From: doug Date: Sun, 24 Aug 2014 14:45:00 +0000 (+0000) Subject: Remove imaginary non-reserved port support from mountd. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=df026f4d43d97ce92cef2b27d72a45906d5b556e;p=openbsd Remove imaginary non-reserved port support from mountd. This bug was reported by Julian Hsiao. ok concept deraadt@, miod@ mountd.8 diff is from jmc@. ok doug@ mountd.c diff is from me. ok miod@ --- diff --git a/sbin/mountd/mountd.8 b/sbin/mountd/mountd.8 index 7fd43779e85..5f375be2348 100644 --- a/sbin/mountd/mountd.8 +++ b/sbin/mountd/mountd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: mountd.8,v 1.17 2014/01/19 10:39:00 schwarze Exp $ +.\" $OpenBSD: mountd.8,v 1.18 2014/08/24 14:45:00 doug Exp $ .\" $NetBSD: mountd.8,v 1.11 1996/02/18 11:57:51 fvdl Exp $ .\" .\" Copyright (c) 1989, 1991, 1993 @@ -30,7 +30,7 @@ .\" .\" @(#)mountd.8 8.4 (Berkeley) 4/28/95 .\" -.Dd $Mdocdate: January 19 2014 $ +.Dd $Mdocdate: August 24 2014 $ .Dt MOUNTD 8 .Os .Sh NAME @@ -38,7 +38,7 @@ .Nd service remote NFS mount requests .Sh SYNOPSIS .Nm mountd -.Op Fl dn +.Op Fl d .Op Ar exportsfile .Sh DESCRIPTION .Nm @@ -58,14 +58,6 @@ Enable debugging mode. .Nm will not detach from the controlling terminal and will print debugging messages to stderr. -.It Fl n -Do not require that clients make mount requests from reserved ports. -(Normally, only mount requests from reserved ports are accepted.) -This option should only be specified if there are clients, such as PCs, -that need it. -The use of -.Fl n -is STRONGLY discouraged, as it opens up a wide range of security problems. .It Ar exportsfile The .Ar exportsfile @@ -111,3 +103,12 @@ The .Nm utility first appeared in .Bx 4.4 . +.Pp +The +.Fl n +flag historically allowed clients to use non-reserved ports +when communicating with +.Nm . +In +.Ox , +a reserved port is always used. diff --git a/sbin/mountd/mountd.c b/sbin/mountd/mountd.c index b7adff22fc8..2b3129cc443 100644 --- a/sbin/mountd/mountd.c +++ b/sbin/mountd/mountd.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: mountd.c,v 1.75 2014/05/16 17:30:28 millert Exp $ */ +/* $OpenBSD: mountd.c,v 1.76 2014/08/24 14:45:00 doug Exp $ */ /* $NetBSD: mountd.c,v 1.31 1996/02/18 11:57:53 fvdl Exp $ */ /* @@ -184,7 +184,6 @@ struct xucred def_anon = { .cr_ngroups = 0, .cr_groups = { 0, } }; -int resvport_only = 1; int opt_flags; /* Bits for above */ #define OP_MAPROOT 0x01 @@ -204,7 +203,6 @@ volatile sig_atomic_t gotterm; * The optional arguments are the exports file name * default: _PATH_EXPORTS * "-d" to enable debugging - * and "-n" to allow nonroot mount. */ int main(int argc, char *argv[]) @@ -219,13 +217,11 @@ main(int argc, char *argv[]) debug = 1; break; case 'n': - resvport_only = 0; - break; case 'r': /* Compatibility */ break; default: - fprintf(stderr, "usage: mountd [-dn] [exportsfile]\n"); + fprintf(stderr, "usage: mountd [-d] [exportsfile]\n"); exit(1); } argc -= optind; @@ -373,7 +369,7 @@ mntsrv(struct svc_req *rqstp, SVCXPRT *transp) if (debug) fprintf(stderr, "Got mount request from %s\n", inet_ntoa(transp->xp_raddr.sin_addr)); - if (sport >= IPPORT_RESERVED && resvport_only) { + if (sport >= IPPORT_RESERVED) { syslog(LOG_NOTICE, "Refused mount RPC from host %s port %d", inet_ntoa(transp->xp_raddr.sin_addr), sport); @@ -471,7 +467,7 @@ mntsrv(struct svc_req *rqstp, SVCXPRT *transp) syslog(LOG_ERR, "Can't send reply"); return; case RPCMNT_UMOUNT: - if (sport >= IPPORT_RESERVED && resvport_only) { + if (sport >= IPPORT_RESERVED) { svcerr_weakauth(transp); return; } @@ -487,7 +483,7 @@ mntsrv(struct svc_req *rqstp, SVCXPRT *transp) del_mlist(inet_ntoa(transp->xp_raddr.sin_addr), dirpath); return; case RPCMNT_UMNTALL: - if (sport >= IPPORT_RESERVED && resvport_only) { + if (sport >= IPPORT_RESERVED) { svcerr_weakauth(transp); return; }
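Review bot: In the `@@ -219,13 +217,11 @@` hunk of main(), `case 'n':` now falls through to the `case 'r': /* Compatibility */` arm, so `-n` is accepted and silently ignored while the usage string no longer lists it. An administrator who still passes `-n` gets no indication at startup that mount requests from non-reserved ports will be refused. Either widen the comment to cover both cases, e.g. `/* -n and -r: accepted for compatibility, ignored */`, or print a one-line notice such as `fprintf(stderr, "mountd: -n is ignored\n");` before the `break`. The getopt loop and its option string are outside the hunk, so this assumes `n` is still listed there.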
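Review bot: The now-unconditional `sport >= IPPORT_RESERVED` test in the `@@ -373,7 +369,7 @@` hunk of mntsrv() has no comment saying what it does and does not establish. By convention a source port below IPPORT_RESERVED only indicates that the sender had privilege on its own host; it identifies neither the host nor the user, so a maintainer should not read it as authentication. Suggested comment above the `if`: `/* Reserved source port is a weak check only: it shows privilege on the client, not who the client is. */`. The function body starts and ends outside the hunk.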
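Review bot: The RPCMNT_UMOUNT refusal in the `@@ -471,7 +467,7 @@` hunk, and the RPCMNT_UMNTALL refusal in the `@@ -487,7 +483,7 @@` hunk, reply with `svcerr_weakauth(transp)` but log nothing, while the mount path in the `@@ -373,7 +369,7 @@` hunk records the host and port with `syslog(LOG_NOTICE, ...)`. With the check now unconditional, a refused unmount from a non-reserved port leaves no trace for an operator. Add the matching line before `svcerr_weakauth`, e.g. `syslog(LOG_NOTICE, "Refused umount RPC from host %s port %d", inet_ntoa(transp->xp_raddr.sin_addr), sport);`. Both case bodies continue outside their hunks.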