2017-08-21 06:17 AM
We export six Qtrees under a volume on a FAS2240-4 with access restrictions based upon subnet range.
It was noted during a penetration test that one can mount, without any restrictions, the "/" share from a controller even though it is not listed in /etc/exports or via "showmount -e" on a client.
One can then go down the tree to /etc and read/write without any authorization.
Can we restrict this, and why is it being exported even though it is not listed?
2017-08-21 08:12 AM
So this looks like perhaps an SVM setup, but we are running 7-mode... and this poses a security risk for us. Is there a way to disable SVM in 7-mode, or is this indeed what is being done here?
2017-08-21 11:57 AM
So it looks like you're talking about the base vFiler (i.e. vfiler0) in 7-mode. To see what the effective export policy is for the root (vol0) run the following from the CLI:
and you should get something that includes:
Anyway, it sounds like access to the root is open to public. To verify the configuration run:
FilerName> rdfile /etc/exports
Modify the file to lock it down accordingly (i.e. have it exported to just your admin host) and then run the following:
FilerName> exportfs -r
That should enforce the new config. Run another exportfs to confirm.
Hope that helps,
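As an added example (not from this thread or from NetApp), here is a small Python audit of a 7-Mode style /etc/exports file that flags entries like the open root-volume export described above: an rw or root option with no host list, or anon=0. The sample file, the hardened vol0 line and the admin host address 10.10.1.5 are constructed for illustration, and the option syntax is assumed from the 7-Mode exports format.

```python
"""Audit a Data ONTAP 7-Mode style /etc/exports file for entries that
give every NFS client write or root access (e.g. an open /vol/vol0)."""

# Constructed sample file (not from the thread). The first line is the
# kind of entry the pentest found: root volume writable by any host,
# with anonymous users mapped to uid 0.
SAMPLE_EXPORTS = """\
/vol/vol0 -sec=sys,rw,anon=0,nosuid
/vol/vol0/home -sec=sys,rw,nosuid
/vol/data/q1 -sec=sys,rw=10.10.1.0/24,root=10.10.1.5,nosuid
/vol/data/q2 -sec=sys,ro,rw=10.10.2.0/24,nosuid
"""

# Hardened replacement for the root volume: rw and root only for the
# (assumed) admin host 10.10.1.5, nobody else.
HARDENED_VOL0 = "/vol/vol0 -sec=sys,rw=10.10.1.5,root=10.10.1.5,nosuid"


def parse_exports(text):
    """Return [(path, {option: value})]. Flag-style options (rw, ro,
    nosuid) get value None; list-style ones (rw=a:b) keep their string."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)           # path, then "-opt,opt,..."
        path = parts[0]
        opts = parts[1].lstrip("-") if len(parts) > 1 else ""
        options = {}
        for opt in filter(None, opts.split(",")):
            key, eq, val = opt.partition("=")
            options[key] = val if eq else None
        entries.append((path, options))
    return entries


def audit(entries):
    """Return (path, reason) pairs for exports open to every host."""
    findings = []
    for path, o in entries:
        if "rw" in o and o["rw"] is None:
            findings.append((path, "rw without host list: writable by any host"))
        if "root" in o and o["root"] is None:
            findings.append((path, "root without host list: root for any host"))
        if o.get("anon") == "0":
            findings.append((path, "anon=0: unmapped users become root"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(parse_exports(SAMPLE_EXPORTS)):
        print(f"{path}: {reason}")
```

Run it against the output of rdfile /etc/exports before and after editing; the hardened vol0 line produces no findings.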