server_vhost}" ]; then
                command_args="-V \"${nfs_server_vhost}\""
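Review bot: With `nfsv4_server_only=YES` and `nfsv4_server_enable=NO`, neither branch of the `if`/`elif` in nfsd_precmd touches the version sysctls, so nfsd skips `force_depend rpcbind` on the strength of the rc variable alone and relies on mountd_precmd having already set `vfs.nfsd.server_min_nfsvers=4`. Nothing in the visible hunks lowers `server_min_nfsvers` again either, so turning the option off and restarting without a reboot appears to leave the minimum at 4 while the `elif` branch sets the maximum to 3. Consider an explicit `if checkyesno nfsv4_server_only; then` branch here that sets both sysctls with `|| return 1`, and a reset of the minimum in the other branches. nfsd_precmd starts and ends outside this hunk.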