ONTAP Discussions

Netapp ONTAP 8.3.1. NFS hardening

Jellekamma30

Hi,


We have a nice NetApp cluster with 8.3.1 running.

We have multiple vservers for NFS, iSCSI and CIFS. I am running into the following problem.

A Linux coworker of mine is able to mount all the NFS volumes on my filers within /.

We have NFS export policies enabled which allow servers in 2 VLANs access to certain mounts.

However, my coworker can mount / and see all the mounts on the filers (because he is in one of the 2 VLANs).

How can I disable this? The volumes are all mounted under namespaces under /.

So if I remove the export rights of / all the other volumes beneath / will also be unmountable?


thanks!

4 REPLIES

Jellekamma30

Do I even need an export policy on the / ?

(or a blank one)

aborzenkov

Yes, you do. Clients must be able to traverse the junction tree starting from the top (i.e. "/"), which means "/" must allow at least a read-only mount. The only way to harden it would be to restrict visibility of files/directories under "/", so that even if clients mount it, they won't be able to see its content.

Jellekamma30

Thanks for your reply!

How can I make it invisible under /?


aborzenkov

Set "/" unix-permissions to something like 0711 (of course make sure the owner is root) and create a minimal export-policy that only allows ro mount, but no rw, no root etc. Then nobody can list the content of /, but they can still explicitly enter subvolumes or mount them.
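The steps aborzenkov describes, written out as ONTAP clustershell commands as an added example (not commands from the thread); the vserver name svm1, root volume svm1_root, policy name root_ro and the two client subnets are assumed placeholders, and lines starting with # are annotations rather than commands.

```ontap
# Added example: SVM name, root volume name, policy name and subnets are placeholders.

# 1. A dedicated export policy for the SVM root volume ("/"), kept separate from
#    the policies that grant rw access to the data volumes junctioned below it.
vserver export-policy create -vserver svm1 -policyname root_ro

# 2. One rule per client VLAN: read-only mount only (rorule sys), never rw, and
#    no root-squash exemption (superuser none), so root on a client is mapped to
#    the anonymous user (65534 by default).
vserver export-policy rule create -vserver svm1 -policyname root_ro -ruleindex 1 -protocol nfs -clientmatch 10.10.10.0/24 -rorule sys -rwrule never -superuser none
vserver export-policy rule create -vserver svm1 -policyname root_ro -ruleindex 2 -protocol nfs -clientmatch 10.10.20.0/24 -rorule sys -rwrule never -superuser none

# 3. Attach the policy to the root volume and set mode 0711 owned by root, so
#    clients can traverse "/" (x bit) but cannot list it (no r bit for group/other).
volume modify -vserver svm1 -volume svm1_root -policy root_ro -unix-permissions 0711 -user root -group root

# 4. Verify on the cluster before checking from an NFS client.
volume show -vserver svm1 -volume svm1_root -fields policy,unix-permissions,user,group
vserver export-policy rule show -vserver svm1 -policyname root_ro -fields clientmatch,rorule,rwrule,superuser
```

The data volumes keep their own export policies; their junction paths under / remain resolvable, so a client that is allowed by a data volume's policy can still mount that volume directly while a listing of / itself is denied.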
