diff --git a/sbin/mountd/mountd.c b/sbin/mountd/mountd.c
index f09486396036..8039be821ad4 100644
--- a/sbin/mountd/mountd.c
+++ b/sbin/mountd/mountd.c
@@ -43,7 +43,7 @@ static char copyright[] =
#ifndef lint
/*static char sccsid[] = "@(#)mountd.c 8.15 (Berkeley) 5/1/95"; */
static const char rcsid[] =
- "$Id: mountd.c,v 1.13 1997/02/22 14:33:02 peter Exp $";
+ "$Id: mountd.c,v 1.14 1997/03/11 12:43:45 peter Exp $";
#endif /*not lint*/
#include <sys/param.h>
@@ -54,6 +54,7 @@ static const char rcsid[] =
#include <sys/stat.h>
#include <sys/syslog.h>
#include <sys/ucred.h>
+#include <sys/sysctl.h>
#include <rpc/rpc.h>
#include <rpc/pmap_clnt.h>
@@ -63,6 +64,7 @@ static const char rcsid[] =
#endif
#include <nfs/rpcv2.h>
#include <nfs/nfsproto.h>
+#include <nfs/nfs.h>
#include <ufs/ufs/ufsmount.h>
#include <msdosfs/msdosfsmount.h>
#include <isofs/cd9660/cd9660_mount.h> /* XXX need isofs in include */
@@ -255,6 +257,7 @@ main(argc, argv)
#ifdef __FreeBSD__
struct vfsconf vfc;
int error;
+ int mib[3];
error = getvfsbyname("nfs", &vfc);
if (error && vfsisloadable("nfs")) {
@@ -314,6 +317,16 @@ main(argc, argv)
fclose(pidfile);
}
}
+
+ mib[0] = CTL_VFS;
+ mib[1] = MOUNT_NFS;
+ mib[2] = NFS_NFSPRIVPORT;
+ if (sysctl(mib, 3, NULL, NULL,
+ &resvport_only, sizeof(resvport_only)) != 0) {
+ syslog(LOG_ERR, "sysctl: %m");
+ exit(1);
+ }
+
if ((udptransp = svcudp_create(RPC_ANYSOCK)) == NULL ||
(tcptransp = svctcp_create(RPC_ANYSOCK, 0, 0)) == NULL) {
syslog(LOG_ERR, "Can't create socket");
diff --git a/sys/nfs/nfs.h b/sys/nfs/nfs.h
index 6aaa1da83014..dd71abe40e36 100644
--- a/sys/nfs/nfs.h
+++ b/sys/nfs/nfs.h
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs.h 8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
*/
#ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
* fs.nfs sysctl(3) identifiers
*/
#define NFS_NFSSTATS 1 /* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
#define FS_NFS_NAMES { \
{ 0, 0 }, \
{ "nfsstats", CTLTYPE_STRUCT }, \
+ { "nfsprivport", CTLTYPE_INT }, \
}
/*
diff --git a/sys/nfs/nfs_syscalls.c b/sys/nfs/nfs_syscalls.c
index 83cd64dd9c9b..396dff88d13a 100644
--- a/sys/nfs/nfs_syscalls.c
+++ b/sys/nfs/nfs_syscalls.c
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs_syscalls.c 8.5 (Berkeley) 3/30/95
- * $Id: nfs_syscalls.c,v 1.18 1997/02/22 09:42:42 peter Exp $
+ * $Id: nfs_syscalls.c,v 1.19 1997/03/22 06:53:11 bde Exp $
*/
#include <sys/param.h>
@@ -107,6 +107,10 @@ static void nfsd_rt __P((int sotype, struct nfsrv_descript *nd,
int cacherep));
static int nfssvc_addsock __P((struct file *,struct mbuf *));
static int nfssvc_nfsd __P((struct nfsd_srvargs *,caddr_t,struct proc *));
+
+static int nfs_privport = 0;
+SYSCTL_INT(_vfs_nfs, NFS_NFSPRIVPORT, nfs_privport, CTLFLAG_RW, &nfs_privport, 0, "");
+
/*
* NFS server system calls
* getfh() lives here too, but maybe should move to kern/vfs_syscalls.c
@@ -592,7 +596,24 @@ nfssvc_nfsd(nsd, argp, p)
nd->nd_procnum = NFSPROC_NOOP;
nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
cacherep = RC_DOIT;
+ } else if (nfs_privport) {
+ /* Check if source port is privileged */
+ u_short port;
+ u_long addr;
+ struct mbuf *nam = nd->nd_nam;
+ struct sockaddr_in *sin;
+
+ sin = mtod(nam, struct sockaddr_in *);
+ port = ntohs(sin->sin_port);
+ if (port >= IPPORT_RESERVED) {
+ nd->nd_procnum = NFSPROC_NOOP;
+ nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
+ cacherep = RC_DOIT;
+ printf("NFS request from unprivileged port (%s:%d)\n",
+ inet_ntoa(sin->sin_addr), port);
+ }
}
+
}
/*
diff --git a/sys/nfsclient/nfs.h b/sys/nfsclient/nfs.h
index 6aaa1da83014..dd71abe40e36 100644
--- a/sys/nfsclient/nfs.h
