ONTAP Discussions

What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

VARONISSYSTEMS
9,458 Views

Hi, 

 

As I understand that this property was DEPRECATED, but I still trying to find any information about which security check this CIFS superuser option allows to bypass? 

 

Thanks. 

1 ACCEPTED SOLUTION

AlexDawson
8,906 Views

Hi there,

 

As of ONTAP 9.4 the "vserver cifs superuser" commands are deprecated - the preferred method is to add a user to the AD Domain Admins group.

 

Per http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cifs-nfs-audit%2FGUID-8658509D-AE99-44A6-8CFB-F47D673A7127.html 

 

  • Avoid permission checks

    The user avoids checks on files and directory access.

  • Special locking privileges

    Data ONTAP allows read, write, or modify access to any file regardless of existing locks. If the FPolicy server takes byte range locks on the file, it results in immediate removal of existing locks on the file.

  • Bypass any FPolicy checks

    Access does not generate any FPolicy notifications.

View solution in original post

8 REPLIES 8

AlexDawson
9,417 Views

Hi there,

 

In order to answer your question most accurately, can you provide a reference in our documentation to the exact functionality you are asking about?

VARONISSYSTEMS
9,383 Views

Hi, 

 

I'm not sure about exact functionality. In this link, there is a description of how to give a user cifs superuser privileges. 

I'm trying to find what are privileges this all about? 

 

Thanks.

ninja
8,927 Views

Any reply to this? It would be good to know what security is bypassed by adding a super user.

AlexDawson
8,907 Views

Hi there,

 

As of ONTAP 9.4 the "vserver cifs superuser" commands are deprecated - the preferred method is to add a user to the AD Domain Admins group.

 

Per http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cifs-nfs-audit%2FGUID-8658509D-AE99-44A6-8CFB-F47D673A7127.html 

 

  • Avoid permission checks

    The user avoids checks on files and directory access.

  • Special locking privileges

    Data ONTAP allows read, write, or modify access to any file regardless of existing locks. If the FPolicy server takes byte range locks on the file, it results in immediate removal of existing locks on the file.

  • Bypass any FPolicy checks

    Access does not generate any FPolicy notifications.

VARONISSYSTEMS
8,792 Views

Great thanks, 

 

By any chance, are you know and can refer me to the documentation that states, from which version this CIFS superuser property is not supported anymore? 

AlexDawson
8,773 Views

Hi there,

 

We have marked it as deprecated in our current release of ONTAP - to ensure ongoing compatibility, new functionality should not be based around it.

VARONISSYSTEMS
8,740 Views

Hi,

Thank you a lot for your help and time. 🙂

 

 

Ok, but by any chance, you remember since which cmod version it was deprecated?

(Is it 8.3 or starting from 9.0, I do remember it was available at 8.2, probably 8.3 but I may wrong.)

 


And another question hopes you will able to answer or direct me to the relevant article... 

 

In case I comparing the local Administrators group on CIFS server defined on vserver and the superuser privileges.
What is the difference between the two? (if you have a table comparison will be good if not see example)
I'm interested in File System permission perspective.


For example:
1. I have UserA that member in the local Administrators group.
2. I have UserB that not a member of any local group but has superuser assignment.
3. I have a folder which has not direct permission or ownership for any of that users.
4. I would like to change the ACLs acting as one of those users at a time.

 

 

What will I need to do?
1. In case UserA is it, I will need first to make my self an owner and then change the permissions otherwise will get access denied?
2. In the case of UserB, the change permission will take effect without any prior action?

 

 

Best regards.

AlexDawson
8,722 Views
Public