(If you ask me, I’ll deny writing these things down to remember them later, but it’s the real reason behind this. I searched in Google for an extended answer, but couldn’t find it.)
I’m running 10.4.7 (other releases may be different) and I very rarely use NFS, so I don’t see any real reason to have stuff I don’t use running on my machine – moreover, with listening ports. Yes, I know ipfw blocks them, but I prefer them closed.
Short and slightly wrong answer: change
NFSLOCKS=-AUTOMATIC-
RPCSERVER=-AUTOMATIC-
to
NFSLOCKS=-NO-
RPCSERVER=-NO-
in /etc/hostconfig. This will get rid of rpc.statd, rpc.lockd, and portmapper on boot, but leaves you with many other things running (nfsd-server, mountd, nfsiod). I assume that you have already got rid of the automounter by setting
AUTOMOUNT=-NO-
in the usual place.
Boring answer: I was hoping that I could add/modify another variable to hostconfig to disable NFS completely. If it exists, I couldn’t figure it out.
Let’s see how the system initializes NFS: [my comments between brackets]
roadrunner:/System/Library/StartupItems/NFS root# sh -x ./NFS start
+ . /etc/rc.common
[ sources common functions and variables ]
++ set -u
++ PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/libexec:/System/Library/CoreServices
++ export PATH
++ . /etc/hostconfig
[ reads system configuration, things like: ]
+++ HOSTNAME=-AUTOMATIC-
[ and so on. then it starts ]
+ AUTOMOUNTDIR=/private/var/automount
+ RunService start
+ StartService
+ CheckForNetwork
+ local test
+ '[' -z '' ']'
++ ifconfig -a inet
++ sed -n -e /127.0.0.1/d -e /0.0.0.0/d -e /inet/p
++ wc -l
+ test= 1
+ '[' ' 1' -gt 0 ']'
+ NETWORKUP=-YES-
+ '[' -YES- = -NO- ']'
+ lockfile -r 0 /var/run/NFS.StartupItem
[ file locking is to prevent starting up multiple instances, I suppose ]
+ echo 'Starting network file system'
Starting network file system
+ '[' -d /private/var/automount ']'
+ nfsiod -n 4
++ niutil -list . /exports
[ asks NetInfo about the exported file systems… ]
++ wc -w
+ exports_ni= 2
++ grep -v '^[[:space:]]*\(#\|$\)' /etc/exports
[ … and looks for the good ol’ file too! … ]
++ wc -l
+ exports_etc= 0
+ exports=2
+ '[' 2 -gt 0 ']'
+ '[' -AUTOMATIC- = -AUTOMATIC- ']'
+ NFSLOCKS=-YES-
+ '[' -YES- = -YES- ']'
+ rpc.statd
+ rpc.lockd
+ '[' -YES- = -AUTOMATIC- ']'
+ rm -f /var/db/mountdtab
+ '[' 2 -gt 0 ']'
+ echo 'Starting Network File System server'
Starting Network File System server
+ mountd
++ niutil -readprop . /config/nfsd arguments
niutil: can't open directory /config/nfsd: No such directory
+ arguments=
+ '[' '' = '' ']'
+ arguments=-t -u -n 6
+ nfsd -t -u -n 6
+ '[' -NO- = -YES- ']'
+ touch /var/run/automount.initialized
As you can see, I couldn’t find any hostconfig variables to prevent all the daemons from starting. Moreover, hoping to stop everything using the “stop” argument yields no results: it runs StopService(), which is
StopService ()
{
return 0
}
quite useful, isn’t it? :)
I have decided on the simplest (to me) solution. Add a
return 0
at the very beginning of StartService(). This will make the script exit as soon as possible without affecting anything else. The con is that you’ll lose that change when you upgrade if Apple decides to modify the script. But you can always post the how and where on your blog and recover it at the right moment. :)
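Since an upgrade can silently undo both edits, here is a small audit script for re-checking them afterwards. It is an added example, not part of the original post or of Apple's scripts; the function names are hypothetical, and the default script path /System/Library/StartupItems/NFS/NFS is taken from the trace above.

```shell
#!/bin/sh
# Added example: audit the two files the post edits. Paths are arguments so
# the checks can also be run against copies of the files.

# Print each hostconfig variable named in the post that is not set to -NO-.
# A missing variable is reported too (assumption: treat unset as not disabled).
hostconfig_findings() {
    conf=$1
    for var in NFSLOCKS RPCSERVER AUTOMOUNT; do
        # Last assignment wins, as it would when the file is sourced.
        val=$(sed -n "s/^[[:space:]]*$var=//p" "$conf" | tail -n 1)
        [ "$val" = "-NO-" ] || echo "$var=${val:-<unset>}"
    done
}

# Succeed only if the first statement inside StartService() is "return 0".
startservice_disabled() {
    script=$1
    first=$(awk '
        /^[ \t]*StartService[ \t]*\(\)/ { infn = 1; next }
        infn && /^[ \t]*([{]|#.*)?[ \t]*$/ { next }   # brace, blank, comment
        infn { print; exit }
    ' "$script" | sed 's/^[[:space:]]*//; s/[[:space:]]*;*[[:space:]]*$//')
    [ "$first" = "return 0" ]
}

# Combined check: returns 0 when nothing would start NFS at boot.
audit_nfs_startup() {
    conf=${1:-/etc/hostconfig}
    script=${2:-/System/Library/StartupItems/NFS/NFS}
    status=0
    findings=$(hostconfig_findings "$conf")
    if [ -n "$findings" ]; then
        echo "hostconfig still enables:"; echo "$findings"; status=1
    fi
    if ! startservice_disabled "$script"; then
        echo "StartService() in $script does not begin with 'return 0'"
        status=1
    fi
    return $status
}
```

Source the file and call audit_nfs_startup with no arguments to check the live paths; a non-zero return means one of the two changes is missing.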
If you’re trying to harden your OS X machine, have a look at Bastille, which, it seems, runs (sort of) on Macs too.