Installation manual

Preparing for NFS Authentication
Adding an NFS Access List
CLI Storage-Management Guide
Rule Ordering
The order of rules is very important in an access list. Whenever a client tries to access
an NFS service with an access list, the client’s IP address is compared to the rules in
the order they were entered. If the IP address matches two rules, the first rule is used
and the second rule is ignored.
For example, consider the two permit rules below. Clients in 192.168.10.x would
match the first rule, while clients outside that subnet in the same Class-B network
(192.168.x.x) would match the second rule. This would give read-only access to
clients in the Class-B network but full read-write access to clients in the smaller
Class-C subnet:
permit 192.168.10.0 255.255.255.0
permit 192.168.0.0 255.255.0.0 read-only
If the rules were reversed, clients in the Class-C subnet would match the read-only
rule before reaching the read-write rule that was intended for them.
Allowing Root Access
A new permit rule squashes root access by default. That is, if a client logs in as the
root user (sometimes called the superuser) and accesses the NFS share, the ARX
translates the client’s user ID to an anonymous ID with very low access privileges.
The client can therefore write only to files or directories with wide-open permission
settings. This is the safest strategy for a permit rule, as it prevents root users from
damaging NFS shares.
You have the option to disable root squashing in a permit rule. From gbl-nfs-acl
mode, use the root allow keywords at the end of the permit command to allow root
access:
permit ip-address mask [read-only] root allow
or
permit netgroup name [read-only] root allow
This setting permits clients with root access to change or remove any (or all) files or
directories. Whether by accident or malicious intent, this could result in loss or
corruption of client data.
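The first-match behavior under Rule Ordering and the root-squash default above can be checked offline before an access list is entered. The following Python sketch is an added example, not ARX code: it models only the "permit ip-address mask [read-only] [root allow]" form shown on this page, and the function names and the sample root-allow rule are hypothetical.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    net: ipaddress.IPv4Network
    read_only: bool
    root_allow: bool   # False means root is squashed (the default)
    text: str

def parse_rule(line: str) -> Rule:
    """Parse 'permit ip-address mask [read-only] [root allow]'."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "permit":
        raise ValueError(f"unsupported rule: {line!r}")
    # Strict parsing: raises ValueError if host bits are set in the address.
    net = ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}")
    opts = tok[3:]
    read_only = bool(opts) and opts[0] == "read-only"
    rest = opts[1:] if read_only else opts
    if rest not in ([], ["root", "allow"]):
        raise ValueError(f"unexpected keywords in: {line!r}")
    return Rule(net, read_only, rest == ["root", "allow"], line.strip())

def first_match(rules: List[Rule], client_ip: str) -> Optional[Rule]:
    """Return the first rule, in entry order, that contains client_ip."""
    ip = ipaddress.IPv4Address(client_ip)
    for rule in rules:
        if ip in rule.net:
            return rule
    return None  # no rule matched; this page does not cover that case

def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """List (earlier, later) pairs where 'later' can never be reached."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if later.net.subnet_of(earlier.net):
                found.append((earlier.text, later.text))
                break
    return found

# The two rules from the page, in the documented order and reversed.
PAGE_ORDER = [parse_rule("permit 192.168.10.0 255.255.255.0"),
              parse_rule("permit 192.168.0.0 255.255.0.0 read-only")]
REVERSED = list(reversed(PAGE_ORDER))
# Constructed sample: a single-host root-allow rule entered after the /24.
WITH_ROOT = PAGE_ORDER + [
    parse_rule("permit 192.168.10.5 255.255.255.255 root allow")]
```

Running shadowed() on a draft list before entering it shows both failure modes: in REVERSED the read-write rule is never reached, and in WITH_ROOT the root-allow rule is never reached, so root stays squashed for that host.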