Delegating ZFS Permissions

You can use the zfs allow command to delegate permissions on ZFS file systems to non-root users in the following ways:

Individual permissions can be delegated to a user, group, or everyone.
Groups of individual permissions can be delegated as a permission set to a user, group, or everyone.
Permissions can be delegated either locally to the current file system only or to all descendents of the current file system.

The following table describes the operations that can be delegated and any dependent permissions that are required to perform the delegated operations.

Permission (Subcommand)	Description	Dependencies
`allow`	The permission to grant permissions that you have to another user.	Must also have the permission that is being allowed.
`clone`	The permission to clone any of the dataset's snapshots.	Must also have the `create` permission and the `mount` permission in the original file system.
`create`	The permission to create descendent datasets.	Must also have the `mount` permission.
`destroy`	The permission to destroy a dataset.	Must also have the `mount` permission.
`diff`	The permission to identify paths within a dataset.	Non-root users need this permission to use the `zfs diff` command.
`hold`	The permission to hold a snapshot.
`mount`	The permission to mount and unmount a file system, and create and destroy volume device links.
`promote`	The permission to promote a clone to a dataset.	Must also have the `mount` permission and the `promote` permission in the original file system.
`receive`	The permission to create descendent file systems with the `zfs receive` command.	Must also have the `mount` permission and the `create` permission.
`release`	The permission to release a snapshot hold, which might destroy the snapshot.
`rename`	The permission to rename a dataset.	Must also have the `create` permission and the `mount` permission in the new parent.
`rollback`	The permission to roll back a snapshot.
`send`	The permission to send a snapshot stream.
`share`	The permission to share and unshare a file system.
`snapshot`	The permission to create a snapshot of a dataset.

You can delegate the following set of permissions but a permission might be limited to access, read, or change permission:

groupquota
groupused
key
keychange
userprop
userquota
userused

In addition, you can delegate administration of the following ZFS properties to non-root users:

aclinherit
aclmode
atime
canmount
casesensitivity
checksum
compression
copies
dedup
devices
encryption
exec
keysource
logbias
mountpoint
nbmand
normalization
primarycache
quota
readonly
recordsize
refquota
refreservation
reservation
rstchown
secondarycache
setuid
shadow
sharenfs
sharesmb
snapdir
sync
utf8only
version
volblocksize
volsize
vscan
xattr
zoned

Some of these properties can be set only at dataset creation time. For a description of these properties, see Introducing ZFS Properties.

Delegating ZFS Permissions (`zfs allow`)

The zfs allow syntax follows:

zfs allow -[ldugecs] everyone|user|group[,...] perm|@setname,...] filesystem| volume

The following zfs allow syntax (in bold) identifies to whom the permissions are delegated:

zfs allow [-uge]|user|group|everyone [,...] filesystem | volume

Multiple entities can be specified as a comma-separated list. If no -uge options are specified, then the argument is interpreted preferentially as the keyword everyone, then as a user name, and lastly, as a group name. To specify a user or group named “everyone,” use the -u or -g option. To specify a group with the same name as a user, use the -g option. The -c option delegates create-time permissions.

The following zfs allow syntax (in bold) identifies how permissions and permission sets are specified:

zfs allow [-s] ... perm|@setname [,...] filesystem | volume

Multiple permissions can be specified as a comma-separated list. Permission names are the same as ZFS subcommands and properties. For more information, see the preceding section.

Permissions can be aggregated into permission sets and are identified by the -s option. Permission sets can be used by other zfs allow commands for the specified file system and its descendents. Permission sets are evaluated dynamically, so changes to a set are immediately updated. Permission sets follow the same naming requirements as ZFS file systems, but the name must begin with an at sign (@) and can be no more than 64 characters in length.

The following zfs allow syntax (in bold) identifies how the permissions are delegated:

zfs allow [-ld] ... ... filesystem | volume

The -l option indicates that the permissions are allowed for the specified file system and not its descendents, unless the -d option is also specified. The -d option indicates that the permissions are allowed for the descendent file systems and not for this file system, unless the -l option is also specified. If neither option is specified, then the permissions are allowed for the file system or volume and all of its descendents.

Removing ZFS Delegated Permissions (`zfs unallow`)

You can remove previously delegated permissions with the zfs unallow command.

For example, assume that you delegated create, destroy, mount, and snapshot permissions as follows:

# zfs allow cindy create,destroy,mount,snapshot tank/home/cindy
# zfs allow tank/home/cindy
---- Permissions on tank/home/cindy ----------------------------------
Local+Descendent permissions:
        user cindy create,destroy,mount,snapshot

To remove these permissions, you would use the following syntax:

# zfs unallow cindy tank/home/cindy
# zfs allow tank/home/cindy

Skip Navigation Links
Exit Print View
	Oracle Solaris Administration: ZFS File Systems Oracle Solaris 11 Information Library

Delegating ZFS Permissions

Delegating ZFS Permissions (zfs allow)

Removing ZFS Delegated Permissions (zfs unallow)

Delegating ZFS Permissions (`zfs allow`)

Removing ZFS Delegated Permissions (`zfs unallow`)