topic Re: Are there any concerns to use "-rorule any, -rwrule any, -superuser none"? in ONTAP Discussions

Are there any concerns to use "-rorule any, -rwrule any, -superuser none"?

netappmagic — Wed, 04 Jun 2025 10:54:51 GMT

Based on https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_create_a_root_squash_export_policy_rule_in_ONTAP,

filer::> vserver export-policy rule create -vserver sv1 -policyname default -clientmatch 192.168.0.0/24 -rorule any -rwrule any -superuser none -anon 65534
filer::> vserver export-policy rule show -vserver sv1 -policyname default -ruleindex 8 -instance

Vserver: sv1
Policy Name: default
Rule Index: 8
Access Protocol: any
List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 192.168.0.0/24
RO Access Rule: any
RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534 <<<<
Superuser Security Types: none <<<<
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true

I have two questions:

Basically, this is "root_squash" option. Is this a recommended export policy/configurations?

Any concerns?

2)
Is there any way to assign a specified user (not root) to have "root" type of access to a NFS file system under NFSv3? How?

Re: Are there any concerns to use "-rorule any, -rwrule any, -superuser none"?

TMACMD — Fri, 04 Sep 2020 00:23:02 GMT

You may want to peruse this wonder Tech Report by @parisi

https://www.netapp.com/us/media/tr-4067.pdf

Re: Are there any concerns to use "-rorule any, -rwrule any, -superuser none"?

netappmagic — Fri, 04 Sep 2020 10:07:05 GMT

Following Example on page 117 of this document https://www.netapp.com/us/media/tr-4067.pdf,

I am not able to touch any files on this NFS file system. Please find the screenshot on errors, and also the Example on page 117 excerpted below. Could you please point out what went wrong?

On my local Linux server, 65534 is corresponding to "nfsnobody" in /etc/passwd file. Could it be the cause, if yes, why could it be the cause?

Re: Are there any concerns to use "-rorule any, -rwrule any, -superuser none"?

netappmagic — Sun, 06 Sep 2020 00:12:02 GMT

I have done same steps as instructed in page 117, however, I (either as root or an user) could not "touch" any files or do anything on the mounted NFS file system, got "permission denied" error.

Can experts here please help me out ?

Re: Are there any concerns to use "-rorule any, -rwrule any, -superuser none"?

netappmagic — Sun, 06 Sep 2020 01:12:44 GMT

by setting the permission to 777 on the volume, I got both Example 1 and Example 2 work on page 117. Please ignore my last two messages above. Sorry for confusing.

However, I don't quite understand what we are trying to do here. Here, "root" is squashed to nfsnobody (65534). But, what if I also want to have the "root" to do what "root" is supposed to do on this NFS file system.

What am I missing ?

Re: Are there any concerns to use "-rorule any, -rwrule any, -superuser none"?

netappmagic — Thu, 15 Oct 2020 15:00:46 GMT

I had to set unix-permission to 777 on NetApp side, in order to touch a file with ownership of "nfsnobody nogroup", otherwise, it won't allow me to touch and got "permission denied".

Can somebody please confirm , do I have to set to 777? if yes, then anybody can do anything but root, that sounds not good.