Hello,
I'm trying to set ZFS to work with RBAC so that I could manage all ZFS
stuff w/out root. However, in my setup there is sys_mount privilege
needed:
- without sys_mount:
vk199839:tessier:~$ zpool list
NAME SIZE USED AVAIL CAP HEALTH ALTROOT
local 264G 71.4G 193G 27% ONLINE -
vk199839:tessier:~$ profiles
ZFS Storage Management
ZFS File system Management
Basic Solaris User
All
vk199839:tessier:~$ ppriv $$
317: bash
flags = <none>
E: basic,dtrace_kernel,dtrace_proc,dtrace_user
I: basic,dtrace_kernel,dtrace_proc,dtrace_user
P: basic,dtrace_kernel,dtrace_proc,dtrace_user
L: all
vk199839:tessier:~$ pfexec zfs create local/testfs
cannot create 'local/testfs': permission denied
vk199839:tessier:~$ pfexec truss zfs create local/testfs
<snip>
zone_lookup(0x00000000) = 0
ioctl(4, ZFS_IOC_OBJSET_STATS, 0x0804679C) Err#2 ENOENT
ioctl(4, ZFS_IOC_CREATE, 0x0804679C) Err#1 EPERM [sys_mount]
brk(0x080CA000) = 0
fstat64(2, 0x080457C0) = 0
cannot create 'write(2, " c a n n o t c r e a t".., 15) = 15
local/testfswrite(2, " l o c a l / t e s t f s", 12) = 12
': permission deniedwrite(2, " ' : p e r m i s s i o".., 20) = 20
- however with sys_mount:
vk199839:tessier:~$ ppriv $$
434: /usr/bin/bash
flags = <none>
E: basic,dtrace_kernel,dtrace_proc,dtrace_user,sys_mount
I: basic,dtrace_kernel,dtrace_proc,dtrace_user,sys_mount
P: basic,dtrace_kernel,dtrace_proc,dtrace_user,sys_mount
L: all
vk199839:tessier:~$ profiles
ZFS Storage Management
ZFS File system Management
Basic Solaris User
All
vk199839:tessier:~$ pfexec zfs create local/testfs
vk199839:tessier:~$ echo $?
0
vk199839:tessier:~$ zfs list |grep testfs
local/testfs 9K 191G 9K /local/testfs
vk199839:sier:~$ ls -ald /local/testfs/
drwxr-xr-x 2 root sys 2 Sep 12 19:15 /local/testfs/
vk199839:tessier:~$ ls -ald /local/
drwxrwxr-x 14 vk199839 sys 16 Sep 12 19:15 /local/
Any idea what is wrong?
Also, I would like the fs to be created with vk199839:sys and not with
root:sys ownership.
v.
Vladimir Kotal wrote:
> Hello,
>
> I'm trying to set ZFS to work with RBAC so that I could manage all ZFS
> stuff w/out root. However, in my setup there is sys_mount privilege
> needed:
>
> - without sys_mount:

Currently, anything in zfs that changes dataset configurations, such as file systems and properties, requires sys_mount privilege. This actually comes from the secpolicy_zfs() function if you're curious.

> ioctl(4, ZFS_IOC_CREATE, 0x0804679C) Err#1 EPERM [sys_mount]
> brk(0x080CA000) = 0
> fstat64(2, 0x080457C0) = 0
> cannot create 'write(2, " c a n n o t c r e a t".., 15) = 15
> local/testfswrite(2, " l o c a l / t e s t f s", 12) = 12
> ': permission deniedwrite(2, " ' : p e r m i s s i o".., 20) = 20
>
>
> - however with sys_mount:
>
> vk199839:tessier:~$ ppriv $$
> 434: /usr/bin/bash
> flags = <none>
> E: basic,dtrace_kernel,dtrace_proc,dtrace_user,sys_mount
> I: basic,dtrace_kernel,dtrace_proc,dtrace_user,sys_mount
> P: basic,dtrace_kernel,dtrace_proc,dtrace_user,sys_mount
> L: all
> vk199839:tessier:~$ profiles
> ZFS Storage Management
> ZFS File system Management
> Basic Solaris User
> All
> vk199839:tessier:~$ pfexec zfs create local/testfs
> vk199839:tessier:~$ echo $?
> 0
> vk199839:tessier:~$ zfs list |grep testfs
> local/testfs 9K 191G 9K /local/testfs
> vk199839:sier:~$ ls -ald /local/testfs/
> drwxr-xr-x 2 root sys 2 Sep 12 19:15 /local/testfs/
> vk199839:tessier:~$ ls -ald /local/
> drwxrwxr-x 14 vk199839 sys 16 Sep 12 19:15 /local/
>
> Any idea what is wrong?
>
> Also, I would like the fs to be created with vk199839:sys and not with
> root:sys ownership.

That will be changed once the delegated administration model is integrated. Once it is integrated, a file system's root node will be created with the uid/gid of the user that creates the file system. For more information on this, check out the following thread: http://www.opensolaris.org/jive/thread.jspa?threadID=11130&tstart=15

-Mark
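An added example, not code from either message: a small POSIX shell diagnostic that reads a truss "Err#1 EPERM [priv]" line and a ppriv listing like the ones above, and reports whether the named privilege is absent from the Effective set and whether it still lies within the Limit set (so an RBAC profile or role could supply it without giving the user full root). The sample inputs are constructed from the output quoted in this thread; the helper names missing_priv, has_priv and diagnose are this example's own, and it assumes only sed and awk.

```shell
#!/bin/sh
# Added example (not code from the thread): given a truss(1) log with an
# "Err#1 EPERM [priv]" line and a ppriv(1) listing of the same shell, say
# whether that privilege is absent from E and whether L would still allow it.
# Sample inputs are constructed from the listings quoted in this thread.

SAMPLE_TRUSS='ioctl(4, ZFS_IOC_OBJSET_STATS, 0x0804679C) Err#2 ENOENT
ioctl(4, ZFS_IOC_CREATE, 0x0804679C) Err#1 EPERM [sys_mount]'

SAMPLE_PPRIV='317: bash
flags = <none>
E: basic,dtrace_kernel,dtrace_proc,dtrace_user
I: basic,dtrace_kernel,dtrace_proc,dtrace_user
P: basic,dtrace_kernel,dtrace_proc,dtrace_user
L: all'

# Print the privilege named in the first EPERM line of truss output ($1).
missing_priv() {
    printf '%s\n' "$1" | sed -n 's/.*Err#1 EPERM \[\([a-z_]*\)].*/\1/p' | head -n 1
}

# Exit 0 if privilege $2 is listed in set $1 (E, I, P or L) of ppriv output $3;
# the keyword "all" matches every privilege, "basic" is left as its own name.
has_priv() {
    printf '%s\n' "$3" | awk -v s="$1:" -v p="$2" '
        $1 == s {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == p || a[i] == "all") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Explain the EPERM in terms of privilege sets; exit 1 when the privilege is
# genuinely absent from E, 0 when the failure must have another cause.
diagnose() {
    priv=$(missing_priv "$2")
    if [ -z "$priv" ]; then echo "no EPERM naming a privilege in truss output"; return 0; fi
    if has_priv E "$priv" "$1"; then echo "$priv is already effective; EPERM has another cause"; return 0; fi
    if has_priv L "$priv" "$1"; then
        echo "$priv missing from E but within L: an RBAC profile or role can supply it"
    else
        echo "$priv outside L: this process tree can never acquire it"
    fi
    return 1
}

diagnose "$SAMPLE_PPRIV" "$SAMPLE_TRUSS" || echo "verdict: privilege missing (exit status 1)"
```

On a live system, feed it the real listings, e.g. diagnose "$(ppriv $$)" "$(pfexec truss zfs create pool/fs 2>&1)".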