[LUNA] NFS on unprivileged ports ....

Branden Harper bharper at chaosweb.us
Tue Aug 26 14:51:05 CDT 2014


Well, that option was _right below_ the options I pasted and I missed
it.  I need to learn to read.  :)

On Tue, Aug 26, 2014 at 2:43 PM, William A. Mahaffey III <wam at hiwaay.net> wrote:
>
> & we have a winner .... actual changes:
>
>
> in /etc/rc.conf:
>
> weak_mountd_authentication="yes"
>
> followed by:
>
> # service mountd forcerestart
>
> & I am off to the races !!!! *Booooyah* !!!!
>
>
> On 08/26/14 14:16, Branden Harper wrote:
>>
>> According to /etc/defaults/rc.conf, you can set the mountd_flags option.
>>
>> defaults:
>> mountd_enable="NO"              # Run mountd (or NO).
>> mountd_flags="-r"               # Flags to mountd (if NFS server enabled).
>>
>>
>> On Tue, Aug 26, 2014 at 2:16 PM, William A. Mahaffey III <wam at hiwaay.net>
>> wrote:
>>>
>>>
>>> '-n' is indeed an option, I could (easily) edit the rc.d/mountd file, but
>>> then I would have to remember to redo that every upgrade .... There doesn't
>>> seem to be any way to pass that option in .... I could try to 'correct' the
>>> other box, but it is a VM running on an FC14 box, I think that has something
>>> to do w/ it ....
>>>
>>>
>>> The Linux boxen seem to allow it automatically, have for years now (at least
>>> on my LAN, all w/ *old* distros, FC14 era ....)
>>>
>>>
>>>
>>> On 08/26/14 10:05, Bob Nance wrote:
>>>>
>>>> Go look at your “mountd” options and see if there is one that allows
>>>> connections from an unprivileged port (a port higher than 1024, as all ports
>>>> under 1024 can only be opened by a “root” level account/process). It’s
>>>> likely that it is NOT an option. I think at least one BSD build of mountd
>>>> offered a “-n” option, but I don’t think it’s there in any of the Linux
>>>> distros.
>>>>
>>>> The real fix would be to get the offending connection to use the right
>>>> port. Can you make it a system-based mount instead of a user-environment
>>>> mount? That might fix it by allowing the NFS mount program to use a port
>>>> lower than 1024.
>>>>
>>>> -Bob
>>>>
>>>>
>>>>
>>>> ---
>>>>     Bob Nance
>>>>     Novation Systems
>>>>     bob.nance at novationsys.com
>>>>     256-534-4620
>>>>
>>>> On Aug 26, 2014, at 9:30 AM, William A. Mahaffey III <wam at HiWAAY.net>
>>>> wrote:
>>>>
>>>>> .... I have nfsd running on my FBSD 9.3 desktop, exporting /home (~3.6
>>>>> TiB). I can mount/see/use it from all other machines on my LAN (all Linux
>>>>> boxen) *except* for a CentOS 5.n VM running on one of the other boxen. When
>>>>> the VM tries to (auto)mount the exported partition on the FBSD box
>>>>> ('jaguar'), I get the following (from earlier this A.M.):
>>>>>
>>>>>
>>>>> [root at centos-5:/etc, Tue Aug 26, 06:28 AM] 1008 # lf /net/jaguar/home/ /net/q6600/home/ /net/opty165a/work/ /net/opty165a/home/ /net/cube/home/
>>>>> ls: /net/jaguar/home/: No such file or directory
>>>>> /net/cube/home/:
>>>>> Opty165A/  Q6600/  VMs/  archive/  lost+found/  makedepend*  pub/ wam/
>>>>>
>>>>> /net/opty165a/home/:
>>>>> FTP/  RPMs/  SGI/  archive/  lost+found/  rsync/  wam/
>>>>>
>>>>> /net/opty165a/work/:
>>>>> FTP/  ISOs/  RPMs/  VMs/  archive/  lost+found/  vmware/  wam/
>>>>>
>>>>> /net/q6600/home/:
>>>>> FTP/  ISOs/  VMs/  archive/  lost+found/  rsync/  wam/  work/
>>>>> [root at centos-5:/etc, Tue Aug 26, 06:29 AM] 1009 # df ; w ; /sbin/swapon -s ; free -m ; uname -a ; hwclock  -r;  date
>>>>> Filesystem    Type   1K-blocks      Used Available Use% Mounted on
>>>>> /dev/mapper/VolGroup00-LogVol00
>>>>>                ext3    46691248   7505344  36775820  17% /
>>>>> /dev/hda1     ext3      101086     26854     69013  29% /boot
>>>>> tmpfs        tmpfs     1029372         0   1029372   0% /dev/shm
>>>>> q6600:/home    nfs   1906370560 1025951744 783581184  57% /net/q6600/home
>>>>> opty165a:/work nfs   480719104 410868736  45431040  91% /net/opty165a/work
>>>>> opty165a:/home nfs   473086208 351912192  96754944  79% /net/opty165a/home
>>>>> cube:/home     nfs   155794432 143113728   4638976  97% /net/cube/home
>>>>> 06:29:20 up 121 days, 12:12,  3 users,  load average: 0.04, 0.02, 0.00
>>>>> USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
>>>>> wam      pts/0    192.168.122.1    Thu07   46:20m  1.96s  1.96s -tcsh
>>>>> root     pts/1    192.168.122.1    Sun08   46:11m  0.09s  0.09s -bash
>>>>> root     pts/2    192.168.122.1    Sun08    0.00s  0.09s  0.08s -bash
>>>>> Filename                                Type            Size Used Priority
>>>>> /dev/mapper/VolGroup00-LogVol01         partition       4095992 76 -1
>>>>>               total       used       free     shared    buffers cached
>>>>> Mem:          2010       1891        118          0 327        943
>>>>> -/+ buffers/cache:        620       1389
>>>>> Swap:         3999          0       3999
>>>>> Linux centos-5.6-vm 2.6.18-371.8.1.el5.centos.plus #1 SMP Thu Apr 24 18:32:18 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>> Tue Aug 26 06:29:28 2014  -1.008094 seconds
>>>>> Tue Aug 26 06:29:21 CDT 2014
>>>>> [root at centos-5:/etc, Tue Aug 26, 06:29 AM] 1010 #
>>>>>
>>>>>
>>>>> i.e., it can see all other exported partitions except the FBSD (jaguar).
>>>>> On the FBSD box, I get the following:
>>>>>
>>>>>
>>>>>
>>>>> [root at kabini1, /etc, 6:24:31am] 708 %  grep vfs LIST.sysctl-A.txt | grep nfs | grep priv
>>>>> vfs.nfsd.nfs_privport: 0
>>>>> [root at kabini1, /etc, 6:24:50am] 709 %  service  mountd  status
>>>>> Cannot 'status' mountd. Set mountd_enable to YES in /etc/rc.conf or use
>>>>> 'onestatus' instead of 'status'.
>>>>> [root at kabini1, /etc, 6:26:08am] 710 %  service mountd onestatus
>>>>> mountd is running as pid 718.
>>>>> [root at kabini1, /etc, 6:26:16am] 711 %  ps -aux | grep mountd
>>>>> root         718   0.0  0.0  16180  3836 ??  Is   15Aug14 0:00.03 /usr/sbin/mountd -r
>>>>> root       51859   0.0  0.0  16332  2024 10  S+    6:26AM 0:00.00 grep mountd
>>>>> wam        51820   0.0  0.0  14544  2428 17  I+    6:22AM 0:00.01 /bin/sh /usr/bin/man mountd
>>>>> [root at kabini1, /etc, 6:26:35am] 712 %  grep -i mountd rc.d/*
>>>>> rc.d/mountd:# $FreeBSD: releng/9.3/etc/rc.d/mountd 231792 2012-02-15 22:59:15Z dougb $
>>>>> rc.d/mountd:# PROVIDE: mountd
>>>>> rc.d/mountd:name="mountd"
>>>>> rc.d/mountd:rcvar="mountd_enable"
>>>>> rc.d/mountd:start_precmd="mountd_precmd"
>>>>> rc.d/mountd:mountd_precmd()
>>>>> rc.d/mountd:    # mountd flags will differ depending on rc.conf settings
>>>>> rc.d/mountd:            if checkyesno weak_mountd_authentication; then
>>>>> rc.d/mountd:                    rc_flags="${mountd_flags} -n"
>>>>> rc.d/mountd:            if checkyesno mountd_enable; then
>>>>> rc.d/mountd:                    checkyesno weak_mountd_authentication && rc_flags="-n"
>>>>> rc.d/mountd:    rm -f /var/db/mountdtab
>>>>> rc.d/mountd:    ( umask 022 ; > /var/db/mountdtab ) ||
>>>>> rc.d/mountd:        err 1 'Cannot create /var/db/mountdtab'
>>>>> rc.d/nfsd:# REQUIRE: mountd hostname gssd nfsuserd
>>>>> rc.d/nfsd:      force_depend mountd || return 1
>>>>> [root at kabini1, /etc, 6:27:19am] 713 %  (tail -10 /var/log/messages ; date)
>>>>> Aug 24 08:09:44 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
>>>>> Aug 24 08:18:12 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
>>>>> Aug 24 08:18:51 kabini1 su: wam to root on /dev/pts/19
>>>>> Aug 24 08:52:04 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
>>>>> Aug 24 09:10:23 kabini1 ntpd[804]: time reset +0.186836 s
>>>>> Aug 24 11:37:21 kabini1 dbus[738]: [system] Failed to activate service
>>>>> 'org.freedesktop.Avahi': timed out
>>>>> Aug 24 11:38:57 kabini1 dbus[738]: [system] Failed to activate service
>>>>> 'org.freedesktop.Avahi': timed out
>>>>> Aug 24 11:40:21 kabini1 dbus[738]: [system] Failed to activate service
>>>>> 'org.freedesktop.Avahi': timed out
>>>>> Aug 24 11:48:49 kabini1 last message repeated 7 times
>>>>> Aug 26 06:29:25 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
>>>>> Tue Aug 26 06:30:14 CDT 2014
>>>>> [root at kabini1, /etc, 6:30:14am] 714 %
>>>>>
>>>>>
>>>>> i.e., the mount request from the VM is apparently coming in on an
>>>>> unprivileged port & the FBSD box's mountd is dropping/ignoring it. The other
>>>>> boxen handle it OK. I have ipfw dropping all such traffic *not* originating
>>>>> on my LAN, so I don't mind using the unprivileged port (I don't think there
>>>>> are any security issues). How do I get FBSD's nfsd/mountd to allow/handle
>>>>> the mount request on unprivileged ports ? TIA ....
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>>          William A. Mahaffey III
>>>>>
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>>          "The M1 Garand is without doubt the finest implement of war
>>>>>           ever devised by man."
>>>>>                             -- Gen. George S. Patton Jr.
>>>>>
>>>>> _______________________________________________
>>>>> LUNA mailing list
>>>>> LUNA at lunagroup.us
>>>>> http://lunagroup.us/mailman/listinfo/luna
>>>>
>>>>
>>
>>
>


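The "mount request from ... from unprivileged port" lines quoted in the thread are worth watching even after weak_mountd_authentication is turned on: the privileged-port check is the only evidence mountd has that the requester was root on the client, and with -n that check is gone, so the packet filter is all that keeps non-LAN hosts out. As an added example (not from the thread, and not FreeBSD's own code), this POSIX sh script parses constructed log lines in the same syslog format, counts unprivileged-port mount requests per source address, lists any source outside a given LAN prefix, and reports whether an rc.conf text enables weak_mountd_authentication using the spellings rc.subr's checkyesno accepts. The 10.0.0.5 source, the rc.conf fragment, and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD): triage mountd
# "unprivileged port" log lines and audit rc.conf for weak_mountd_authentication.

# Constructed sample in the syslog format quoted in the thread. The 10.0.0.5
# source is invented to show an address outside the LAN prefix.
SAMPLE_LOG='Aug 24 08:09:44 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
Aug 24 08:18:51 kabini1 su: wam to root on /dev/pts/19
Aug 24 08:52:04 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port
Aug 24 09:10:23 kabini1 ntpd[804]: time reset +0.186836 s
Aug 26 06:29:25 kabini1 mountd[718]: mount request from 10.0.0.5 from unprivileged port
Aug 26 06:31:02 kabini1 mountd[718]: mount request from 192.168.0.9 from unprivileged port'

# Constructed rc.conf fragment: the commented-out line must be ignored and the
# last live assignment must win, as it does when sh sources the file.
SAMPLE_RCCONF='mountd_enable="YES"
mountd_flags="-r"
# weak_mountd_authentication="NO"
weak_mountd_authentication="yes"'

# unpriv_mount_sources LOGTEXT
# Prints "count address", one line per source, most frequent first.
unpriv_mount_sources() {
    printf '%s\n' "$1" \
    | grep 'mountd\[[0-9]*\]: mount request from [0-9.]* from unprivileged port' \
    | sed 's/.*mount request from \([0-9.]*\) from unprivileged port.*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# offlan_sources LOGTEXT LAN_PREFIX
# Prints the addresses from unpriv_mount_sources that do not start with
# LAN_PREFIX (a dotted prefix such as "192.168.0."). If the packet filter is
# supposed to drop NFS traffic from outside the LAN, anything printed here
# got past it.
offlan_sources() {
    unpriv_mount_sources "$1" | awk -v p="$2" 'index($2, p) != 1 { print $2 }'
}

# mountd_weak_auth RCCONF_TEXT
# Prints "yes" if the text enables weak_mountd_authentication, else "no".
# Comment lines are skipped; the last assignment wins; the accepted true
# spellings are the ones rc.subr's checkyesno treats as true.
mountd_weak_auth() {
    v=$(printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*weak_mountd_authentication=[\"']*\([A-Za-z0-9]*\).*/\1/p" \
        | tail -n 1)
    case "$v" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) echo yes ;;
        *) echo no ;;
    esac
}

# Stand-alone run against the constructed samples.
echo "Unprivileged-port mount requests by source:"
unpriv_mount_sources "$SAMPLE_LOG"
echo "Sources outside 192.168.0.0/24:"
offlan_sources "$SAMPLE_LOG" "192.168.0."
echo "weak_mountd_authentication enabled: $(mountd_weak_auth "$SAMPLE_RCCONF")"
```

To use it on a real box, replace SAMPLE_LOG with the output of `grep mountd /var/log/messages` and SAMPLE_RCCONF with the contents of /etc/rc.conf; the LAN prefix is matched as a plain string prefix, so pass "192.168.0." for a /24, not a CIDR.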