aha/fs
Chuck Lever d740351bf0 NFS: add "[no]resvport" mount option
The standard default security setting for NFS is AUTH_SYS.  An NFS
client connects to NFS servers via a privileged source port and a
fixed standard destination port (2049).  The client sends raw uid and
gid numbers to identify users making NFS requests, and the server
assumes an appropriate authority on the client has vetted these
values because the source port is privileged.

On Linux, by default in-kernel RPC services use a privileged port in
the range between 650 and 1023 to avoid using source ports of well-
known IP services.  Using such a small range limits the number of NFS
mount points and the number of unique NFS servers to which a client
can connect concurrently.

An NFS client can use unprivileged source ports to expand the range of
source port numbers, allowing more concurrent server connections and
more NFS mount points.  Servers must explicitly allow NFS connections
from unprivileged ports for this to work.

In the past, bumping the value of the sunrpc.max_resvport sysctl on
the client would permit the NFS client to use unprivileged ports.
Bumping this setting also changes the maximum port number used by
other in-kernel RPC services, some of which still required a port
number less than 1023.

This is exacerbated by the way source port numbers are chosen by the
Linux RPC client, which starts at the top of the range and works
downwards.  It means that bumping the maximum means all RPC services
requesting a source port will likely get an unprivileged port instead
of a privileged one.

Changing this setting effects all NFS mount points on a client.  A
sysadmin could not selectively choose which mount points would use
non-privileged ports and which could not.

Lastly, this mechanism of expanding the limit on the number of NFS
mount points was entirely undocumented.

To address the need for the NFS client to use a large range of source
ports without interfering with the activity of other in-kernel RPC
services, we introduce a new NFS mount option.  This option explicitly
tells only the NFS client to use a non-privileged source port when
communicating with the NFS server for one specific mount point.

This new mount option is called "resvport," like the similar NFS mount
option on FreeBSD and Mac OS X.  A sister patch for nfs-utils will be
submitted that documents this new option in nfs(5).

The default setting for this new mount option requires the NFS client
to use a privileged port, as before.  Explicitly specifying the
"noresvport" mount option allows the NFS client to use an unprivileged
source port for this mount point when connecting to the NFS server
port.

This mount option is supported only for text-based NFS mounts.

[ Sidebar: it is widely known that security mechanisms based on the
  use of privileged source ports are ineffective.  However, the NFS
  client can combine the use of unprivileged ports with the use of
  secure authentication mechanisms, such as Kerberos.  This allows a
  large number of connections and mount points while ensuring a useful
  level of security.

  Eventually we may change the default setting for this option
  depending on the security flavor used for the mount.  For example,
  if the mount is using only AUTH_SYS, then the default setting will
  be "resvport;" if the mount is using a strong security flavor such
  as krb5, the default setting will be "noresvport." ]

