4_2 Secure Ports
By default, many NFS servers only allow connections from a port < 1024, which means that root privileges or the cap_net_bind_service capability are required in order to connect.
There are some differences between server implementations.
On modern Linux systems, the NFS server will accept requests from any port if a client uses Kerberos authentication.
It is also possible to allow connections from any port on a Linux server by enabling the insecure option on an export.
The Windows NFS server does not have this option and always accepts connections from any port.
This security feature has historic reasons.
When NFS was created, the attacker model was different from today. The port requirement was only designed to protect against malicious users on a multi-user Unix system, not against malicious/compromised machines or root accounts.
The idea behind it was that regular users are not able to run their own NFS client on a multi-user system because they cannot bind to a privileged port. They had to use the system's NFS client to communicate with NFS servers.
The system's NFS client was supposed to verify the user's identity, and the server trusted it to always attach the correct uid to NFS requests.
This means that permission checking happened on the client side.
However, the port requirement does not protect against compromised root accounts or attacker-controlled machines on the network, making it insufficient as the only protection mechanism nowadays.
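To audit a Linux server for exports where the port check has been switched off with the insecure option, the following added example (not part of the original page or its tooling) parses text in /etc/exports syntax and lists each affected path and client together with its sec= setting, so that exports relying on sys authentication stand out. The sample content, the function names, and the left-to-right option precedence are assumptions of this example.

```python
# Constructed sample in /etc/exports syntax (not from a real server).
SAMPLE_EXPORTS = """\
/srv/home   10.0.0.0/24(rw,sync,root_squash)
/srv/pub    *(ro,insecure) 10.0.0.5(rw,secure)
/srv/build  -insecure,sync build1(rw) \\
            build2(rw,secure)   # per-client option overrides the default
/srv/krb    *(rw,sec=krb5p,insecure)
"""


def logical_lines(text):
    """Strip comments and join lines continued with a trailing backslash."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.split("#", 1)[0].rstrip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
        elif line.strip():
            yield line


def accepts_any_port(options):
    """True if 'insecure' is the last of secure/insecure in the option list.
    Assumption: options apply left to right, with 'secure' as the default."""
    state = False
    for opt in options:
        if opt in ("secure", "insecure"):
            state = opt == "insecure"
    return state


def find_insecure_exports(text):
    """Return (path, client, sec) for every export with the port check off."""
    findings = []
    for line in logical_lines(text):
        path, *fields = line.split()
        defaults = []
        for field in fields:
            if field.startswith("-"):  # "-opt,opt" sets defaults for later clients
                defaults = field[1:].split(",")
                continue
            client, _, rest = field.partition("(")
            options = defaults + rest.rstrip(")").split(",")
            if accepts_any_port(options):
                # First sec= value; "sys" is assumed when none is given.
                sec = next((o[4:] for o in options if o.startswith("sec=")), "sys")
                findings.append((path, client or "*", sec))
    return findings
```

On a server, pass the contents of /etc/exports (and any files under /etc/exports.d) to find_insecure_exports and review every result whose sec value is sys.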