Network and Storage Protocols

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Network and Storage Protocols

Ask a Question

Top-Level slash "/" export

bscalio
‎2017-08-21 06:17 AM
3,156 Views

We export six Qtrees under a volume on a FAS2240-4 with access restrictions based upon subnet range.

 

It was noted during a penetration test that one can mount, without any restrictions the "/" share from a controller even though it is not listed in /etc/exports or via "showmount -e" on a client.

 

One can then go down the tree to /etc and read/write without any authorization.

 

Can we restrict this, why is it being exported even though it is not listed.

0 Kudos
View By:
2 REPLIES 2

bscalio
‎2017-08-21 08:12 AM
3,136 Views

So this looks like perhaps a SVM setup but we are running 7-mode .... and this poses a security risk for us, is there a way to disable SVM in 7-mode or is this indeed what is being done here?

0 Kudos

colsen
NetApp A-Team
‎2017-08-21 11:57 AM
3,112 Views

Hello,

 

So it looks like you're talking about the base vFiler (i.e. vfiler0) in 7-mode.  To see what the effective export policy is for the root (vol0) run the following from the CLI:

 

FilerName>  exportfs

 

and you should get something that includes:

 

/vol/vol0       -sec=sys,rw=xxx.xxx.xxx,root=xxx.xxx.xxx.xxx

 

Anyway, it sounds like access to the root is open to public.  To verify the configuration run:

 

FilerName>  rdfile /etc/exports

 

Modify the file to lock it down accordingly (i.e. just have it exported to just your admin host) and then run the following:

 

FilerName>  exportfs -r

 

That should enforce the new config.  Run another exportfs to confirm.

 

Hope that helps,


Chris

 

All Community Forums
Public