+++ b/sys/nfsclient/nfs.h
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs.h 8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
*/
#ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
* fs.nfs sysctl(3) identifiers
*/
#define NFS_NFSSTATS 1 /* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
#define FS_NFS_NAMES { \
{ 0, 0 }, \
{ "nfsstats", CTLTYPE_STRUCT }, \
+ { "nfsprivport", CTLTYPE_INT }, \
}
/*
diff --git a/sys/nfsclient/nfs_nfsiod.c b/sys/nfsclient/nfs_nfsiod.c
index 83cd64dd9c9b..396dff88d13a 100644
--- a/sys/nfsclient/nfs_nfsiod.c
+++ b/sys/nfsclient/nfs_nfsiod.c
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs_syscalls.c 8.5 (Berkeley) 3/30/95
- * $Id: nfs_syscalls.c,v 1.18 1997/02/22 09:42:42 peter Exp $
+ * $Id: nfs_syscalls.c,v 1.19 1997/03/22 06:53:11 bde Exp $
*/
#include <sys/param.h>
@@ -107,6 +107,10 @@ static void nfsd_rt __P((int sotype, struct nfsrv_descript *nd,
int cacherep));
static int nfssvc_addsock __P((struct file *,struct mbuf *));
static int nfssvc_nfsd __P((struct nfsd_srvargs *,caddr_t,struct proc *));
+
+static int nfs_privport = 0;
+SYSCTL_INT(_vfs_nfs, NFS_NFSPRIVPORT, nfs_privport, CTLFLAG_RW, &nfs_privport, 0, "");
+
/*
* NFS server system calls
* getfh() lives here too, but maybe should move to kern/vfs_syscalls.c
@@ -592,7 +596,24 @@ nfssvc_nfsd(nsd, argp, p)
nd->nd_procnum = NFSPROC_NOOP;
nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
cacherep = RC_DOIT;
+ } else if (nfs_privport) {
+ /* Check if source port is privileged */
+ u_short port;
+ u_long addr;
+ struct mbuf *nam = nd->nd_nam;
+ struct sockaddr_in *sin;
+
+ sin = mtod(nam, struct sockaddr_in *);
+ port = ntohs(sin->sin_port);
+ if (port >= IPPORT_RESERVED) {
+ nd->nd_procnum = NFSPROC_NOOP;
+ nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
+ cacherep = RC_DOIT;
+ printf("NFS request from unprivileged port (%s:%d)\n",
+ inet_ntoa(sin->sin_addr), port);
+ }
}
+
}
/*
diff --git a/sys/nfsclient/nfsargs.h b/sys/nfsclient/nfsargs.h
index 6aaa1da83014..dd71abe40e36 100644
--- a/sys/nfsclient/nfsargs.h
+++ b/sys/nfsclient/nfsargs.h
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs.h 8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
*/
#ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
* fs.nfs sysctl(3) identifiers
*/
#define NFS_NFSSTATS 1 /* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
#define FS_NFS_NAMES { \
{ 0, 0 }, \
{ "nfsstats", CTLTYPE_STRUCT }, \
+ { "nfsprivport", CTLTYPE_INT }, \
}
/*
diff --git a/sys/nfsclient/nfsstats.h b/sys/nfsclient/nfsstats.h
index 6aaa1da83014..dd71abe40e36 100644
--- a/sys/nfsclient/nfsstats.h
+++ b/sys/nfsclient/nfsstats.h
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs.h 8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
*/
#ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
* fs.nfs sysctl(3) identifiers
*/
#define NFS_NFSSTATS 1 /* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
#define FS_NFS_NAMES { \
{ 0, 0 }, \
{ "nfsstats", CTLTYPE_STRUCT }, \
+ { "nfsprivport", CTLTYPE_INT }, \
}
/*
diff --git a/sys/nfsserver/nfs.h b/sys/nfsserver/nfs.h
index 6aaa1da83014..dd71abe40e36 100644
--- a/sys/nfsserver/nfs.h
+++ b/sys/nfsserver/nfs.h
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs.h 8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
*/
#ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
* fs.nfs sysctl(3) identifiers
*/
#define NFS_NFSSTATS 1 /* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
#define FS_NFS_NAMES { \
{ 0, 0 }, \
{ "nfsstats", CTLTYPE_STRUCT }, \
+ { "nfsprivport", CTLTYPE_INT }, \
}
/*
diff --git a/sys/nfsserver/nfs_syscalls.c b/sys/nfsserver/nfs_syscalls.c
