Roman V Shaposhnik <rvs at sun.com> writes:
> I must admit that this question originates in the context of Sun's
> Storage 7210 product, which imposes additional restrictions on the
> kind of knobs I can turn.
>
> But here's the question: suppose I have an installation where ZFS is
> the storage for user home directories. Since I need quotas, each
> directory gets to be its own filesystem. Since I also need these
> homes to be accessible remotely each FS is exported via NFS. Here's
> the question though: how do I prevent showmount -e (or a manually
> constructed EXPORT/EXPORTALL RPC request) from disclosing a list of
> users that are hosted on a particular server?

I think the best you can do is to reject mount protocol requests
coming from "high" ports (1024+) in your firewall. This means you
need root privileges (or more specific capability) on the client to
fetch the list.

Another option is to make the usernames opaque and anonymous, e.g.,
"u4233".

--
Kjetil T. Homme
Redpill Linpro AS - Changing the game
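
An added example, not part of the original message: a small audit that checks whether the second suggestion has been applied, by comparing the export list a client sees with the site's login names. The host name, paths, account lines and the `u<digits>` pattern for opaque names are constructed assumptions.

```python
import re

# Constructed sample: export list as printed by `showmount -e <server>`.
SAMPLE_SHOWMOUNT = """\
Export list for filer.example.com:
/export/home/alice   (everyone)
/export/home/bob     @10.0.0.0/24
/export/home/u4233   (everyone)
/export/scratch      (everyone)
"""

# Constructed sample: passwd(5)-format account lines for the same site.
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/root:/bin/sh
alice:x:1001:100:Alice:/export/home/alice:/bin/bash
bob:x:1002:100:Bob:/export/home/bob:/bin/bash
carol:x:1003:100:Carol:/export/home/u4233:/bin/bash
"""

# Assumption: opaque directory names follow the "u4233" style from the reply.
OPAQUE = re.compile(r"^u\d+$")


def parse_exports(text):
    """Return exported paths; header and blank lines do not start with '/'."""
    return [ln.split()[0] for ln in text.splitlines() if ln.strip().startswith("/")]


def parse_logins(passwd_text):
    """Return the set of login names from passwd-format lines."""
    return {ln.split(":")[0] for ln in passwd_text.splitlines() if ln.count(":") >= 6}


def audit(showmount_text, passwd_text):
    """Split exports into those whose last component is a login name and
    those that already use an opaque name; other exports are ignored."""
    logins = parse_logins(passwd_text)
    disclosed, opaque = [], []
    for path in parse_exports(showmount_text):
        leaf = path.rstrip("/").rsplit("/", 1)[-1]
        if leaf in logins:
            disclosed.append(path)
        elif OPAQUE.match(leaf):
            opaque.append(path)
    return disclosed, opaque


if __name__ == "__main__":
    disclosed, opaque = audit(SAMPLE_SHOWMOUNT, SAMPLE_PASSWD)
    print("exports that reveal a login name:", disclosed)
    print("exports already opaque:", opaque)
```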