diff mbox

exports: document change to "insecure" export option

Message ID 20180614133238.GA24594@fieldses.org (mailing list archive)
State New, archived
Headers show

Commit Message

J. Bruce Fields June 14, 2018, 1:32 p.m. UTC 
From: "J. Bruce Fields" <bfields@redhat.com>

We're changing the kernel to allow gss requests from high ports even
when "secure" is set.

If the change gets backported to distro kernels, the kernel version may
be an imperfect predictor of the behavior, but I think it's the best we
can do.

Signed-off-by: J. Bruce Fields <bfields@redhat.com>
---
 utils/exportfs/exports.man | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

Comments

Steve Dickson June 19, 2018, 4:56 p.m. UTC | #1 
On 06/14/2018 09:32 AM, J. Bruce Fields wrote:
> From: "J. Bruce Fields" <bfields@redhat.com>
> 
> We're changing the kernel to allow gss requests from high ports even
> when "secure" is set.
> 
> If the change gets backported to distro kernels, the kernel version may
> be an imperfect predictor of the behavior, but I think it's the best we
> can do.
> 
> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Committed.... 

steved.
> ---
>  utils/exportfs/exports.man | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
> index 4f95f3a2197e..e3a16f6b276a 100644
> --- a/utils/exportfs/exports.man
> +++ b/utils/exportfs/exports.man
> @@ -131,10 +131,12 @@ this way are ro, rw, no_root_squash, root_squash, and all_squash.
>  understands the following export options:
>  .TP
>  .IR secure
> -This option requires that requests originate on an Internet port less
> -than IPPORT_RESERVED (1024). This option is on by default. To turn it
> -off, specify
> +This option requires that requests not using gss originate on an
> +Internet port less than IPPORT_RESERVED (1024). This option is on by default.
> +To turn it off, specify
>  .IR insecure .
> +(NOTE: older kernels (before upstream kernel version 4.17) enforced this
> +requirement on gss requests as well.)
>  .TP
>  .IR rw
>  Allow both read and write requests on this NFS volume. The
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/utils/exportfs/exports.man b/utils/exportfs/exports.man
index 4f95f3a2197e..e3a16f6b276a 100644
--- a/utils/exportfs/exports.man
+++ b/utils/exportfs/exports.man
@@ -131,10 +131,12 @@  this way are ro, rw, no_root_squash, root_squash, and all_squash.
 understands the following export options:
 .TP
 .IR secure
-This option requires that requests originate on an Internet port less
-than IPPORT_RESERVED (1024). This option is on by default. To turn it
-off, specify
+This option requires that requests not using gss originate on an
+Internet port less than IPPORT_RESERVED (1024). This option is on by default.
+To turn it off, specify
 .IR insecure .
+(NOTE: older kernels (before upstream kernel version 4.17) enforced this
+requirement on gss requests as well.)
 .TP
 .IR rw
 Allow both read and write requests on this NFS volume. The