Here's the deal...at least on 7-mode ONTAP (this does not work as well on C-MODE)
All normal options are visible all the time. All hidden options are hidden *until* you unhide them.
How do you unhide them? You change them from their default setting.
Let's say the option nfs.foo.bar (it is not real!) is a hidden option. If you run "options" it will not show. If you run "options nfs.foo.bar" it will show and so will its default value. If you modify the option away from the default, it will *always* show.
Not that I condone this, but you can go to the /etc directory on your filer and look (DO NOT MODIFY) at the registry file.
You can always compare stuff you find to the "options" output to see what, if anything, is hidden.
In case you were wondering:
*nfs.mount_rootonly* When enabled, the mount server will deny the request if the client is not root user using privileged ports. Valid values for this option are *on* (enabled) or *off* (disabled). The default value for this option is *on* for more secure access.
--> *usually*, not always, someone might turn this on when the filer is being mounted from a PC using PCNFS.
*nfs.nfs_rootonly* When enabled, the NFS server will reject client requests from the non-reserved ports (>=1024) except for the NULL call. Ports lower than 1024 can only be used by the root user. Valid values for this option are *on* (enabled) or *off* (disabled). The default value for this option is *off*.
--tmac
*Tim McCarthy* *Principal Consultant*
On Sun, Aug 11, 2013 at 7:26 PM, Peter D. Gray pdg@uow.edu.au wrote:
Can someone who knows tell me what's going on here?
We recently discovered a security issue with our NetApp filers when using NFS. The NetApps were allowing NFS mounts and operations from non-privileged client ports.
Investigation found the nfs.nfs_rootonly and nfs.mount_rootonly options.
nfs.mount_rootonly was true, but nfs.nfs_rootonly was false.
I was kind of surprised by this, since I had no recollection of ever altering either of these options, yet the settings were identical across all our filers. The environment is:
3170A running 8.2
3240 running 8.2
3240 running 8.1 (reverted from 8.2)
OK, so I asked another nearby site to check their filers for me and they tell me their filers have no such setting, all on 8.1.
So, I guess my questions are:
has ONTAP always allowed NFS from non-privileged ports?
was nfs.nfs_rootonly introduced in 8.2 and why is the default off?
why does this setting stay around after revert to 8.1?
It would seem to me that allowing NFS from non-privileged ports is kind of bad.
Any help appreciated.
Regards, pdg
Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters
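Added example, not part of the original thread: a small audit over captured "options" output that applies the two points made above, namely that an option missing from the listing is hidden and therefore still at its default, and that the default for nfs.nfs_rootonly is off. The one-pair-per-line output layout, the filer names and the sample captures are assumptions constructed for illustration.

```python
# Defaults as given in the option descriptions quoted in the thread.
DEFAULTS = {"nfs.mount_rootonly": "on", "nfs.nfs_rootonly": "off"}


def parse_options(text):
    """Parse captured `options` output (assumed: one 'name value' pair per line)."""
    opts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].startswith("nfs."):
            opts[fields[0]] = fields[1].lower()
    return opts


def audit(captures):
    """Map each filer to the rootonly checks that are effectively off."""
    report = {}
    for filer, text in captures.items():
        shown = parse_options(text)
        findings = []
        for name, default in DEFAULTS.items():
            # Not listed means hidden, which means still at its default.
            value = shown.get(name, default)
            if value != "on":
                source = "listed" if name in shown else "hidden, default"
                findings.append((name, value, source))
        report[filer] = findings
    return report


# Constructed sample captures; filer names are hypothetical.
SAMPLE = {
    "filer-a": "nfs.mount_rootonly           on\nnfs.nfs_rootonly             off\n",
    "filer-b": "nfs.mount_rootonly           on\nnfs.tcp.enable               on\n",
    "filer-c": "nfs.mount_rootonly           on\nnfs.nfs_rootonly             on\n",
}

if __name__ == "__main__":
    for filer, findings in audit(SAMPLE).items():
        for name, value, source in findings:
            print(f"{filer}: {name} is {value} ({source}); "
                  "non-reserved client ports accepted")
        if not findings:
            print(f"{filer}: both rootonly checks enabled")
```

A filer whose listing does not mention nfs.nfs_rootonly at all (filer-b here) is reported the same way as one that lists it as off, since absence from the listing only means the value was never changed.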