MFC: r342286
Fix the NFSv4 server to obey vfs.nfsd.nfs_privport.

When the NFSv4 server was coded, I believed that the specification authors
did not want NFSv4 servers to require a client to use a reserved port#.
However, recently it has been noted that the Linux NFSv4 server does support
a check for a reserved port#.
Since both the FreeBSD and Linux NFSv4 clients use a reserved port# by
default, enabling vfs.nfsd.nfs_privport to require a reserved port# for
NFSv4 the same as it does for NFSv2, 3 seems reasonable.
The only case where this could cause a POLA violation is a FreeBSD NFSv4
server with vfs.nfsd.nfs_privport set, but with NFSv4 clients doing mounts
without using a reserved port# (< 1024).
rmacklem authored and rmacklem committed Dec 28, 2018
1 parent fcc50d9 commit 4b90988
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions sys/fs/nfsserver/nfs_nfsdkrpc.c
Expand Up @@ -87,7 +87,7 @@ SVCPOOL *nfsrvd_pool;
static int nfs_privport = 0;
SYSCTL_INT(_vfs_nfsd, OID_AUTO, nfs_privport, CTLFLAG_RWTUN,
&nfs_privport, 0,
"Only allow clients using a privileged port for NFSv2 and 3");
"Only allow clients using a privileged port for NFSv2, 3 and 4");

static int nfs_minvers = NFS_VER2;
SYSCTL_INT(_vfs_nfsd, OID_AUTO, server_min_nfsvers, CTLFLAG_RWTUN,
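
Review bot: The description string on nfs_privport is the only place in this change where the new NFSv4 coverage is documented, and the commit touches a single file. Because the knob is CTLFLAG_RWTUN and may already be set to 1 on existing servers, NFSv4 clients that mount from a port >= 1024 will start being refused after the upgrade with no configuration change; suggest recording that in the release notes and in whatever manual page text describes vfs.nfsd.nfs_privport. It would also help to state there that a reserved source port only indicates the request came from a privileged process on the client host and is not a substitute for authenticating the client.
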
Expand Down Expand Up @@ -159,7 +159,7 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
nd.nd_mreq = NULL;
nd.nd_cred = NULL;

if (nfs_privport && (nd.nd_flag & ND_NFSV4) == 0) {
if (nfs_privport != 0) {
/* Check if source port is privileged */
u_short port;
struct sockaddr *nam = nd.nd_nam;
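
Review bot: Dropping the `(nd.nd_flag & ND_NFSV4) == 0` test from the condition means the reject path inside this block, which is not visible in the hunk, now runs for NFSv4 requests as well; please confirm that the error it returns is generated at the RPC layer and is not an NFSv2/3-specific status, so that an NFSv4 client receives a reply it can interpret. The comment `/* Check if source port is privileged */` could also say that the check now applies to every NFS version, since the version test that used to make the scope explicit is gone.
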