Rick Macklem a70ee81756 Modify /etc/rc.d/nfsd so it doesn't force a startup of nfsuserd for NFSv4.
Given that RFC7530 allows uid/gids to be placed in owner/owner_group
strings directly, many NFSv4 environments don't need the nfsuserd.
This small patch modifies /etc/rc.d/nfsd so that it does not force
startup of the nfsuserd daemon unless nfs_server_managegids is enabled.
This implies that nfsuserd_enable="YES" must be added to /etc/rc.conf
for NFSv4 server environments that use Kerberos mounts or clients that
do not support the uid/gid in string capability.
Since this could be considered a POLA violation, it will not be MFC'd.

Discussed on:	freebsd-current
2017-07-28 21:07:57 +00:00


#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: nfsd
# REQUIRE: mountd hostname gssd nfsuserd
# KEYWORD: nojail shutdown
# Pull in the rc(8) framework helpers used below (load_rc_config,
# checkyesno, load_kld, force_depend, err, run_rc_command).
. /etc/rc.subr

name="nfsd"
desc="Remote NFS server"
# nfs_server_enable="YES" in rc.conf turns this service on.
rcvar="nfs_server_enable"
command="/usr/sbin/$name"

load_rc_config "$name"

# Assigned after load_rc_config, so these are fixed by the script and
# presumably not meant to be overridden from rc.conf.
start_precmd="nfsd_precmd"
# nfsd is stopped with SIGUSR1 instead of the rc.subr default signal.
sig_stop="USR1"
nfsd_precmd()
{
	# Pre-start hook for nfsd: pick up the server flags from rc.conf,
	# make sure the kernel module is present, then program the vfs.nfsd
	# knobs before the daemon itself is launched.
	local _privport _maxvers

	rc_flags="${nfs_server_flags}"

	# The vfs.nfsd sysctl oids only exist once the module is loaded.
	load_kld nfsd

	# nfs_reserved_port_only: only honour requests arriving from a
	# privileged source port (nfs_privport=1); otherwise explicitly
	# clear the knob so a stale value does not survive a restart.
	# Note: the sysctl exit status is not checked, so a failure here is
	# only visible on stderr and does not abort the start.
	if checkyesno nfs_reserved_port_only; then
		echo 'NFS on reserved port only=YES'
		_privport=1
	else
		_privport=0
	fi
	sysctl vfs.nfsd.nfs_privport=${_privport} > /dev/null

	# nfsuserd is only forced up when the server manages group lists.
	# Per the commit message, NFSv4 setups that still need it (Kerberos
	# mounts, clients without numeric-id owner strings) must enable it
	# in rc.conf themselves. A missing dependency here is fatal (err
	# exits), unlike the rpcbind/mountd checks at the end, which only
	# fail the precmd.
	if checkyesno nfs_server_managegids; then
		force_depend nfsuserd || err 1 "Cannot run nfsuserd"
	fi

	# Cap the served protocol version: 4 when NFSv4 is enabled, else 3.
	if checkyesno nfsv4_server_enable; then
		_maxvers=4
	else
		echo 'NFSv4 is disabled'
		_maxvers=3
	fi
	sysctl vfs.nfsd.server_max_nfsvers=${_maxvers} > /dev/null

	# Both must be running for nfsd to be reachable; a non-zero return
	# from the precmd makes run_rc_command skip the start.
	force_depend rpcbind || return 1
	force_depend mountd || return 1
}
# Dispatch the requested action (start/stop/status/...) via rc.subr,
# which invokes nfsd_precmd before starting ${command}.
run_rc_command "${1}"