Delegating ZFS Permissions
You can use the `zfs allow` command to delegate permissions on ZFS file systems to non-root users in the following ways:
- Individual permissions can be delegated to a user, group, or everyone.
- Groups of individual permissions can be delegated as a permission set to a user, group, or everyone.
- Permissions can be delegated either locally to the current file system only or to all descendants of the current file system.
The following table describes the operations that can be delegated and any dependent permissions that are required to perform the delegated operations.
Permission (Subcommand) | Description | Dependencies
---|---|---
allow | The permission to grant permissions that you have to another user. | Must also have the permission that is being allowed.
clone | The permission to clone any of the dataset's snapshots. | Must also have the `create` and `mount` permissions.
create | The permission to create descendant datasets. | Must also have the `mount` permission.
destroy | The permission to destroy a dataset. | Must also have the `mount` permission.
diff | The permission to identify paths within a dataset. | Non-root users need this permission to use the `zfs diff` command.
hold | The permission to hold a snapshot. |
mount | The permission to mount and unmount a file system, and create and destroy volume device links. |
promote | The permission to promote a clone to a dataset. | Must also have the `mount` permission.
receive | The permission to create descendant file systems with the `zfs receive` command. | Must also have the `mount` and `create` permissions.
release | The permission to release a snapshot hold, which might destroy the snapshot. |
rename | The permission to rename a dataset. | Must also have the `mount` and `create` permissions.
rollback | The permission to roll back a snapshot. |
send | The permission to send a snapshot stream. |
share | The permission to share and unshare a file system. | Must have both the `share` and `mount` permissions.
snapshot | The permission to create a snapshot of a dataset. |
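Because several delegated operations silently fail unless their dependent permissions are granted as well, it helps to expand the dependencies from the table above before running `zfs allow`. The following helper, an added example that is not part of the original documentation, builds the least-privilege `zfs allow` command line (including the `-l` local and `-d` descendants scopes) and prints it rather than executing it; the dependency map is taken from the table and the user, dataset and permission names are constructed sample values.

```shell
#!/bin/sh
# Added example (not Oracle documentation code): compose a `zfs allow`
# invocation that includes the dependent permissions listed in the table,
# so the delegation is complete without granting anything beyond that.
# The command is only printed; nothing is executed against a pool.

# Print the dependent permissions for one delegated subcommand (from the table).
zfs_perm_deps() {
    case "$1" in
        clone|receive|rename) echo "create mount" ;;
        create|destroy|promote|share) echo "mount" ;;
        *) echo "" ;;   # allow, diff, hold, mount, release, rollback, send, snapshot
    esac
}

# Expand a comma-separated permission list with its dependencies;
# output is sorted, de-duplicated and comma-separated again.
zfs_expand_perms() {
    all=""
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        all="$all $p $(zfs_perm_deps "$p")"
    done
    # word-splitting of $all is intended here
    printf '%s\n' $all | sort -u | paste -s -d, -
}

# zfs_allow_cmd USER PERMS FILESYSTEM [local|descendants|both]
# Default scope (no flag) applies to the file system and all descendants.
zfs_allow_cmd() {
    flag=""
    case "${4:-both}" in
        local)       flag="-l " ;;
        descendants) flag="-d " ;;
    esac
    printf 'zfs allow %s%s %s %s\n' "$flag" "$1" "$(zfs_expand_perms "$2")" "$3"
}

# Constructed sample: let user alice snapshot and create datasets under
# tank/home/alice only; `mount` is added because `create` depends on it.
zfs_allow_cmd alice snapshot,create tank/home/alice local
```

Run the printed command as root, then confirm the result with `zfs allow tank/home/alice`, which lists the delegated permissions on that dataset.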
You can also delegate the following set of permissions, although a given permission might be limited to access, read, or change permission:

- groupquota
- groupused
- key
- keychange
- userprop
- userquota
- userused
In addition, you can delegate administration of the following ZFS properties to non-root users:

- aclinherit
- aclmode
- atime
- canmount
- casesensitivity
- checksum
- compression
- copies
- dedup
- defaultgroupquota
- defaultuserquota
- devices
- encryption
- exec
- keysource
- logbias
- mountpoint
- nbmand
- normalization
- primarycache
- quota
- readonly
- recordsize
- refquota
- refreservation
- reservation
- rstchown
- secondarycache
- setuid
- shadow
- share.nfs
- share.smb
- snapdir
- sync
- utf8only
- version
- volblocksize
- volsize
- vscan
- xattr
- zoned
Some of these properties can be set only at dataset creation time. For a description of these properties, see zfs(8).