Saturday, December 31, 2022

Re: Some NFS clients won't mount

I did some tests and I'm now pretty sure the problem revolves around
the point naddy made: Kodi and VLC try to mount my NFS share through a
non-privileged port. As both Kodi and VLC use the same NFS client
library (libnfs), I tried to find out a bit more about how it works.
According to its readme, libnfs uses standard NFS ports when run as
root and non-privileged ports when run non-root. Here is the relevant
part of the readme file: "When running as root, libnfs tries to
allocate a system port for its connection to the NFS server. When
running as non-root it will use a normal ephemeral port". I find it
strange that a client library should be run as root in order to use a
privileged port. My (very poor, I confess) understanding was that only
server processes should be run as root in order to use privileged
ports. Anyway, as things stand I can only mount my OpenBSD NFS shares
if the client is run as root, since the usual way to circumvent this
problem on the server side (set the insecure flag on exports) is not
available on OpenBSD and, I hope, won't ever be. As I don't have root
access to my Fire Stick TV, there is no way to mount my OpenBSD NFS
shares on it. As I'm no expert on security though, I'd like an opinion
from you guys regarding this: is it reasonable to require an NFS
client to be run as root?

Best,
Vitor



On Fri, Dec 30, 2022 at 15:20, Bodie <bodie@bodie.cz> wrote:
>
> On Fri Dec 30, 2022 at 3:59 PM CET, vitmaubra@gmail.com wrote:
> > Thank you guys for the tips. I think naddy is right, which means I was
> > wrong in thinking that I finally had a doubt that couldn't be solved
> > by OpenBSD's manuals. I'll do some tests and report back on this
> > thread soon.
>
> Don't forget to check firewall as NFSv4 from your Fedora 34 has
> way less requirements than NFSv3 served by OpenBSD
>
> You can compare 'rpcinfo -p localhost' on your OpenBSD server
> vs same command remotely from client (with proper hostname/IP)
>
> And NFSv3 is by default UDP while NFSv4 is TCP
>
> >
> > Best,
> > Vitor
> >
> > On Thu, Dec 29, 2022 at 16:55, Christian Weisgerber
> > <naddy@mips.inka.de> wrote:
> > >
> > > "vitmaubra@gmail.com":
> > >
> > > > My /var/log/daemon regarding the issue:
> > > > mountd[91001]: Refused mount RPC from host 192.168.1.4 port 57264
> > >
> > > The client's mount request didn't come from a reserved port, i.e. <1024.
> > > OpenBSD's mountd(8) does not accept this.
> > >
> > > --
> > > Christian "naddy" Weisgerber naddy@mips.inka.de
>
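
Added example, not part of the original thread and not code from mountd(8) or libnfs: the two halves of the problem discussed above, in C. It shows the server-side source-port test and a client trying to bind a port below 1024. All function names are assumptions made for this example; the host and port come from the log line quoted in the thread.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build an IPv4 socket address from dotted-quad text and a port number. */
static struct sockaddr_in make_addr(const char *ip, unsigned port)
{
    struct sockaddr_in sa = {0};
    sa.sin_family = AF_INET;
    sa.sin_port = htons((in_port_t)port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

/* Server side: the test described in the thread, source port below 1024
 * (IPPORT_RESERVED). Hypothetical helper, not code from mountd(8). */
static int mount_request_allowed(const struct sockaddr_in *peer)
{
    return ntohs(peer->sin_port) < IPPORT_RESERVED;
}

/* Client side: walk down from 1023 looking for a free reserved port.
 * Returns the bound port, or -1 with errno set (EACCES without privilege). */
static int bind_reserved_port(int fd)
{
    for (int port = IPPORT_RESERVED - 1; port >= IPPORT_RESERVED / 2; port--) {
        struct sockaddr_in local = make_addr("0.0.0.0", (unsigned)port);
        if (bind(fd, (struct sockaddr *)&local, sizeof local) == 0) return port;
        if (errno != EADDRINUSE) return -1;   /* e.g. EACCES: not permitted */
    }
    errno = EADDRINUSE;
    return -1;
}

int main(void)
{
    /* Host and port taken from the refused request in the quoted log line. */
    struct sockaddr_in peer = make_addr("192.168.1.4", 57264);
    printf("source port 57264: %s\n", mount_request_allowed(&peer) ? "accepted" : "refused");
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int port = bind_reserved_port(fd);
    if (port < 0) printf("reserved-port bind failed: %s\n", strerror(errno));
    else printf("bound reserved port %d\n", port);
    close(fd);
}
```

Run as an ordinary user, the bind step normally fails with "Permission denied"; run as root it reports a port between 512 and 1023.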
