Network Storage Protocols Discussions

Top-Level slash "/" export


We export six Qtrees under a volume on a FAS2240-4 with access restrictions based upon subnet range.


It was noted during a penetration test that one can mount, without any restrictions, the "/" share from a controller even though it is not listed in /etc/exports or via "showmount -e" on a client.


One can then go down the tree to /etc and read/write without any authorization.


Can we restrict this? Why is it being exported even though it is not listed?


Re: Top-Level slash "/" export


So this looks like perhaps an SVM setup, but we are running 7-mode ... and this poses a security risk for us. Is there a way to disable SVM in 7-mode, or is this indeed what is being done here?

Re: Top-Level slash "/" export




So it looks like you're talking about the base vFiler (i.e. vfiler0) in 7-mode.  To see what the effective export policy is for the root (vol0) run the following from the CLI:


FilerName>  exportfs


and you should get something that includes:


/vol/vol0       -sec=sys,,


Anyway, it sounds like access to the root is open to the public.  To verify the configuration, run:


FilerName>  rdfile /etc/exports


Modify the file to lock it down accordingly (i.e. just have it exported to just your admin host) and then run the following:


FilerName>  exportfs -r


That should enforce the new config.  Run another exportfs to confirm.


Hope that helps,
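
An added example, not part of the original thread and not NetApp tooling: a small Python check that reads pasted `rdfile /etc/exports` output and flags exports that any host can reach. The sample lines, paths and addresses are constructed, and the check assumes one `sec=` clause per line and that an export with no `ro`/`rw` option is read-write for all hosts.

```python
# Constructed sample of `rdfile /etc/exports` output; paths and hosts are made up.
SAMPLE_EXPORTS = """\
#Auto-generated by setup
/vol/vol0       -sec=sys,rw,anon=0,nosuid
/vol/vol0/home  -sec=sys,rw=192.0.2.10,root=192.0.2.10,nosuid
/vol/data/qt1   -sec=sys,rw=10.1.2.0/24
/vol/data/qt2   -sec=sys,ro
/vol/data/qt3   -sec=krb5
"""

def parse_exports(text):
    """Yield (path, [(name, value_or_None), ...]) for each export line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("/"):
            continue  # blank lines, comments, echoed CLI prompts
        fields = line.split(None, 1)
        optstr = fields[1].lstrip("-") if len(fields) > 1 else ""
        opts = []
        # Host lists use ':' as separator, so ',' only separates options.
        for item in filter(None, (o.strip() for o in optstr.split(","))):
            name, sep, value = item.partition("=")
            opts.append((name, value if sep else None))
        yield fields[0], opts

def audit(text):
    """Return (path, finding) pairs for exports reachable by any host."""
    findings = []
    for path, opts in parse_exports(text):
        names = {name for name, _ in opts}
        open_to_all = False
        for name, value in opts:
            if name in ("rw", "ro") and value is None:
                findings.append((path, f"bare '{name}': granted to all hosts"))
                open_to_all = True
        if not names & {"rw", "ro"}:
            # Assumption: with no ro/rw option the export is rw for all hosts.
            findings.append((path, "no ro/rw option: defaults to rw for all hosts"))
            open_to_all = True
        if open_to_all and ("anon", "0") in opts:
            findings.append((path, "anon=0 on an open export: client root stays root"))
    return findings

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_EXPORTS):
        print(f"{path}: {finding}")
```

Run it again on the output captured after `exportfs -r`; an empty result means every listed export names its hosts explicitly.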


