Kjetil Torgrim Homme
2009-Nov-06 15:07 UTC
[zfs-discuss] zfs allow destroy and rmdir to remove snapshot
I just discovered the very neat functionality which allows users to make snapshots on demand with mkdir .zfs/snapshot/snap (with "zfs allow snapshot,mount"), but it seems very unsafe to allow users to remove these snapshots: if they are allowed to log on to the server, they could destroy the filesystem itself with "zfs destroy".

If we did one FS per user, I guess we could allow them to shoot themselves in the foot, but in our case several users share the same FS. Is there a less powerful permission I can assign to ordinary users?

-- 
Kjetil T. Homme
Redpill Linpro AS - Changing the game
Darren J Moffat
2009-Nov-06 15:21 UTC
[zfs-discuss] zfs allow destroy and rmdir to remove snapshot
Kjetil Torgrim Homme wrote:
> I just discovered the very neat functionality which allows users to make
> snapshots on demand with mkdir .zfs/snapshot/snap (with "zfs allow
> snapshot,mount"), but it seems very unsafe to allow users to remove
> these snapshots: if they are allowed to log on to the server, they could
> destroy the filesystem itself with "zfs destroy".

You shouldn't be able to destroy the snapshots unless you have also been given the destroy delegation.

portellen:pts/10$ zfs allow dummy/fs
---- Permissions on dummy/fs -----------------------------------------
Local+Descendent permissions:
        user darrenm mount,snapshot
portellen:pts/10$ pwd
/dummy/fs/.zfs/snapshot
portellen:pts/10$ ls -l
total 0
portellen:pts/10$ mkdir foo
portellen:pts/10$ ls -l
total 4
drwxr-xr-x   2 root     root           3 Oct 20 14:01 foo/
portellen:pts/10$ rm -rf foo
rm: Unable to remove directory foo: Not owner

If they can login to the server and run 'zfs destroy' then you must have given them the destroy delegation as well.

-- 
Darren J Moffat
Mark Shellenbaum
2009-Nov-06 16:15 UTC
[zfs-discuss] zfs allow destroy and rmdir to remove snapshot
Darren J Moffat wrote:
> Kjetil Torgrim Homme wrote:
>> I just discovered the very neat functionality which allows users to make
>> snapshots on demand with mkdir .zfs/snapshot/snap (with "zfs allow
>> snapshot,mount"), but it seems very unsafe to allow users to remove
>> these snapshots: if they are allowed to log on to the server, they could
>> destroy the filesystem itself with "zfs destroy".
>
> You shouldn't be able to destroy the snapshots unless you have also been
> given the destroy delegation.
>
> portellen:pts/10$ zfs allow dummy/fs
> ---- Permissions on dummy/fs -----------------------------------------
> Local+Descendent permissions:
>         user darrenm mount,snapshot
> portellen:pts/10$ pwd
> /dummy/fs/.zfs/snapshot
> portellen:pts/10$ ls -l
> total 0
> portellen:pts/10$ mkdir foo
> portellen:pts/10$ ls -l
> total 4
> drwxr-xr-x   2 root     root           3 Oct 20 14:01 foo/
> portellen:pts/10$ rm -rf foo
> rm: Unable to remove directory foo: Not owner
>
> If they can login to the server and run 'zfs destroy' then you must have
> given them the destroy delegation as well.
>

Or you could give them destroy permission, but only for descendants.

# zfs allow -d darrenm destroy dummy/fs

This should allow snapshots to be destroyed, but not the parent file system. You will need at least build 118 for this to work correctly.

-Mark
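The distinction Mark draws (destroy on the dataset itself versus destroy on descendants only, via -d) is easy to lose track of on a shared filesystem with several delegations. The script below is an added example written for this archive, not code from any poster: it reads the output of "zfs allow <dataset>" on stdin and reports every principal who holds destroy in the "Local permissions:" or "Local+Descendent permissions:" section, which is the dangerous grant for a shared FS, while ignoring the "Descendent permissions:" section that -d produces. The section-header names are assumed from the format Darren quoted; the sample output with the extra users and the descendant section is constructed for the example.

```shell
#!/bin/sh
# Audit `zfs allow <dataset>` output: which principals can destroy the
# dataset itself (Local or Local+Descendent) rather than only its
# descendants (the section that `zfs allow -d ... destroy` creates)?
# Added example for the zfs-discuss thread; section headers are assumed
# from the format quoted there.

# Constructed sample output, modelled on the session quoted in the thread.
SAMPLE_ALLOW_OUTPUT='---- Permissions on dummy/fs -----------------------------------------
Local+Descendent permissions:
    user darrenm mount,snapshot
    user alice destroy,mount,snapshot
Descendent permissions:
    user darrenm destroy
    group users destroy'

# Reads `zfs allow` output on stdin and prints one line per principal that
# can destroy the dataset itself: "<type> <name> <section>" (or
# "everyone <section>" for an everyone grant).
report_local_destroy() {
    awk '
        # Skip the "---- Permissions on <dataset> ----" banner.
        /^---- Permissions on / { next }
        # Section header: remember which kind of grant follows.
        /permissions:$/ { section = $0; sub(/ permissions:$/, "", section); next }
        # Grant line inside a section that applies to the dataset itself.
        NF >= 2 && section != "" && section != "Descendent" {
            if ($1 == "everyone") { who = "everyone"; plist = $2 }
            else                  { who = $1 " " $2; plist = $3 }
            n = split(plist, perms, ",")
            for (i = 1; i <= n; i++)
                if (perms[i] == "destroy") print who, section
        }
    '
}

# Runs the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_ALLOW_OUTPUT" | report_local_destroy
}

audit_sample
```

On a live system the same function is fed with "zfs allow tank/shared | report_local_destroy"; an empty report means every destroy grant on that dataset is descendants-only, which is the state Mark's command leaves behind. Darrenm's descendant-only destroy is deliberately not reported, while alice's Local+Descendent destroy is.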
Kjetil Torgrim Homme
2009-Nov-06 16:27 UTC
[zfs-discuss] zfs allow destroy and rmdir to remove snapshot
Darren J Moffat <darrenm at opensolaris.org> writes:
> Kjetil Torgrim Homme wrote:
>> I just discovered the very neat functionality which allows users to
>> make snapshots on demand with mkdir .zfs/snapshot/snap (with "zfs
>> allow snapshot,mount"), but it seems very unsafe to allow users to
>> remove these snapshots: if they are allowed to log on to the server,
>> they could destroy the filesystem itself with "zfs destroy".
>
> You shouldn't be able to destroy the snapshots unless you have also
> been given the destroy delegation.

That's the issue: I want users to be able to destroy the snapshots they are creating with mkdir. Unfortunately, "destroy" can destroy anything, so I can't give them that right.

-- 
Kjetil T. Homme
Redpill Linpro AS - Changing the game
Kjetil Torgrim Homme
2009-Nov-06 16:34 UTC
[zfs-discuss] zfs allow destroy and rmdir to remove snapshot
Mark Shellenbaum <Mark.Shellenbaum at Sun.COM> writes:
> Or you could give them destroy permission, but only for descendants.
>
> # zfs allow -d darrenm destroy dummy/fs
>
> This should allow snapshots to be destroyed, but not the parent file
> system.

Aha! Thanks, I completely missed the -d flag when I read the man page.

> You will need at least build 118 for this to work correctly.

Oh, I'm at 2009.06 (build 111). Seems like that version doesn't consider a snapshot a descendent:

: [kjetilho@zfs ~]; zfs destroy tank/kjetilho-test/bar
: [kjetilho@zfs ~]; zfs destroy tank/kjetilho-test@foo
cannot destroy 'tank/kjetilho-test@foo': permission denied

-- 
Kjetil T. Homme
Redpill Linpro AS - Changing the game