Delegating ZFS Permissions
You can use the zfs allow command to grant permissions on ZFS datasets to
non-root users in the following ways:
Individual permissions can be granted to a user, group, or everyone.
Groups of individual permissions can be granted as a permission set to a user, group, or everyone.
Permissions can be granted either locally, which is to the current dataset only, or granted to all descendents of the current dataset.
The following table describes the operations that can be delegated and any dependent
permissions that are required to do the delegated operations.
Permission (Subcommand) | Description | Dependencies
allow | The ability to grant permissions that you have to another user. | Must also have the permission that is being allowed.
clone | The ability to clone any of the dataset's snapshots. | Must also have the create ability and the mount ability in the origin file system.
create | The ability to create descendent datasets. | Must also have the mount ability.
destroy | The ability to destroy a dataset. | Must also have the mount ability.
mount | The ability to mount and unmount a dataset and create and destroy volume device links. | None.
promote | The ability to promote a clone to a dataset. | Must also have the mount ability and promote ability in the origin file system.
receive | The ability to create a descendent file system with the zfs receive command. | Must also have the mount ability and the create ability.
rename | The ability to rename a dataset. | Must also have the mount ability and the create ability in the new parent.
rollback | The ability to roll back a snapshot. | Must also have the mount ability.
send | The ability to send a snapshot stream. | None.
share | The ability to share and unshare a dataset. | None.
snapshot | The ability to take a snapshot of a dataset. | None.
In addition, you can delegate the following ZFS properties to non-root users:
aclinherit
aclmode
atime
canmount
casesensitivity
checksum
compression
copies
exec
devices
mountpoint
nbmand
normalization
quota
readonly
recordsize
reservation
setuid
shareiscsi
sharenfs
sharesmb
snapdir
userprop
utf8only
version
volsize
vscan
xattr
zoned
Some of the properties listed above can only be set at dataset creation time.
For a description of these properties, see Introducing ZFS Properties.
Syntax Descriptions for Delegating Permissions
The zfs allow syntax is as follows:
# zfs allow -[ldugecs] everyone|user|group[,...] perm|@setname[,...] filesystem|volume
The following portion of the zfs allow syntax identifies to whom the permissions are delegated:
zfs allow [-uge] user | group | everyone [,...] filesystem | volume
Multiple entities can be specified as a comma-separated list. If none of
the -uge options are specified, then the argument is interpreted preferentially
as the keyword everyone, then as a user name, and lastly,
as a group name. To specify a user or group named “everyone,”
use the -u or -g options. To specify a
group with the same name as a user, use the -g option.
The following portion of the zfs allow syntax identifies how permissions and permission sets are
specified:
zfs allow [-s] ... perm | @setname [,...] filesystem | volume
Multiple permissions can be specified as a comma-separated list. Permission names
are the same as ZFS subcommands and properties. For more information, see the
section above.
Permissions can be aggregated into permission sets, which are identified by the -s option.
Permission sets can be used by other zfs allow commands for the specified file
system and its descendents. Sets are evaluated dynamically, so changes to a set
are immediately updated. Permission sets follow the same naming conventions as ZFS file systems,
but the name must begin with an at sign (@), and can be
no more than 64 characters long.
The following portion of the zfs allow syntax identifies how the permissions are delegated:
zfs allow [-ld] ... ... filesystem | volume
The -l option indicates that the permission is allowed for the specified
dataset and not its descendents, unless the -d option is also specified. The
-d option indicates that the permission is allowed for the descendent datasets and
not for this dataset, unless the -l option is also specified. If
neither of the -ld options is specified, then the permissions
are allowed for the file system or volume and all of its descendents.
Removing ZFS Delegated Permissions (zfs unallow)
You can remove previously granted permissions with the zfs unallow command.
For example, if you delegated create, destroy, mount, and snapshot permissions as follows:
# zfs allow cindys create,destroy,mount,snapshot tank/cindys
# zfs allow tank/cindys
-------------------------------------------------------------
Local+Descendent permissions on (tank/cindys)
user cindys create,destroy,mount,snapshot
-------------------------------------------------------------
You would need to use syntax similar to the following to remove
these permissions:
# zfs unallow cindys tank/cindys
# zfs allow tank/cindys
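As an added example that is not part of the guide, the following Python script audits a zfs allow listing in the format shown above against the delegation table: it expands @permission sets, flags high-impact permissions such as destroy and allow, and reports grants that cannot be used because a dependent permission (for example mount) was not delegated. The sample listing, dataset and principal names are constructed for illustration.

```python
import re
# Dependencies from the delegation table above: a principal holding the key
# permission needs every permission in the value for the grant to be usable.
DEPENDENCIES = {"clone": {"create", "mount"}, "create": {"mount"},
                "destroy": {"mount"}, "promote": {"mount"}, "rollback": {"mount"},
                "receive": {"mount", "create"}, "rename": {"mount", "create"}}
# Permissions that can remove data or widen access; flag these for review.
HIGH_IMPACT = {"destroy", "rollback", "allow", "share"}
# Matches "Permission sets on (ds)" and "<Scope> permissions on (ds)" headers.
HEADER_RE = re.compile(r"^(?:(?P<scope>[\w+ ]+) permissions|Permission sets) on \(\S+\)$")
def parse_allow_output(text):
    # Returns (sets, grants): "@name" -> perms, and [(scope, principal, perms)].
    sets, grants, scope = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue  # blank line or separator rule
        m = HEADER_RE.match(line)
        if m:
            scope = m.group("scope") or "sets"
        elif scope == "sets":  # "@basic create,snapshot"
            name, perms = line.split(None, 1)
            sets[name] = set(perms.split(","))
        elif scope:  # "user cindys a,b", "group staff a" or "everyone a"
            parts = line.split()
            grants.append((scope, " ".join(parts[:-1]), set(parts[-1].split(","))))
    return sets, grants

def audit(text):
    # Expand @sets, then report high-impact grants and unmet dependencies.
    sets, grants = parse_allow_output(text)
    findings = []
    for scope, who, perms in grants:
        eff = set().union(*(sets.get(p, set()) if p.startswith("@") else {p} for p in perms))
        for p in sorted(eff & HIGH_IMPACT):
            findings.append(f"{who}: high-impact '{p}' ({scope})")
        for p in sorted(eff):
            missing = DEPENDENCIES.get(p, set()) - eff
            if missing:
                findings.append(f"{who}: '{p}' unusable without {','.join(sorted(missing))}")
    return findings
# Constructed sample in the listing format shown on this page, not real output.
SAMPLE = """\
-------------------------------------------------------------
Permission sets on (tank/cindys)
        @basic create,snapshot
Local+Descendent permissions on (tank/cindys)
        user cindys @basic,destroy,mount
        group staff @basic
"""
```

Run it against saved `zfs allow` output for each delegated dataset; a grant reported as unusable usually means a dependency such as mount was forgotten, while a high-impact finding is one to confirm deliberately.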