Network and Storage Protocols
We export six Qtrees under a volume on a FAS2240-4 with access restrictions based upon subnet range.
It was noted during a penetration test that one can mount, without any restrictions the "/" share from a controller even though it is not listed in /etc/exports or via "showmount -e" on a client.
One can then go down the tree to /etc and read/write without any authorization.
Can we restrict this, why is it being exported even though it is not listed.
So this looks like perhaps a SVM setup but we are running 7-mode .... and this poses a security risk for us, is there a way to disable SVM in 7-mode or is this indeed what is being done here?
So it looks like you're talking about the base vFiler (i.e. vfiler0) in 7-mode. To see what the effective export policy is for the root (vol0) run the following from the CLI:
and you should get something that includes:
Anyway, it sounds like access to the root is open to public. To verify the configuration run:
FilerName> rdfile /etc/exports
Modify the file to lock it down accordingly (i.e. just have it exported to just your admin host) and then run the following:
FilerName> exportfs -r
That should enforce the new config. Run another exportfs to confirm.
Hope that helps,
NetApp Wins One Silver and One Bronze Stevie® Award in 2022 Stevie Awards for Sales and Customer Service
Live Chat, Watch Parties, and More!
Engage digitally throughout the sales process, from product discovery to conﬁguration, and handle all your post-purchase needs.