Network Storage Protocols Discussions

Top-Level slash "/" export


We export six Qtrees under a volume on a FAS2240-4 with access restrictions based upon subnet range.


It was noted during a penetration test that one can mount, without any restrictions, the "/" share from a controller even though it is not listed in /etc/exports or via "showmount -e" on a client.


One can then go down the tree to /etc and read/write without any authorization.


Can we restrict this? Why is it being exported even though it is not listed?



So this looks like perhaps an SVM setup, but we are running 7-mode ... and this poses a security risk for us. Is there a way to disable SVM in 7-mode, or is this indeed what is being done here?




So it looks like you're talking about the base vFiler (i.e. vfiler0) in 7-mode.  To see what the effective export policy is for the root (vol0) run the following from the CLI:


FilerName>  exportfs


and you should get something that includes:


/vol/vol0       -sec=sys,,


Anyway, it sounds like access to the root is open to the public.  To verify the configuration run:


FilerName>  rdfile /etc/exports


Modify the file to lock it down accordingly (i.e. just have it exported to just your admin host) and then run the following:


FilerName>  exportfs -r


That should enforce the new config.  Run another exportfs to confirm.


Hope that helps,
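As an added example (not part of the thread and not NetApp code), the check described in the reply above can be scripted against the text returned by `rdfile /etc/exports` to list exports that any host can reach. The option layout (`rw`, `ro`, `anon`, colon-separated host lists), the defaulting rules noted in the comments, and the sample entries are assumptions made for illustration.

```python
ROOT_VOLUME = "/vol/vol0"  # root volume named in the reply above
# Constructed sample in the assumed "<path> -opt[=host:host],..." layout.
SAMPLE_EXPORTS = """\
/vol/vol0       -sec=sys,rw,anon=0,nosuid
/vol/vol0/home  -sec=sys,rw=10.1.1.0/24,nosuid
/vol/data/qt1   -sec=sys,rw=10.1.2.0/24,root=adminhost
/vol/data/qt2   -sec=sys,ro
/vol/data/qt3   -sec=sys
"""


def parse_exports(text):
    """Return [(path, {option: [hosts]})] for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if not fields:
            continue
        opts = {}
        optstr = fields[1] if len(fields) > 1 else ""
        for item in optstr.strip().lstrip("-").split(","):
            key, _, val = item.strip().partition("=")
            if key:
                opts[key] = [h for h in val.split(":") if h]
        entries.append((fields[0], opts))
    return entries


def audit(text, root_volume=ROOT_VOLUME):
    """Flag exports that any host can reach; root-volume paths rank highest."""
    findings = []
    for path, opts in parse_exports(text):
        # Assumption: rw/ro without a host list means all hosts, and an
        # entry with neither option defaults to rw for all hosts.
        if "rw" in opts and not opts["rw"] or not {"rw", "ro"} & opts.keys():
            access = "rw"
        elif "ro" in opts and not opts["ro"]:
            access = "ro"
        else:
            continue  # every access option names explicit hosts
        on_root = path in ("/", root_volume) or path.startswith(root_volume + "/")
        severity = "high" if on_root else "medium" if access == "rw" else "low"
        # Assumption: anon=0 maps client root users to uid 0 on the filer.
        findings.append((path, severity, access, opts.get("anon") == ["0"]))
    return findings

if __name__ == "__main__":
    for path, severity, access, root_equiv in audit(SAMPLE_EXPORTS):
        print(f"{severity:6} {path:16} open to all hosts ({access}), anon=0: {root_equiv}")
```

Run it again on the file contents after `exportfs -r`; an empty result means every remaining entry names explicit hosts.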


