Here's the deal...at least on 7-mode ONTAP
(this does not work as well on C-MODE)

All normal options are visible all the time.
All hidden options are hidden *until* you unhide them.

How do you unhide them? You change them from their default setting.

Let's say the option nfs.foo.bar (it is not real!) is a hidden option.
If you run "options" it will not show.
If you run "options nfs.foo.bar" it will show and so will its default value.
If you modify the option away from the default, it will *always* show.

Not that I condone this, but you can go to the /etc directory on your filer
and look (DO NOT MODIFY) at the registry file.

You can always compare stuff you find to the "options" output to see
what, if anything, is hidden.

In case you were wondering:

nfs.mount_rootonly
When enabled, the mount server will deny the request if the client is not root user using privileged ports. Valid values for this option are on (enabled) or off (disabled). The default value for this option is on for more secure access.

--> *usually*, not always, someone might turn this on when the filer is being mounted from a PC using PCNFS.

nfs.nfs_rootonly
When enabled, the NFS server will reject client requests from the non-reserved ports (>=1024) except for the NULL call. Ports lower than 1024 can only be used by the root user. Valid values for this option are on (enabled) or off (disabled). The default value for this option is off.

--tmac

Tim McCarthy
Principal Consultant

          




On Sun, Aug 11, 2013 at 7:26 PM, Peter D. Gray <pdg@uow.edu.au> wrote:
Can someone who knows tell me what's going on here?

We recently discovered a security issue with our netapp
filers when using NFS. The netapps were allowing
NFS mounts and operations from non-privileged client ports.

Investigation found the nfs.nfs_rootonly and
nfs.mount_rootonly options.

nfs.mount_rootonly was true, but nfs.nfs_rootonly was false.

I was kind of surprised by this, since I had no recollection
of ever altering either of these options yet the settings were identical
across all our filers. The environment is:

3170A running 8.2
3240 running 8.2
3240 running 8.1 (reverted from 8.2)

Ok, so I asked another nearby site to check their filers for me
and they tell me their filers have no such setting, all on 8.1.

So, I guess my questions are:

1) has ONTAP always allowed NFS from non-privileged ports?

2) was nfs.nfs_rootonly introduced in 8.2 and why is the default off?

3) why does this setting stay around after revert to 8.1?

It would seem to me that allowing NFS from non-privileged ports
is kind of bad.

Any help appreciated.

Regards,
pdg

_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
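
Added example, not part of the original thread: a small audit over saved 7-mode `options nfs` output that flags filers where either port-restriction option is not `on`, and treats an option missing from the listing as hidden at the default given in the reply above. The filer names and captures are constructed, and the one "name value" pair per line layout and the missing-means-default rule are assumptions.

```python
import re

# Defaults as stated in the reply above; "on" is the restrictive value for both.
PAGE_DEFAULTS = {"nfs.mount_rootonly": "on", "nfs.nfs_rootonly": "off"}

# Constructed sample captures of `options nfs` output (hypothetical filers).
SAMPLE_CAPTURES = {
    "filer-a": "nfs.mount_rootonly           on\n"
               "nfs.nfs_rootonly             on\n"
               "nfs.tcp.enable               on\n",
    # nfs.nfs_rootonly is not listed here: assumed hidden, so still at default.
    "filer-b": "nfs.mount_rootonly           on\n"
               "nfs.tcp.enable               on\n",
    "filer-c": "nfs.mount_rootonly           off\n"
               "nfs.nfs_rootonly             on\n",
}


def parse_options(text):
    """Return {option: value} from lines of the form 'name   value'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.]+)\s+(\S+)", line)
        if m:
            opts[m.group(1)] = m.group(2).lower()
    return opts


def audit(captures):
    """Return (filer, option, effective value, source) for every non-'on' setting."""
    findings = []
    for filer, text in sorted(captures.items()):
        listed = parse_options(text)
        for opt, default in PAGE_DEFAULTS.items():
            if opt in listed:
                value, source = listed[opt], "listed"
            else:
                # A hidden option only appears once changed from its default.
                value, source = default, "not listed, assumed default"
            if value != "on":
                findings.append((filer, opt, value, source))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURES):
        print("%s: %s = %s (%s)" % finding)
```

An "assumed default" finding is best confirmed by querying the option by name on the filer, since an option can also be absent because the release does not have it.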