iCompaas Support

Profile Applicability:
 Level 1

Description:
 Root Squash is an NFS export option that maps requests from the root user (UID 0) on client machines to an anonymous or non-privileged user on the NFS server. This prevents root users on clients from having root privileges on the NFS file share, mitigating risks of unauthorized access or privilege escalation.

Rationale:
 Enabling Root Squash reduces the risk of privilege misuse by limiting root-level access from client systems, thereby enforcing least privilege principles. It protects file share data from being modified or deleted by root users on client machines who could otherwise bypass security controls.

Impact:

• Pros:
  

  • Enhances security by restricting root privileges over NFS shares.
    

  • Prevents privilege escalation and unauthorized file system modifications.
    

• Cons:
  

  • May cause permission issues for legitimate administrative operations requiring root access on clients.
    

  • Requires proper configuration and testing to avoid disrupting workflows.
    

Default Value:
 Root Squash is typically disabled by default unless explicitly configured in the NFS server export settings.

Pre-requisites:

• Administrative access to NFS server and Azure Files NFS share configuration.
  

• Understanding of NFS export options and client requirements.
  

Remediation

Test Plan:

Using Azure Portal:

1. Navigate to the Storage Account hosting the NFS file share.
   

2. Under File Shares, select the NFS-enabled share.
   

3. Check the NFS export policy or access settings to verify if Root Squash is enabled.
   

Using Azure CLI:

1. Retrieve export policies and verify Root Squash configuration (this may require querying NFS-specific settings):

az storage file-service-properties show --account-name <storage-account-name> --query "nfsExportPolicy"

2. Confirm Root Squash is enabled or mapped correctly.

Implementation Plan

Using Azure Portal:

1. Edit the NFS export policy for the file share.
   

2. Enable Root Squash by setting root user requests to map to an anonymous or low-privilege user.
   

3. Save and apply the configuration.
   

4. Test client access to ensure appropriate permissions.
   

Using Azure CLI:

1. Update the NFS export policy to enable Root Squash:

az storage file-service-properties update --account-name <storage-account-name> --set nfsExportPolicy="[{'ruleIndex':1,'unixReadOnly':false,'allowedClients':'<client-subnet>','rootSquash':true}]"

2. Verify changes.

Backout Plan

Using Azure Portal:

1. Disable Root Squash by reverting the export policy settings.
   

2. Notify stakeholders of potential permission impacts.
   

Using Azure CLI:

1. Update the NFS export policy to disable Root Squash:

az storage file-service-properties update --account-name <storage-account-name> --set nfsExportPolicy="[{'ruleIndex':1,'unixReadOnly':false,'allowedClients':'<client-subnet>','rootSquash':false}]"

References:

• Azure Files NFS Root Squash