Delegating ZFS Permissions Examples

Example 9-1 Delegating Permissions to an Individual User

When you delegate create and mount permissions to an individual user, you must ensure that the user has permissions on the underlying mount point.

For example, to delegate user mork create and mount permissions on the system1 file system, set the permissions first:

$ chmod A+user:mork:add_subdirectory:fd:allow /system1/home

Then, use the zfs allow command to delegate create, destroy, and mount permissions. For example:

$ zfs allow mork create,destroy,mount system1/home

Now, user mork can create his own file systems in the system1/home file system. For example:

$ su mork
mork$ zfs create system1/home/mork
mork$ ^D
$ su lp
$ zfs create system1/home/lp
cannot create 'system1/home/lp': permission denied

Example 9-2 Delegating create and destroy Permissions to a Group

The following example shows how to set up a file system so that anyone in the staff group can create and mount file systems in the system1/home file system, as well as destroy their own file systems. However, staff group members cannot destroy anyone else's file systems.

$ zfs allow staff create,mount system1/home
$ zfs allow -c create,destroy system1/home
$ zfs allow system1/home
---- Permissions on system1/home ----------------------------------------
Create time permissions:
create,destroy
Local+descendant permissions:
group staff create,mount
$ su mindy
mindy% zfs create system1/home/mindy/files
mindy% exit
$ su mork
mork% zfs create system1/home/mork/data
mork% exit
mindy% zfs destroy system1/home/mork/data
cannot destroy 'system1/home/mork/data': permission denied

Example 9-3 Delegating Permissions at the Correct File System Level

Ensure that you delegate users permission at the correct file system level. For example, user mork is delegated create, destroy, and mount permissions for the local and descendant file systems. User mork is delegated local permission to snapshot the system1/home file system, but he is not allowed to snapshot his own file system, because the snapshot permission has not been delegated at the correct file system level.

$ zfs allow -l mork snapshot system1/home
$ zfs allow system1/home
---- Permissions on system1/home ----------------------------------------
Create time permissions:
create,destroy
Local permissions:
user mork snapshot
Local+descendant permissions:
group staff create,mount
$ su mork
mork$ zfs snapshot system1/home@snap1
mork$ zfs snapshot system1/home/mork@snap1
cannot create snapshot 'system1/home/mork@snap1': permission denied

To delegate user mork permission at the descendant file system level, use the zfs allow -d command. For example:

$ zfs unallow -l mork snapshot system1/home
$ zfs allow -d mork snapshot system1/home
$ zfs allow system1/home
---- Permissions on system1/home ----------------------------------------
Create time permissions:
create,destroy
descendant permissions:
user mork snapshot
Local+descendant permissions:
group staff create,mount
$ su mork
$ zfs snapshot system1/home@snap2
cannot create snapshot 'system1/home@snap2': permission denied
$ zfs snapshot system1/home/mork@snappy

Now, user mork can only create a snapshot below the system1/home file system level.

Example 9-4 Defining and Using Complex Delegated Permissions

You can delegate specific permissions to users or groups. For example, the following zfs allow command delegates specific permissions to the staff group. In addition, destroy and snapshot permissions are delegated after system1/home file systems are created.

$ zfs allow staff create,mount system1/home
$ zfs allow -c destroy,snapshot system1/home
$ zfs allow system1/home
---- Permissions on system1/home ----------------------------------------
Create time permissions:
create,destroy,snapshot
Local+descendant permissions:
group staff create,mount

Because user mork is a member of the staff group, he can create file systems in system1/home. In addition, user mork can create a snapshot of system1/home/mark2 because the create-time permissions granted him destroy and snapshot on the file system he created. For example:

$ su mork
$ zfs create system1/home/mark2
$ zfs allow system1/home/mark2
---- Permissions on system1/home/mark2 ----------------------------------
Local permissions:
user mork create,destroy,snapshot
---- Permissions on system1/home ----------------------------------------
Create time permissions:
create,destroy,snapshot
Local+descendant permissions:
group staff create,mount

But, user mork cannot create a snapshot in system1/home/mork because he does not have specific permissions to do so. For example:

$ zfs snapshot system1/home/mork@snap1
cannot create snapshot 'system1/home/mork@snap1': permission denied

In this example, user mork has create permission in his home directory, which means he can create snapshots by creating directories in the .zfs/snapshot directory of that file system, as the following session shows. This scenario is helpful when your file system is NFS mounted.

$ cd /system1/home/mark2
$ ls
$ cd .zfs
$ ls
shares snapshot
$ cd snapshot
$ ls -l
total 3
drwxr-xr-x   2 mork    staff          2 Sep 27 15:55 snap1
$ pwd
/system1/home/mark2/.zfs/snapshot
$ mkdir snap2
$ zfs list
# zfs list -r system1/home
NAME                       USED  AVAIL  REFER  MOUNTPOINT
system1/home/mork           63K  62.3G    32K  /system1/home/mork
system1/home/mark2          49K  62.3G    31K  /system1/home/mark2
system1/home/mark2@snap1    18K      -    31K  -
system1/home/mark2@snap2      0      -    31K  -
$ ls
snap1  snap2
$ rmdir snap2
$ ls
snap1

Example 9-5 Defining and Using a ZFS Delegated Permission Set

The following example shows how to create the permission set @myset and delegate the permission set and the rename permission to the group staff for the system1 file system. User mindy, a staff group member, has the permission to create a file system in system1. However, user lp does not have permission to create a file system in system1.

$ zfs allow -s @myset create,destroy,mount,snapshot,promote,clone,readonly \
system1
$ zfs allow system1
---- Permissions on system1 ---------------------------------------------
Permission sets:
@myset clone,create,destroy,mount,promote,readonly,snapshot
$ zfs allow staff @myset,rename system1
$ zfs allow system1
---- Permissions on system1 ---------------------------------------------
Permission sets:
@myset clone,create,destroy,mount,promote,readonly,snapshot
Local+descendant permissions:
group staff @myset,rename
$ chmod A+group:staff:add_subdirectory:fd:allow system1
# su mindy
mindy% zfs create system1/data
mindy% zfs allow system1
---- Permissions on system1 ---------------------------------------------
Permission sets:
@myset clone,create,destroy,mount,promote,readonly,snapshot
Local+descendant permissions:
group staff @myset,rename
mindy% ls -l /system1
total 15
drwxr-xr-x   2 mindy   staff          2 Jun 24 10:55 data
mindy% exit
$ su lp
$ zfs create system1/lp
cannot create 'system1/lp': permission denied
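The examples above show that the same permission can reach a user through several routes: a direct local or descendant delegation, a create-time permission, group membership, or a @set. When reviewing who can destroy or snapshot data, it helps to flatten the zfs allow listing into one line per (file system, level, principal, permission) with @sets expanded. The following POSIX sh script is an added example and is not from the Oracle guide; it audits zfs allow output in the format shown in Examples 9-2 through 9-5. The SAMPLE_ALLOW_OUTPUT text is constructed for this example, and the function names flatten_allow, has_permission, and destroy_holders are this example's own. On a real system, pipe the output of zfs allow system1/home into the functions instead of the sample.

```shell
#!/bin/sh
# Added example (not part of the Oracle guide): audit the output of
# "zfs allow <fs>" and list which principal holds which permission at
# which level, expanding @sets so nothing hides behind a set name.

# Constructed sample in the format the guide shows. On a real system use:
#   zfs allow system1/home | flatten_allow
SAMPLE_ALLOW_OUTPUT='---- Permissions on system1/home ----------------------------------------
Permission sets:
@myset clone,create,destroy,mount,promote,readonly,snapshot
Create time permissions:
create,destroy,snapshot
Local permissions:
user mork snapshot
Local+descendant permissions:
group staff @myset,rename'

# flatten_allow: read zfs allow output on stdin, print one line per
# "<fs> <level> <type:name> <permission>"; create-time entries use "-"
# as the principal because they apply to whoever creates a child.
flatten_allow() {
  awk '
    function emit(f, l, who, perms,   n, i, p) {
      n = split(perms, p, ",")
      for (i = 1; i <= n; i++) {
        if (p[i] in sets) emit(f, l, who, sets[p[i]])   # expand a @set
        else print f, l, who, p[i]
      }
    }
    /^---- Permissions on /     { fs = $4; level = ""; next }
    /^Permission sets:/         { level = "set"; next }
    /^Create time permissions:/ { level = "create-time"; next }
    / permissions:$/            { level = $0; sub(/ permissions:$/, "", level); next }
    level == "set" && $1 ~ /^@/ { sets[$1] = $2; next }
    level == "create-time"      { emit(fs, level, "-", $1); next }
    level != "" && NF == 3      { emit(fs, level, $1 ":" $2, $3); next }
  '
}

# has_permission FS LEVEL PRINCIPAL PERM: exit 0 if that exact tuple is
# present in the flattened listing read from stdin, e.g.
#   has_permission system1/home Local+descendant group:staff destroy
has_permission() {
  flatten_allow | grep -qxF "$1 $2 $3 $4"
}

# destroy_holders: principals that can destroy file systems below the
# reported root (any level whose name contains "descendant"), read from
# stdin. This is the list a reviewer most wants to see.
destroy_holders() {
  flatten_allow | awk '$4 == "destroy" && $2 ~ /descendant/ { print $3 }' | sort -u
}

# Stand-alone run: show the flattened listing, then who can destroy.
printf '%s\n' "$SAMPLE_ALLOW_OUTPUT" | flatten_allow
printf '%s\n' "$SAMPLE_ALLOW_OUTPUT" | destroy_holders
```

Run against the sample, the listing shows that group staff holds destroy on every descendant of system1/home through @myset, which the raw zfs allow output only states indirectly. Because the parser keys on the section headings the guide shows ("Local permissions:", "Local+descendant permissions:", and so on), compare its output against the headings your zfs version prints before relying on it.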