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
[Trond.Myklebust@netapp.com: Fixed a bug whereby nfs4_init_client()
was being called with incorrect arguments.]
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
2008-12-23 15:21:37 -05:00
..
9p fs/9p: change simple_strtol to simple_strtoul 2008-12-19 16:50:22 -06:00
adfs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
affs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
afs [PATCH] fix ->llseek for more directories 2008-10-23 05:13:21 -04:00
autofs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
autofs4 autofs4: collect version check return 2008-11-06 15:41:17 -08:00
befs befs: annotate fs32 on tests for superblock endianness 2008-10-16 11:21:46 -07:00
bfs [PATCH] fix ->llseek for more directories 2008-10-23 05:13:21 -04:00
cifs cifs: fix buffer overrun in parse_DFS_referrals 2008-12-17 14:59:55 -08:00
coda Switch to a valid email address... 2008-10-27 08:40:17 -07:00
configfs [PATCH] assorted path_lookup() -> kern_path() conversions 2008-10-23 05:12:52 -04:00
cramfs cramfs: fix named-pipe handling 2008-08-20 15:40:32 -07:00
debugfs integrity: special fs magic 2008-10-13 09:47:43 +11:00
devpts vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
dlm dlm: fix shutdown cleanup 2008-11-13 13:22:34 -06:00
ecryptfs eCryptfs: Allocate up to two scatterlists for crypto ops on keys 2008-11-19 18:49:58 -08:00
efs [PATCH] switch all filesystems over to d_obtain_alias 2008-10-23 05:13:01 -04:00
exportfs EXPORTFS: handle NULL returns from fh_to_dentry()/fh_to_parent() 2008-12-08 19:49:32 -08:00
ext2 Merge git://git.kernel.org/pub/scm/linux/kernel/git/viro/bdev 2008-10-23 10:23:07 -07:00
ext3 ext3: Clean up outdated and incorrect comment for ext3_write_super() 2008-11-12 17:17:17 -08:00
ext4 revert "percpu_counter: new function percpu_counter_sum_and_set" 2008-12-10 08:01:52 -08:00
fat fat: i_blocks warning fix 2008-11-06 15:41:22 -08:00
freevxfs
fuse saner FASYNC handling on file close 2008-11-01 09:49:46 -07:00
gfs2 [PATCH] switch all filesystems over to d_obtain_alias 2008-10-23 05:13:01 -04:00
hfs [PATCH] move executable checking into ->permission() 2008-10-23 05:13:25 -04:00
hfsplus [PATCH] move executable checking into ->permission() 2008-10-23 05:13:25 -04:00
hostfs hostfs: fix a duplicated global function name 2008-11-19 18:50:00 -08:00
hpfs [PATCH] hpfs: cleanup ->setattr 2008-10-23 05:12:58 -04:00
hppfs
hugetlbfs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
isofs [PATCH] switch all filesystems over to d_obtain_alias 2008-10-23 05:13:01 -04:00
jbd jbd: don't give up looking for space so easily in __log_wait_for_space 2008-11-06 22:37:59 -05:00
jbd2 jbd2: don't give up looking for space so easily in __jbd2_log_wait_for_space 2008-11-06 22:38:07 -05:00
jffs2 Merge git://git.infradead.org/mtd-2.6 2008-11-06 15:43:13 -08:00
jfs Merge git://git.kernel.org/pub/scm/linux/kernel/git/viro/bdev 2008-10-23 10:23:07 -07:00
lockd lockd: convert reclaimer thread to kthread interface 2008-12-23 15:21:33 -05:00
minix
ncpfs
nfs NFS: add "[no]resvport" mount option 2008-12-23 15:21:37 -05:00
nfs_common SUNRPC: nfsacl_encode/nfsacl_decode should be exported as GPL-only 2008-12-23 15:21:32 -05:00
nfsd nfsd: use of unitialized list head on error exit in nfs4recover.c 2008-11-24 10:36:09 -06:00
nls remove CONFIG_KMOD from fs 2008-10-17 02:38:36 +11:00
ntfs ntfs: don't fool kernel-doc 2008-12-01 19:55:25 -08:00
ocfs2 ocfs2: Add JBD2 compat feature bit. 2008-12-16 18:26:16 -08:00
omfs [PATCH] fix ->llseek for more directories 2008-10-23 05:13:21 -04:00
openpromfs [PATCH] fix ->llseek for more directories 2008-10-23 05:13:21 -04:00
partitions block/md: fix md autodetection 2008-11-18 15:08:56 +01:00
proc KSYM_SYMBOL_LEN fixes 2008-12-10 08:01:54 -08:00
qnx4
ramfs Ramfs and Ram Disk pages are unevictable 2008-10-20 08:50:26 -07:00
reiserfs Merge git://git.kernel.org/pub/scm/linux/kernel/git/viro/bdev 2008-10-23 10:23:07 -07:00
romfs
smbfs
sysfs [PATCH] fix ->llseek for more directories 2008-10-23 05:13:21 -04:00
sysv
ubifs UBIFS: pre-allocate bulk-read buffer 2008-11-21 18:59:33 +02:00
udf udf: Fix BUG_ON() in destroy_inode() 2008-11-27 17:38:28 +01:00
ufs [PATCH] fix ->llseek for more directories 2008-10-23 05:13:21 -04:00
