Closed vitmaubra closed 1 year ago
Libnfs tries to bind the client port to a system port, if possible, exactly for the reason that the default configuration on many servers does not allow incoming connections from a non-system port.
On linux, it just means that as a non-root user you need to set the proper capabilities to allow the binary to bind to system ports:
When running as root, libnfs tries to allocate a system port for its connection to the NFS server. When running as non-root it will use a normal ephemeral port. Many NFS servers default to a mode where they do not allow non-system ports from connecting. These servers require you use the "insecure" export option in /etc/exports in order to allow libnfs clients to be able to connect.
On Linux we can get around this restriction by setting the NET_BIND_SERVICE capability for the application binary.
This is set up by running sudo setcap 'cap_net_bind_service=+ep' /path/to/executable. This capability allows the binary to use system ports like this even when not running as root. Thus if you set this capability for your application you no longer need to edit the export on the NFS server to set "insecure".
Normal client applications do not care which port they use, so they skip the "bind clientside port" step of setting up a TCP session and accept whatever random port the system allocates to them. But clients CAN request to bind to a specific port if they want to.
Libnfs does this. It will try to bind to a handful of different system ports. This will work if either the application is running as root OR if the application has been granted the capability to use system ports. On Linux I have documented how to do so. You can also do this on OSX, BSD, Windows, etc. but I do not know how. If libnfs cannot bind to a system port it will fall back to the mode where it uses "just give me whatever port" the system will allocate to it.
Closing as answered.
Here is where libnfs tries to bind to a system port during session establishment: https://github.com/sahlberg/libnfs/blob/dae4ed844a817bcdd7d308b731cbad90e2ff0161/lib/socket.c#L719
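The bind-then-fall-back behaviour described above, as an added example in plain BSD sockets code (it is not libnfs's own socket.c, only a sketch of the same strategy). It assumes IPv4, a window of candidate ports 1001-1023, and the Linux default that ports below 1024 need root or CAP_NET_BIND_SERVICE (net.ipv4.ip_unprivileged_port_start), so the self-check accepts either outcome as long as the kernel's view matches what the bind step reported.

```c
/* Added example, not libnfs code: the client-side "try a reserved source
 * port, else fall back to an ephemeral one" strategy from the thread.
 * Assumptions: IPv4, candidate ports 1001-1023, Linux's default rule that
 * ports below 1024 need root or CAP_NET_BIND_SERVICE. */
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind fd to a reserved source port. Returns the port bound, 0 if every
 * candidate was refused with EACCES (no privilege) or EADDRINUSE (taken),
 * in which case the caller simply lets the kernel pick an ephemeral port
 * at connect() time, or -1 on any other error (e.g. a bad descriptor). */
int bind_reserved_port(int fd)
{
    struct sockaddr_in sin;
    for (int port = 1023; port > 1000; port--) {
        memset(&sin, 0, sizeof(sin));
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = htonl(INADDR_ANY);
        sin.sin_port = htons((uint16_t)port);
        if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) == 0)
            return port;
        if (errno != EACCES && errno != EADDRINUSE)
            return -1;
    }
    return 0;
}

/* Run the strategy on a fresh TCP socket and cross-check it with
 * getsockname(): an unprivileged process normally ends up with port 0
 * (nothing bound yet), root or a CAP_NET_BIND_SERVICE holder with the
 * reserved port. Returns 1 when the kernel's view agrees with the result. */
int reserved_port_self_check(void)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return 0;
    int port = bind_reserved_port(fd);
    int ok = port >= 0
             && getsockname(fd, (struct sockaddr *)&sin, &len) == 0
             && ntohs(sin.sin_port) == (uint16_t)port
             && (port == 0 || (port > 1000 && port < 1024));
    /* A real client would connect() to the NFS server here. */
    close(fd);
    return ok;
}
```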
Thank you for your answer, Ronnie. Things are way clearer now. So, if I understood you correctly, libnfs by default will first try to use the standard NFS ports even when run as non-root. If that is so, I would suggest a slight modification to your readme file: "When running as non-root it (libnfs) will use a normal ephemeral port after trying and failing to use a system port". It's nothing fundamental, but I think things would be clearer this way.
My problem specifically (but I don't think anymore that changing libnfs's code is the way to fix it) is that there is no insecure flag on OpenBSD (my server) and there is no way to make any modifications that require root access on the Fire OS that runs on Fire TV Stick (my client). So I basically cannot mount my NFS share through VLC or Kodi running on my Fire TV Stick.
Best and thank you for your work, Vitor
Ah, Fire TV. That is based on Android. As far as I know Android is the only platform today that does not allow non-root users to bind to system ports (or provides a mechanism to allow it, like NET_BIND_SYSTEM). :-(
It has been requested many times that Android fixes this but they don't seem to care much about it. https://issuetracker.google.com/issues/36909525
One option would be to add "insecure" to the BSD kernel server. Or just remove the check for client port outright. It is really just going to be something like : if (port < 2048 && uid != 0) return -EPERM and just remove it.
Thank you for the tips, Ronnie. I'll try what you suggested on OpenBSD, as the issue with Android doesn't seem to be high on Google's list of priorities. By the way: happy new year!
I've seen people saying that libnfs can't use standard NFS ports under all circumstances because those ports are privileged and only processes run as root can use privileged ports. As it should be possible to run libnfs as a non-root process sometimes, it must use non-privileged ports when run in this way.
I don't find that argument sound though. The general rule is that only root processes can bind privileged ports. However, as libnfs is an NFS client library, it doesn't bind any port, right? In other words, as libnfs only makes outbound connections, it should be able to use the standard NFS ports without any problems even when run as non-root.
Are there other reasons for libnfs to use non-privileged ports when run as a non-root process?