From f74b821a6696fef9e9953aae05941e99bf83800e Mon Sep 17 00:00:00 2001 From: Brian Behlendorf Date: Tue, 7 Jun 2016 09:16:52 -0700 Subject: Add `zfs allow` and `zfs unallow` support ZFS allows for specific permissions to be delegated to normal users with the `zfs allow` and `zfs unallow` commands. In addition, non- privileged users should be able to run all of the following commands: * zpool [list | iostat | status | get] * zfs [list | get] Historically this functionality was not available on Linux. In order to add it the secpolicy_* functions needed to be implemented and mapped to the equivalent Linux capability. Only then could the permissions on the `/dev/zfs` be relaxed and the internal ZFS permission checks used. Even with this change some limitations remain. Under Linux only the root user is allowed to modify the namespace (unless it's a private namespace). This means the mount, mountpoint, canmount, unmount, and remount delegations cannot be supported with the existing code. It may be possible to add this functionality in the future. This functionality was validated with the cli_user and delegation test cases from the ZFS Test Suite. These tests exhaustively verify each of the supported permissions which can be delegated and ensures only an authorized user can perform it. Two minor bug fixes were required for test-running.py. First, the Timer() object cannot be safely created in a `try:` block when there is an unconditional `finally` block which references it. Second, when running as a normal user also check for scripts using the both the .ksh and .sh suffixes. Finally, existing users who are simulating delegations by setting group permissions on the /dev/zfs device should revert that customization when updating to a version with this change. Signed-off-by: Brian Behlendorf Signed-off-by: Tony Hutter Closes #362 Closes #434 Closes #4100 Closes #4394 Closes #4410 Closes #4487 --- module/zfs/zfs_fuid.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'module/zfs/zfs_fuid.c') diff --git a/module/zfs/zfs_fuid.c b/module/zfs/zfs_fuid.c index 6ca61b872..d4916bf58 100644 --- a/module/zfs/zfs_fuid.c +++ b/module/zfs/zfs_fuid.c @@ -488,7 +488,6 @@ zfs_fuid_node_add(zfs_fuid_info_t **fuidpp, const char *domain, uint32_t rid, } } -#ifdef HAVE_KSID /* * Create a file system FUID, based on information in the users cred * @@ -501,6 +500,7 @@ uint64_t zfs_fuid_create_cred(zfs_sb_t *zsb, zfs_fuid_type_t type, cred_t *cr, zfs_fuid_info_t **fuidp) { +#ifdef HAVE_KSID uint64_t idx; ksid_t *ksid; uint32_t rid; @@ -540,8 +540,12 @@ zfs_fuid_create_cred(zfs_sb_t *zsb, zfs_fuid_type_t type, zfs_fuid_node_add(fuidp, kdomain, rid, idx, id, type); return (FUID_ENCODE(idx, rid)); -} +#else + VERIFY(type == ZFS_OWNER || type == ZFS_GROUP); + + return ((uint64_t)((type == ZFS_OWNER) ? crgetuid(cr) : crgetgid(cr))); #endif /* HAVE_KSID */ +} /* * Create a file system FUID for an ACL ace -- cgit v1.2.3