thr3ads.net - zfs discuss - [zfs-discuss] RBAC and ZFS FileSystemManagement [Jun 2006]

If this information is useful, please help other people find it:
Share via:

James Dickens

2006-Jun-29 23:08 UTC

[zfs-discuss] RBAC and ZFS FileSystemManagement

I think I have found a bug in ZFS profiles as defined in
# uname -av
SunOS enterprise 5.11 snv_39 sun4u sparc SUNW,Ultra-2
#

# usermod  -P  "ZFS File System Management" zfsadmin

# su zfsadmin

# zfs create pool2/testzfsprofile
cannot create ''pool2/testzfsprofile'': permission denied
# ppriv -De zfs create pool2/testzfsprofile
zfs[5300]: missing privilege "sys_mount" (euid = 150026, syscall = 54)
needed at zfs_secpolicy_parent+0x68
cannot create ''pool2/testzfsprofile'': permission denied
#

shouldn''t a user with ZFS FileSystem Mangement profile be able to
create and mount a ZFS file system? is there something i''m missing
here?

ZFS File system Management ? Provides the ability to create, destroy,
and modify ZFS file systems

James Dickens
uadmin.blogspot.com

Jonathan Adams

2006-Jun-29 23:29 UTC

head link

[zfs-discuss] RBAC and ZFS FileSystemManagement

On Thu, Jun 29, 2006 at 06:08:18PM -0500, James Dickens
wrote:> I think I have found a bug in ZFS profiles as defined in
> # uname -av
> SunOS enterprise 5.11 snv_39 sun4u sparc SUNW,Ultra-2
> #
> 
> # usermod  -P  "ZFS File System Management" zfsadmin
> 
> # su zfsadmin
> 
> # zfs create pool2/testzfsprofile
> cannot create ''pool2/testzfsprofile'': permission denied
> # ppriv -De zfs create pool2/testzfsprofile
> zfs[5300]: missing privilege "sys_mount" (euid = 150026, syscall
= 54)
> needed at zfs_secpolicy_parent+0x68
> cannot create ''pool2/testzfsprofile'': permission denied
> #
> 
> shouldn''t a user with ZFS FileSystem Mangement profile be able to
> create and mount a ZFS file system? is there something i''m missing
> here?
Yeah;  you need to be using a profile shell to get access to profile-enabled
commands:

$ zfs create pool/aux2
cannot create ''pool/aux2'': permission denied
$ pfksh
$ zfs create pool/aux2
$ exit
$ 

Either set your shell to pf{k,c,}sh, or run it explicitly.


Cheers,
- jonathan

-- 
Jonathan Adams, Solaris Kernel Development

Frank Leers

2006-Jun-29 23:49 UTC

head link

[zfs-discuss] RBAC and ZFS FileSystemManagement

On Thu, 2006-06-29 at 16:29 -0700, Jonathan Adams wrote:
> Yeah;  you need to be using a profile shell to get access to
profile-enabled
> commands:
> 
> $ zfs create pool/aux2
> cannot create ''pool/aux2'': permission denied
> $ pfksh
> $ zfs create pool/aux2
> $ exit
> $ 
> 
> Either set your shell to pf{k,c,}sh, or run it explicitly.
> 
> 
> Cheers,
> - jonathan
> 
pfexec zfs create pool/aux2

from your regular shell will work as well

zfs discuss - Jun 2006 - RBAC and ZFS FileSystemManagement

[zfs-discuss] RBAC and ZFS FileSystemManagement

[zfs-discuss] RBAC and ZFS FileSystemManagement

[zfs-discuss] RBAC and ZFS FileSystemManagement