How to limit NFS access to the SVM root volume
Applies to
ONTAP 9
Description
- By default, when an SVM is created, the root volume is configured with
755permissions. - This means that:
- The user root (0) has effective permissions of
7, orFull Control. - The Group and Others permission levels are set to
5, which isRead & Execute.
- The user root (0) has effective permissions of
- When this is configured, everyone who accesses the SVM root volume can list and read junctions mounted below the SVM root volume.
- In addition, the default export policy rule that is created when an SVM is configured using System Manager or
vserver setupcommands permits user access to the SVM root.
cluster::> vserver export-policy rule show -vserver nfs_svm -policyname default -instance
Vserver: nfs_svm
Policy Name: default
Rule Index: 1
Access Protocol: any
Client Match Hostname, IP Address, Netgroup, or Domain: 0.0.0.0/0
RO Access Rule: any
RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Types: none
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true
- For example, if an SVM has 3 data volumes named "nfs4", "ntfs", and "unix"
- All would be mounted under "/" and can be listed with the
lscommand by any user accessing the mount.
Example:
# mount | grep /mnt
x.x.x.e:/ on /mnt type nfs (rw,nfsvers=3,addr=x.x.x.e)
# cd /mnt
# ls
nfs4 ntfs unix