Skip to main content
NetApp Knowledge Base

How to limit NFS access to the SVM root volume

Views:
2,049
Visibility:
Public
Votes:
2
Category:
fas-systems
Specialty:
nas
Last Updated:

Applies to

ONTAP 9

Description

  • By default, when an SVM is created, the root volume is configured with 755 permissions.
  • This means that:
    • The user root (0) has effective permissions of 7, or Full Control.
    • The Group and Others permission levels are set to 5, which is Read & Execute.
  • When this is configured, everyone who accesses the SVM root volume can list and read junctions mounted below the SVM root volume.
  • In addition, the default export policy rule that is created when an SVM is configured using System Manager or vserver setup commands permits user access to the SVM root. 
Example:

cluster::> vserver export-policy rule show -vserver nfs_svm -policyname default -instance
 
                                    Vserver: nfs_svm 
                                Policy Name: default 
                                 Rule Index: 1 
                            Access Protocol: any 
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0 
                             RO Access Rule: any 
                             RW Access Rule: any 
User ID To Which Anonymous Users Are Mapped: 65534 
                   Superuser Security Types: none 
               Honor SetUID Bits in SETATTR: true 
                  Allow Creation of Devices: true 

  • For example, if an SVM has 3 data volumes named "nfs4", "ntfs", and "unix"
  • All would be mounted under "/" and can be listed with the ls command by any user accessing the mount. 

Example:

# mount | grep /mnt 
x.x.x.e:/ on /mnt type nfs (rw,nfsvers=3,addr=x.x.x.e) 
# cd /mnt 
# ls 
nfs4  ntfs  unix 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.