xfs [XFS] Fix hang after disallowed rename across directory quota domains 2008-12-05 15:39:13 +11:00
aio.c
anon_inodes.c
attr.c [patch] vfs: make security_inode_setattr() calling consistent 2008-10-23 05:13:27 -04:00
bad_inode.c
binfmt_aout.c
binfmt_elf.c Merge branch 'v28-timers-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip 2008-10-20 13:19:56 -07:00
binfmt_elf_fdpic.c binfmt_elf_fdpic: Update for cputime changes. 2008-10-20 20:17:18 -07:00
binfmt_em86.c Allow recursion in binfmt_script and binfmt_misc 2008-10-16 11:21:38 -07:00
binfmt_flat.c uclinux: fix gzip header parsing in binfmt_flat.c 2008-10-16 11:21:29 -07:00
binfmt_misc.c Allow recursion in binfmt_script and binfmt_misc 2008-10-16 11:21:38 -07:00
binfmt_script.c Allow recursion in binfmt_script and binfmt_misc 2008-10-16 11:21:38 -07:00
binfmt_som.c binfmt_som.c: add MODULE_LICENSE 2008-10-16 11:21:38 -07:00
bio-integrity.c block: Introduce integrity data ownership flag 2008-10-09 08:56:21 +02:00
bio.c block: mark bio_split_pool static 2008-10-09 08:57:05 +02:00
block_dev.c [PATCH 1/2] kill FMODE_NDELAY_NOW 2008-12-04 04:22:57 -05:00
buffer.c udf: Fix BUG_ON() in destroy_inode() 2008-11-27 17:38:28 +01:00
char_dev.c [PATCH] tidy up chrdev_open 2008-10-23 05:12:59 -04:00
compat.c select: deal with math overflow from borderline valid userland data 2008-10-26 11:22:08 -07:00
compat_binfmt_elf.c
compat_ioctl.c
dcache.c [PATCH] fs: add a sanity check in d_free 2008-10-23 05:17:12 -04:00
dcookies.c
direct-io.c Remove Andrew Morton's old email accounts 2008-10-16 11:21:32 -07:00
dnotify.c
dquot.c [PATCH] switch quota_on-related stuff to kern_path() 2008-10-23 05:12:44 -04:00
drop_caches.c
eventfd.c
eventpoll.c epoll: introduce resource usage limits 2008-12-01 19:55:24 -08:00
exec.c tracehook: exec double-reporting fix 2008-12-09 19:36:38 -08:00
fcntl.c Fix a race condition in FASYNC handling 2008-12-05 15:35:10 -08:00
fifo.c [PATCH] introduce fmode_t, do annotations 2008-10-21 07:47:06 -04:00
file.c
file_table.c saner FASYNC handling on file close 2008-11-01 09:49:46 -07:00
filesystems.c proc: move /proc/filesystems to fs/filesystems.c 2008-10-23 14:27:09 +04:00
fs-writeback.c Remove Andrew Morton's old email accounts 2008-10-16 11:21:32 -07:00
generic_acl.c
inode.c fs/inode.c: properly init address_space->writeback_index 2008-08-15 08:35:44 -07:00
inotify.c inotify: fix IN_ONESHOT unmount event watcher 2008-12-10 08:01:53 -08:00
inotify_user.c saner FASYNC handling on file close 2008-11-01 09:49:46 -07:00
internal.h
ioctl.c Fix a race condition in FASYNC handling 2008-12-05 15:35:10 -08:00
ioprio.c fix setpriority(PRIO_PGRP) thread iterator breakage 2008-08-20 15:40:32 -07:00
Kconfig [patch 1/3] FS_MBCACHE: don't needlessly make it built-in 2008-10-23 05:13:26 -04:00
Kconfig.binfmt add CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS 2008-10-20 08:52:39 -07:00
libfs.c fs: remove prepare_write/commit_write 2008-10-30 11:38:45 -07:00
locks.c Merge branch 'proc' of git://git.kernel.org/pub/scm/linux/kernel/git/adobriyan/proc 2008-10-23 12:04:37 -07:00
Makefile fat: move fs/vfat/* and fs/msdos/* to fs/fat 2008-11-06 15:41:20 -08:00
mbcache.c
mpage.c Remove Andrew Morton's old email accounts 2008-10-16 11:21:32 -07:00
namei.c don't unlink an active swapfile 2008-11-19 18:49:59 -08:00
namespace.c vfs: fix shrink_submounts 2008-11-12 17:17:17 -08:00
nfsctl.c
no-block.c
open.c [PATCH] introduce fmode_t, do annotations 2008-10-21 07:47:06 -04:00
pipe.c saner FASYNC handling on file close 2008-11-01 09:49:46 -07:00
pnode.c
pnode.h
posix_acl.c
quota.c
quota_v1.c
quota_v2.c
read_write.c [PATCH] generic_file_llseek tidyups 2008-10-23 05:12:59 -04:00
read_write.h
readdir.c [PATCH] prepare vfs_readdir() callers to returning filldir result 2008-10-23 05:13:10 -04:00
select.c select: deal with math overflow from borderline valid userland data 2008-10-26 11:22:08 -07:00
seq_file.c seq_file: add seq_cpumask_list(), seq_nodemask_list() 2008-10-20 08:52:39 -07:00
signalfd.c
splice.c fs: remove prepare_write/commit_write 2008-10-30 11:38:45 -07:00
stack.c
stat.c
super.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/viro/bdev 2008-10-23 10:23:07 -07:00
sync.c
timerfd.c hrtimer: convert timerfd to the new hrtimer apis 2008-09-05 21:35:09 -07:00
utimes.c
xattr.c
xattr_acl.c