index 83cd64dd9c9b..396dff88d13a 100644
--- a/sys/nfsserver/nfs_syscalls.c
+++ b/sys/nfsserver/nfs_syscalls.c
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs_syscalls.c 8.5 (Berkeley) 3/30/95
- * $Id: nfs_syscalls.c,v 1.18 1997/02/22 09:42:42 peter Exp $
+ * $Id: nfs_syscalls.c,v 1.19 1997/03/22 06:53:11 bde Exp $
*/
#include <sys/param.h>
@@ -107,6 +107,10 @@ static void nfsd_rt __P((int sotype, struct nfsrv_descript *nd,
int cacherep));
static int nfssvc_addsock __P((struct file *,struct mbuf *));
static int nfssvc_nfsd __P((struct nfsd_srvargs *,caddr_t,struct proc *));
+
+static int nfs_privport = 0;
+SYSCTL_INT(_vfs_nfs, NFS_NFSPRIVPORT, nfs_privport, CTLFLAG_RW, &nfs_privport, 0, "");
+
/*
* NFS server system calls
* getfh() lives here too, but maybe should move to kern/vfs_syscalls.c
@@ -592,7 +596,24 @@ nfssvc_nfsd(nsd, argp, p)
nd->nd_procnum = NFSPROC_NOOP;
nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
cacherep = RC_DOIT;
+ } else if (nfs_privport) {
+ /* Check if source port is privileged */
+ u_short port;
+ u_long addr;
+ struct mbuf *nam = nd->nd_nam;
+ struct sockaddr_in *sin;
+
+ sin = mtod(nam, struct sockaddr_in *);
+ port = ntohs(sin->sin_port);
+ if (port >= IPPORT_RESERVED) {
+ nd->nd_procnum = NFSPROC_NOOP;
+ nd->nd_repstat = (NFSERR_AUTHERR | AUTH_TOOWEAK);
+ cacherep = RC_DOIT;
+ printf("NFS request from unprivileged port (%s:%d)\n",
+ inet_ntoa(sin->sin_addr), port);
+ }
}
+
}
/*
diff --git a/sys/nfsserver/nfsrvstats.h b/sys/nfsserver/nfsrvstats.h
index 6aaa1da83014..dd71abe40e36 100644
--- a/sys/nfsserver/nfsrvstats.h
+++ b/sys/nfsserver/nfsrvstats.h
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs.h 8.4 (Berkeley) 5/1/95
- * $Id$
+ * $Id: nfs.h,v 1.22 1997/02/22 09:42:34 peter Exp $
*/
#ifndef _NFS_NFS_H_
@@ -324,10 +324,12 @@ struct nfsstats {
* fs.nfs sysctl(3) identifiers
*/
#define NFS_NFSSTATS 1 /* struct: struct nfsstats */
+#define NFS_NFSPRIVPORT 2 /* int: prohibit nfs to resvports */
#define FS_NFS_NAMES { \
{ 0, 0 }, \
{ "nfsstats", CTLTYPE_STRUCT }, \
+ { "nfsprivport", CTLTYPE_INT }, \
}
/*
diff --git a/usr.sbin/mountd/mountd.c b/usr.sbin/mountd/mountd.c
index f09486396036..8039be821ad4 100644
--- a/usr.sbin/mountd/mountd.c
+++ b/usr.sbin/mountd/mountd.c
@@ -43,7 +43,7 @@ static char copyright[] =
#ifndef lint
/*static char sccsid[] = "@(#)mountd.c 8.15 (Berkeley) 5/1/95"; */
static const char rcsid[] =
- "$Id: mountd.c,v 1.13 1997/02/22 14:33:02 peter Exp $";
+ "$Id: mountd.c,v 1.14 1997/03/11 12:43:45 peter Exp $";
#endif /*not lint*/
#include <sys/param.h>
@@ -54,6 +54,7 @@ static const char rcsid[] =
#include <sys/stat.h>
#include <sys/syslog.h>
#include <sys/ucred.h>
+#include <sys/sysctl.h>
#include <rpc/rpc.h>
#include <rpc/pmap_clnt.h>
@@ -63,6 +64,7 @@ static const char rcsid[] =
#endif
#include <nfs/rpcv2.h>
#include <nfs/nfsproto.h>
+#include <nfs/nfs.h>
#include <ufs/ufs/ufsmount.h>
#include <msdosfs/msdosfsmount.h>
#include <isofs/cd9660/cd9660_mount.h> /* XXX need isofs in include */
@@ -255,6 +257,7 @@ main(argc, argv)
#ifdef __FreeBSD__
struct vfsconf vfc;
int error;
+ int mib[3];
error = getvfsbyname("nfs", &vfc);
if (error && vfsisloadable("nfs")) {
@@ -314,6 +317,16 @@ main(argc, argv)
fclose(pidfile);
}
}
+
+ mib[0] = CTL_VFS;
+ mib[1] = MOUNT_NFS;
+ mib[2] = NFS_NFSPRIVPORT;
+ if (sysctl(mib, 3, NULL, NULL,
+ &resvport_only, sizeof(resvport_only)) != 0) {
+ syslog(LOG_ERR, "sysctl: %m");
+ exit(1);
+ }
+
if ((udptransp = svcudp_create(RPC_ANYSOCK)) == NULL ||
(tcptransp = svctcp_create(RPC_ANYSOCK, 0, 0)) == NULL) {
syslog(LOG_ERR, "Can't create socket");