ZFS NFS Share Configuration_

This document outlines the process of configuring an NFS share with read-only access and disabled anonymous root access on a ZFS filesystem in Oracle Solaris 11.4. It details the use of ZFS properties, specifically the share and sharenfs properties, to manage NFS sharing effectively. Verification steps are also provided to ensure the configuration meets the specified requirements for security and accessibility.

Uploaded by

Raul Rivera

Configuring NFS Share with Read-Only and Anonymous Access Control on ZFS Filesystem in Oracle Solaris 11.4


Introduction
Network File System (NFS) is a distributed file system protocol that allows users to
access files over a network in a way that is transparent to the user. Oracle Solaris 11.4
provides robust support for NFS, and its integration with the ZFS filesystem offers
flexible and efficient management of shared resources. This report details the process
of configuring an NFS share for a specific ZFS filesystem, rpool/export/share/data,
with the requirements of 'readonly' access and disabled anonymous root access
('anon=0'), utilizing ZFS properties within the Oracle Solaris 11.4 environment.

Understanding the Sharing Requirements


The user's objective is to share the ZFS filesystem rpool/export/share/data via NFS
with two specific constraints: the shared data should be accessible in a read-only
manner to all clients, and any unauthenticated user accessing the share should not be
mapped to the root user on the server. These requirements are crucial for maintaining
data integrity and enhancing the security of the shared resource. Read-only access
prevents unintended modifications to the data, while controlling anonymous access
mitigates potential privilege escalation risks.

Utilizing ZFS Properties for NFS Share Management


Oracle Solaris 11.4 leverages ZFS properties to manage various aspects of filesystem
behavior, including NFS sharing. Instead of relying on traditional configuration files like
/etc/exports, administrators can directly set properties on ZFS datasets to define how
they are shared over the network [1]. Two primary ZFS properties are involved in
configuring NFS shares with specific options: share and sharenfs [2].

Configuring NFS Share Options with the share Property


The share property in ZFS allows for fine-grained control over the parameters of a
network share, including the protocol, access permissions, and anonymous user
mapping [1]. To meet the user's requirements, the following zfs set command can be
used:

Bash
# zfs set share=name=data,prot=nfs,ro=*,anon=0 rpool/export/share/data

This command configures the desired NFS options for the rpool/export/share/data
filesystem. Let's break down each component:
● zfs set share=: This initiates the process of setting the share property for a ZFS
filesystem.
● name=data: This assigns a local name, "data," to this specific NFS share instance [1].
This name serves as an identifier for managing this particular share and can be
chosen by the administrator. Naming the share provides a reference point for
potential future modifications or when managing multiple shares on the same
filesystem.
● prot=nfs: This explicitly defines that the share configuration is intended for the
NFS protocol [1]. ZFS also supports other sharing protocols like SMB, which would
be configured using prot=smb. Specifying the protocol ensures that the
subsequent options are interpreted in the context of NFS sharing.
● ro=*: This option configures read-only access for all client hosts that attempt to
mount this share [1]. The asterisk (*) acts as a wildcard, indicating that this
restriction applies universally to any client accessing the share. This directly
addresses the 'readonly' requirement of the user query, ensuring that clients can
only view and copy data but cannot make any modifications.
● anon=0: This setting controls the mapping of anonymous users, specifically
preventing them from being mapped to the root user ID (0) on the server [3]. By
default, NFS might map anonymous requests to a non-privileged user like
'nobody'. Setting anon=0 further restricts access by ensuring that
unauthenticated users do not gain root privileges, enhancing the security posture
of the shared resource. It's worth noting that a more restrictive setting, anon=-1,
would deny access to unauthenticated users altogether [4].
● rpool/export/share/data: This specifies the target ZFS filesystem for which this
NFS share configuration is being applied. This is the specific resource that the
user intends to share over the network with the defined options.

Table 1: ZFS Properties for NFS Sharing Configuration in Oracle Solaris 11.4

| Property Name | Description | Relevant Options for This Query | Example Usage (for this query) |
|---|---|---|---|
| share | Configures detailed sharing parameters for ZFS filesystems, supporting protocols like NFS and SMB. | name, prot, ro, anon | share=name=data,prot=nfs,ro=*,anon=0 |

Enabling NFS Sharing with the sharenfs Property


While the share property configures the specific options for the NFS share, it does
not, by itself, activate the sharing [1]. To make the filesystem accessible via NFS, the
sharenfs property must be explicitly set to on for the target filesystem [1]. This acts as a
switch that enables NFS sharing for the dataset, applying the options defined in the
share property. The command to enable NFS sharing for rpool/export/share/data is:

Bash
# zfs set sharenfs=on rpool/export/share/data

It is crucial to understand that both setting the share property with the desired
options and enabling the sharenfs property are necessary steps to establish a fully
functional NFS share with specific configurations in Oracle Solaris 11.4.

Activating the NFS Share: Ensuring Availability


Once the sharenfs property is set to on, the NFS share should typically become active
and available to clients without requiring any immediate manual intervention [6]. The
system's NFS server automatically detects the change in the ZFS property and begins
advertising the share. This behavior is managed by the Service Management Facility
(SMF), which oversees system services in Oracle Solaris.

However, in certain situations, such as after the initial configuration of the NFS server
service or if changes are not immediately reflected, it might be necessary to manually
refresh the NFS server service using SMF [7]. This prompts the NFS server to re-read its
configuration and recognize the newly enabled share. The command to refresh the
NFS server service is:

Bash
# svcadm refresh nfs/server

Additionally, it's important to ensure that the NFS server service is enabled and
running. The following commands can be used to check the status and enable the
service if it's not already active:

Bash
# svcadm enable nfs/server

Bash
# svcs nfs/server

The svcs command will display the status of the nfs/server service, indicating whether
it is online and active. While the activation of NFS shares through ZFS properties is
generally automatic, understanding how to manage the NFS service via SMF is
essential for troubleshooting and ensuring the availability of the shared resource.

Verifying the NFS Share Configuration and Access


After configuring and enabling the NFS share, it is crucial to verify that the 'readonly'
and 'anon=0' options have been applied correctly. This ensures that the shared data
is protected as intended and that access controls are in place. Several methods can
be used for verification:
● Verify the sharenfs property: The zfs get command can be used to confirm that
the sharenfs property is set to on for the rpool/export/share/data filesystem [3].
Bash
# zfs get sharenfs rpool/export/share/data

The expected output should be:
rpool/export/share/data sharenfs on local

This confirms that NFS sharing is enabled at the ZFS level for the target
filesystem.
● Verify the share property and its options: The zfs get share command allows
inspection of the configured options for the NFS share [1].
Bash
# zfs get share rpool/export/share/data

The expected output should resemble:
rpool/export/share/data share
name=data,path=/rpool/export/share/data,prot=nfs,anon=0,sec=sys,ro=* local

This output confirms that the share property has been set with the specified
options: name=data, prot=nfs, ro=* (read-only for all), and anon=0 (anonymous
root access disabled). The sec=sys part indicates the default security flavor and
might vary depending on the system's configuration.
● List active NFS shares on the server: The share command (or share -F nfs for
NFS-specific shares) displays a list of currently active network shares on the
system [1].
Bash
# share -F nfs

The output should include an entry for /rpool/export/share/data with the NFS
protocol and the configured options, typically indicating read-only access (e.g.,
ro).
● Check exported shares from a client system: From a separate client machine
that should have access to the NFS share, the showmount -e command followed
by the IP address or hostname of the Oracle Solaris 11.4 server can be used to
view the exported NFS shares [5].
Bash
# showmount -e <server_ip_or_hostname>

The expected output should list /rpool/export/share/data as an exported NFS
share, confirming that the server is advertising the share to potential clients.
● Attempt to mount the share from a client: Trying to mount the NFS share on a
client system is a practical way to test the configuration. To specifically verify the
read-only access, the -o ro mount option can be used on the client [5].
Bash
# mount -F nfs -o ro <server_ip_or_hostname>:/rpool/export/share/data /mnt

A successful mount with the -o ro option confirms that the server is enforcing
read-only access. Subsequently, attempting to create or modify files within the
/mnt directory on the client should fail with permission denied errors.
● Test anonymous access: From a client, attempt to access the share as a
non-root user. Try performing operations that would typically require root
privileges on the server if anonymous root access were enabled. These
operations should be denied if anon=0 (or preferably anon=-1) is configured
correctly, validating the anonymous root access control.
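
As an added example (not part of the original report), the following POSIX shell script audits the sharenfs value and the share option string printed by the zfs get commands above against the requirements of this configuration: NFS protocol, ro=* for every client, no rw= or root= entries, and the anon mapping. It assumes share_nfs(8) semantics, where anon=uid names the UID that unknown (unauthenticated) users are mapped to, the default being nobody and -1 denying them, so it accepts anon=-1 or an unset anon and flags anon=0; the sample share strings are constructed from the expected output quoted in this section, and audit_dataset is a hypothetical wrapper that only runs on a Solaris host.

```shell
#!/bin/sh
# Added example, not from the original report: audit the ZFS `sharenfs`
# value and the `share` option string (as printed by
# `zfs get -H -o value <prop> <dataset>`) for the read-only NFS share.
# Assumption: share_nfs(8) semantics, where anon=uid is the UID that
# unknown users are mapped to (default nobody, -1 denies access).

# opt NAME SHARESTRING -> value of NAME in a comma-separated key=value
# string, empty if the key is absent.
opt() {
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# audit_share SHARENFS SHARESTRING -> prints findings and returns 0 only
# when the share is enabled, NFS, read-only for every client, grants no
# client root, and does not map unknown users to uid 0.
audit_share() {
    sharenfs=$1 opts=$2 rc=0
    [ "$sharenfs" = "on" ] || { echo "FAIL: sharenfs=$sharenfs, share is not enabled"; rc=1; }
    [ "$(opt prot "$opts")" = "nfs" ] || { echo "FAIL: prot is not nfs"; rc=1; }
    [ "$(opt ro "$opts")" = "*" ] || { echo "FAIL: ro=* missing, not read-only for all clients"; rc=1; }
    [ -z "$(opt rw "$opts")" ] || { echo "FAIL: rw= present, listed clients can write"; rc=1; }
    [ -z "$(opt root "$opts")" ] || { echo "FAIL: root= present, listed clients keep uid 0"; rc=1; }
    case "$(opt anon "$opts")" in
        "") echo "OK: anon unset, unknown users map to nobody" ;;
        -1) echo "OK: anon=-1, unknown users are denied" ;;
        0)  echo "FAIL: anon=0 maps unknown users to uid 0 (root); use anon=-1"; rc=1 ;;
        *)  echo "WARN: anon=$(opt anon "$opts"), unknown users map to that uid" ;;
    esac
    return $rc
}

# audit_dataset DATASET -> audit the live properties of a dataset (Solaris only).
audit_dataset() {
    audit_share "$(zfs get -H -o value sharenfs "$1")" \
                "$(zfs get -H -o value share "$1")"
}

# Constructed samples: the expected output quoted in this report, and the
# same share with the anon=-1 setting the report recommends.
REPORT_SHARE='name=data,path=/rpool/export/share/data,prot=nfs,anon=0,sec=sys,ro=*'
HARDENED_SHARE='name=data,path=/rpool/export/share/data,prot=nfs,anon=-1,sec=sys,ro=*'

if [ "${1:-}" = "--demo" ]; then
    echo "== report configuration"; audit_share on "$REPORT_SHARE"
    echo "== hardened configuration"; audit_share on "$HARDENED_SHARE"
fi
```

Run it with --demo to see both audits, or call audit_dataset rpool/export/share/data on the server after the share is enabled.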

Table 2: Essential Commands for Verifying the NFS Share Configuration

| Command | Purpose | Expected Outcome |
|---|---|---|
| zfs get sharenfs rpool/export/share/data | Checks if NFS sharing is enabled for the filesystem. | Output shows sharenfs on local. |
| zfs get share rpool/export/share/data | Displays the configured NFS share options. | Output shows share name=data,path=/rpool/export/share/data,prot=nfs,anon=0,sec=sys,ro=* local. |
| share -F nfs | Lists active NFS shares on the server. | Output includes /rpool/export/share/data with read-only indication. |
| showmount -e <server_ip> | Shows exported NFS shares from the server (client-side view). | Output lists /rpool/export/share/data. |
| mount -F nfs -o ro <server_ip>:/... /mnt (client) | Attempts to mount the share as read-only from a client. | Successful mount; write attempts to /mnt should fail. |

Comparison with the Rewritten Query


The configuration detailed in this report directly addresses all aspects of the rewritten
user query. The target ZFS filesystem, rpool/export/share/data, is used. NFS sharing is
enabled and configured using ZFS properties, specifically share and sharenfs.
Read-only access for all clients is configured using the ro=* option within the share
property. Anonymous root access is disabled using the anon=0 option within the
share property. Finally, the entire configuration is specific to the Oracle Solaris 11.4
operating system.

Conclusion
Configuring NFS shares with specific options like read-only access and controlled
anonymous access in Oracle Solaris 11.4 is efficiently managed through ZFS
properties. The process involves setting the desired NFS parameters using the share
property and then enabling the share using the sharenfs property for the target ZFS
filesystem. Thorough verification using server-side and client-side commands is
essential to ensure the configuration meets the intended requirements. While the
steps outlined provide a solution for the user's specific query, it is important to
consider broader security implications when managing NFS shares. For enhanced
security, using more restrictive options like anon=-1 to deny anonymous access
altogether is recommended where appropriate. Additionally, implementing
network-level security measures such as firewalls further strengthens the protection
of NFS-shared resources.

Works cited

1. Sharing and Unsharing ZFS File Systems - Oracle Solaris Administration, accessed on April 1, 2025, https://docs.oracle.com/cd/E23824_01/html/821-1448/gayne.html
2. New ZFS Sharing Syntax - Oracle Help Center, accessed on April 1, 2025, https://docs.oracle.com/en/operating-systems/solaris/oracle-solaris/11.4/manage-zfs/new-zfs-sharing-syntax.html
3. Changes to sharenfs on ZFS in Solaris 11 :: growse.com, accessed on April 1, 2025, https://www.growse.com/2012/02/11/changes-to-sharenfs-on-zfs-in-solaris-11.html
4. NFS-Specific share Options - Oracle Help Center, accessed on April 1, 2025, https://docs.oracle.com/en/operating-systems/solaris/oracle-solaris/11.4/manage-nfs/nfs-specific-share-options.html
5. Document Information - Oracle® Solaris 11.4 Network File Sharing Cheatsheet, accessed on April 1, 2025, https://docs.oracle.com/cd/E37838_01/html/E75575/index.html
6. Solaris 11 Creating NFS Exports with ZFS - YouTube, accessed on April 1, 2025, https://www.youtube.com/watch?v=liKnAoqowNA
7. Repository Management Privileges - Creating Package Repositories in Oracle® Solaris 11.4, accessed on April 1, 2025, https://docs.oracle.com/cd/E37838_01/html/E60982/gmibm.html
8. Displaying ZFS Share Information - Oracle Help Center, accessed on April 1, 2025, https://docs.oracle.com/en/operating-systems/solaris/oracle-solaris/11.4/manage-zfs/displaying-zfs-share-information.html
