Network and Storage Protocols

Top-Level slash "/" export

bscalio
2,830 Views

We export six Qtrees under a volume on a FAS2240-4 with access restrictions based upon subnet range.

 

It was noted during a penetration test that one can mount, without any restrictions the "/" share from a controller even though it is not listed in /etc/exports or via "showmount -e" on a client.

 

One can then go down the tree to /etc and read/write without any authorization.

 

Can we restrict this, why is it being exported even though it is not listed.

2 REPLIES 2

bscalio
2,810 Views

So this looks like perhaps a SVM setup but we are running 7-mode .... and this poses a security risk for us, is there a way to disable SVM in 7-mode or is this indeed what is being done here?

colsen
2,786 Views

Hello,

 

So it looks like you're talking about the base vFiler (i.e. vfiler0) in 7-mode.  To see what the effective export policy is for the root (vol0) run the following from the CLI:

 

FilerName>  exportfs

 

and you should get something that includes:

 

/vol/vol0       -sec=sys,rw=xxx.xxx.xxx,root=xxx.xxx.xxx.xxx

 

Anyway, it sounds like access to the root is open to public.  To verify the configuration run:

 

FilerName>  rdfile /etc/exports

 

Modify the file to lock it down accordingly (i.e. just have it exported to just your admin host) and then run the following:

 

FilerName>  exportfs -r

 

That should enforce the new config.  Run another exportfs to confirm.

 

Hope that helps,


Chris

 

Public