Archive for September, 2011

Mounting an NFS Share within a Virtual Machine

Monday, September 12th, 2011

Let’s say you run a FreeBSD server somewhere on your network and have configured it to export a directory via NFS. Everything works when you mount the share from clients running directly on hardware, but as soon as you try the same mount from an OS running inside a virtual machine on one of those same client machines, it fails.

So what’s going on here? As it turns out, FreeBSD’s mountd(8) by default honors mount requests only if they arrive from a reserved source port, i.e. a port below 1024. On a Unix client, binding a port below 1024 requires root, so a request from such a port is taken as evidence that it was issued by a privileged process on the client (the mount command running as root) rather than by an arbitrary user. That is the whole basis of the trust: the server is not authenticating the client, it is trusting the client’s kernel to have enforced the reserved-port rule.

The problem is that a guest behind the hypervisor’s NAT networking (the VirtualBox default) never appears to use a reserved port. The NAT engine is user-space code running with the privileges of whoever launched the VM, and that is normally not root (running it as root would throw away much of the isolation you run a VM for; some packages, VirtualBox among them, won’t even start as root unless explicitly forced to). An unprivileged process cannot bind a port below 1024, so by the time the guest’s mount request leaves the host it carries an ordinary ephemeral source port, 1024 or higher, and mountd rejects it.

There are two ways around this problem: run each instance of VirtualBox or VMware as root (very insecure), or tell the server to accept mount requests from non-reserved ports (a little bit insecure, since any user on a permitted client, not just root, can now talk to mountd). A third, if your hypervisor supports it, is bridged networking: the guest then gets its own address on the LAN and its own kernel picks the source port, so a mount issued as root inside the guest uses a reserved port and the server needs no change. To take the second route, simply fire up your favorite text editor and add the “insecure” flag, -n (“Do not require that clients provide a reserved port number”, per mountd(8)), to the mountd_flags argument list in /etc/rc.conf.

In a stock install the default value of mountd_flags lives in /etc/defaults/rc.conf and contains only -r; the line you add to /etc/rc.conf overrides it, so keep -r and append -n.
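The rc.conf snippet that illustrated this on the original page did not survive, so the following is an added reconstruction based on the text above, not the author’s original file. It assumes a FreeBSD 8/9-era system where mountd_flags defaults to "-r" in /etc/defaults/rc.conf; the three enable lines are the usual ones for an NFS server and may already be present in your file.

```sh
# /etc/rc.conf (reconstructed example, not the post's original file)
# Basic NFS server: rpcbind for RPC port mapping, the kernel nfsd, and mountd.
rpcbind_enable="YES"
nfs_server_enable="YES"
mountd_enable="YES"

# Default from /etc/defaults/rc.conf: "-r" only. With this, mountd rejects
# mount requests whose source port is 1024 or above.
#mountd_flags="-r"

# Weakened setting that lets an unprivileged NAT engine (e.g. VirtualBox)
# mount the export: -n tells mountd not to require a reserved source port.
# Any user on a permitted client can now talk to mountd, not just root,
# so keep the host list in /etc/exports tight.
mountd_flags="-r -n"
```

After restarting the services, ps ax | grep mountd should show the -n in mountd’s argument list. Two further checks are worth making. First, a NAT’d guest’s requests arrive at the server from the host’s IP address, not the guest’s, so the host is what /etc/exports must permit; showmount -e server run on the host confirms the export is visible. Second, the kernel NFS server has its own reserved-port check, the sysctl vfs.nfsrv.nfs_privport (vfs.nfsd.nfs_privport on the newer server), which is off by default; if someone has turned it on, mounting will still fail after the mountd change and that sysctl needs resetting too.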
Save your changes and restart rpcbind, nfsd, and mountd as root:

# /etc/rc.d/rpcbind onerestart ; /etc/rc.d/nfsd onerestart ; /etc/rc.d/mountd onerestart

Now you’re good to go!

Remember: NFS was never a security-minded protocol. It was built for speed, with security layered on top by others. The host-based whitelisting you do in /etc/exports is the baseline, and it isn’t much of one: it trusts every user on a listed client (the client simply reports the uid and gid it wants to act as), and with -n set it no longer even takes root on the client to talk to mountd. If you want more than that, there are many options to choose from, including Kerberos authentication or tunneling everything through SSH. Check Google or Chapter 14 of the FreeBSD Handbook for some good starting points.


Performing a Fresh Install/Uninstall of a FreeBSD Port

Thursday, September 8th, 2011

If you accidentally corrupt the installation or configuration of a FreeBSD port, or if you just want to wipe any old installation state away and install a fresh copy, issue the following command from the directory of the port in question:

# make && make deinstall reinstall clean

This first builds the port, then uninstalls (or “deinstalls”, as it’s oddly called in the FreeBSD world) the broken copy, installs the freshly built one, and finally removes the work directory holding the build products. It will not reset any options/flags you set during the installation procedure (assuming the port you’re installing had options to set at all): those are stored under /var/db/ports and survive a deinstall.

If you want to reset any previously specified options/flags to whatever’s used as the port’s default, issue the following command sequence:

# make rmconfig
# make && make deinstall reinstall clean

If you want to see what options are currently set or configured, issue the following command:

# make showconfig

Note: You must execute these commands as root (showconfig is the exception, since it only reads the saved options) and from the specific port directory of interest (e.g., /usr/ports/net/samba35, /usr/ports/sysutils/lsof, /usr/ports/editors/vim, etc.).