Network Storage Protocols Discussions

Top-Level slash "/" export

bscalio

We export six Qtrees under a volume on a FAS2240-4 with access restrictions based upon subnet range.

It was noted during a penetration test that one can mount, without any restrictions, the "/" share from a controller even though it is not listed in /etc/exports or via "showmount -e" on a client.

One can then go down the tree to /etc and read/write without any authorization.

Can we restrict this? Why is it being exported even though it is not listed?

bscalio

So this looks like perhaps an SVM setup, but we are running 7-mode... and this poses a security risk for us. Is there a way to disable SVM in 7-mode, or is this indeed what is being done here?

colsen

Hello,

So it looks like you're talking about the base vFiler (i.e. vfiler0) in 7-mode.  To see what the effective export policy is for the root (vol0) run the following from the CLI:

FilerName>  exportfs

and you should get something that includes:

/vol/vol0       -sec=sys,rw=xxx.xxx.xxx,root=xxx.xxx.xxx.xxx

Anyway, it sounds like access to the root is open to public.  To verify the configuration run:

FilerName>  rdfile /etc/exports

Modify the file to lock it down accordingly (i.e. have it exported to just your admin host) and then run the following:

FilerName>  exportfs -r

That should enforce the new config.  Run another exportfs to confirm.

Hope that helps,


Chris
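As an added example, not code from the thread or from NetApp: a small Python audit script that parses lines in the `/path -option,option=...` format that both `/etc/exports` and the `exportfs` output above use, flags rules whose `rw`, `ro` or `root` option carries no host list (so every host qualifies), and reports effective exports that are not backed by `/etc/exports` at all, which is the situation the original post describes. The sample export lines, the hosts and subnets in them, and the treatment of a bare path with no options as read-write to all hosts are constructed assumptions, not taken from the thread.

```python
"""Audit NetApp 7-mode style NFS export rules.

Added example, not code from the thread or from NetApp. It parses lines in
the "/path -opt,opt=..." format that /etc/exports and the exportfs command
use, flags rules that are open to every host, and reports effective exports
that are not backed by /etc/exports. All sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WORLD = "*"  # marker for "no host list given, so every host qualifies"


@dataclass
class ExportRule:
    path: str
    sec: List[str] = field(default_factory=lambda: ["sys"])
    rw: List[str] = field(default_factory=list)     # hosts/subnets with read-write access
    ro: List[str] = field(default_factory=list)     # hosts/subnets with read-only access
    root: List[str] = field(default_factory=list)   # hosts whose uid 0 is NOT squashed
    anon: Optional[str] = None                      # uid that squashed root is mapped to
    nosuid: bool = False
    other: List[str] = field(default_factory=list)  # options this script does not interpret


def parse_export_line(line: str) -> Optional[ExportRule]:
    """Parse one export line; returns None for blank or comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split(None, 1)
    rule = ExportRule(path=parts[0])
    if len(parts) == 1:
        # Assumption: a path with no options is exported read-write to all hosts.
        rule.rw = [WORLD]
        return rule
    for opt in parts[1].lstrip("-").split(","):
        key, _, val = opt.partition("=")
        hosts = val.split(":") if val else [WORLD]   # "rw" alone means every host
        if key == "sec":
            rule.sec = val.split(":") if val else rule.sec
        elif key == "rw":
            rule.rw = hosts
        elif key == "ro":
            rule.ro = hosts
        elif key == "root":
            rule.root = hosts
        elif key == "anon":
            rule.anon = val
        elif key == "nosuid":
            rule.nosuid = True
        else:
            rule.other.append(opt)
    return rule


def parse_exports(text: str) -> Dict[str, ExportRule]:
    rules = (parse_export_line(line) for line in text.splitlines())
    return {r.path: r for r in rules if r is not None}


def audit(persisted_text: str, effective_text: str) -> Dict[str, List[str]]:
    """Compare persisted (/etc/exports) rules with effective (exportfs) rules.

    Returns {path: [finding, ...]} for every effective export with a problem.
    """
    persisted = parse_exports(persisted_text)
    effective = parse_exports(effective_text)
    findings: Dict[str, List[str]] = {}

    def note(path: str, msg: str) -> None:
        findings.setdefault(path, []).append(msg)

    for path, rule in effective.items():
        if WORLD in rule.rw:
            note(path, "read-write access granted to every host")
        if WORLD in rule.ro:
            note(path, "read-only access granted to every host")
        if WORLD in rule.root:
            note(path, "root squashing disabled for every host")
        if path not in persisted:
            note(path, "effective export is not present in /etc/exports")
        elif persisted[path] != rule:
            note(path, "effective rule differs from the /etc/exports rule")
    return findings


# Constructed sample data; paths, hosts and subnets are placeholders.
SAMPLE_ETC_EXPORTS = """\
/vol/vol1/qtree1 -sec=sys,rw=10.1.1.0/24,root=10.1.1.5
/vol/vol1/qtree2 -sec=sys,rw=10.1.2.0/24,nosuid
"""
SAMPLE_EXPORTFS_OUTPUT = """\
/vol/vol1/qtree1 -sec=sys,rw=10.1.1.0/24,root=10.1.1.5
/vol/vol1/qtree2 -sec=sys,rw=10.1.2.0/24,nosuid
/vol/vol0        -sec=sys,rw,root=10.1.1.5
"""


def main() -> None:
    for path, problems in sorted(audit(SAMPLE_ETC_EXPORTS, SAMPLE_EXPORTFS_OUTPUT).items()):
        for problem in problems:
            print(f"{path}: {problem}")


if __name__ == "__main__":
    main()
```

In practice you would feed it the text of `rdfile /etc/exports` as the first argument and the text of `exportfs` as the second; any path that shows up only in the second is being exported from in-memory state rather than from the file, and any `rw`, `ro` or `root` without a host list is the open-to-everyone case the reply above describes. Run the script as-is and the constructed `/vol/vol0` line is reported on both counts.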
