    System Administration Commands                                    zfs_allow(1M)
    
    
    
    NAME
           zfs_allow - delegates ZFS file system administration permission to non-privileged users
    
    SYNOPSIS
           zfs help subcommand | help | property property-name | permission


           zfs help -l properties
    
    
           zfs allow filesystem|volume
    
    
           zfs allow [-ldug] everyone|user|group[,...] perm|@setname[,...]
    	    filesystem|volume
    
    
           zfs allow [-ld] -e perm|@setname[,...] filesystem|volume
    
    
           zfs allow -c perm|@setname[,...]	filesystem|volume
    
    
           zfs allow -s @setname perm|@setname[,...] filesystem|volume
    
    
           zfs unallow [-rldug] everyone|user|group[,...] [perm|@setname[,...]]
               filesystem|volume


           zfs unallow [-rld] -e [perm|@setname[,...]] filesystem|volume


           zfs unallow [-r] -c [perm|@setname[,...]] filesystem|volume


           zfs unallow [-r] -s @setname [perm|@setname[,...]] filesystem|volume
    
    
    DESCRIPTION
           The zfs allow command can be used to delegate permissions to
           non-privileged users for administering ZFS file systems in a ZFS
           storage pool, as described in zpool(1M). You can use the zfs unallow
           command to revoke administrative permissions.


           Permissions are generally the ability to use a ZFS subcommand or
           change a ZFS property. The following permissions are available:
    
    	 # zfs help permissions
    	 The following delegated permissions are supported:
    
    	 NAME		  TYPE		 NOTES
    	 allow		  subcommand	 Must also have	the permission that is being
    					 allowed
    	 clone		  subcommand	 Must also have	the 'create' ability and 'mount'
    					 ability in the	origin file system
    	 create		  subcommand	 Must also have	the 'mount' ability
    	 destroy	  subcommand	 Must also have	the 'mount' ability
    	 diff		  subcommand	 Allows	lookup of paths	within a dataset,
    					 given an object number. Ordinary users	need this
    					 in order to use zfs diff
    	 hold		  subcommand	 Allows	adding a user hold to a	snapshot
    	 mount		  subcommand	 Allows	mount/umount of	ZFS datasets
    	 promote	  subcommand	 Must also have	the 'mount'
    					 and 'promote' ability in the origin file system
    	 receive	  subcommand	 Must also have	the 'mount' and	'create' ability
    	 release	  subcommand	 Allows	releasing a user hold which
    					 might destroy the snapshot
    	 rename		  subcommand	 Must also have	the 'mount' and	'create'
    					 ability in the	new parent
    	 rollback	  subcommand	 Allows	rolling	back datasets to previously-taken snapshots
    	 send		  subcommand	 Allows	sending	of snapshots
    	 share		  subcommand	 Allows	sharing	file systems over NFS or SMB
    					 protocols
    	 snapshot	  subcommand	 Allows	taking of snapshots
    	 groupquota	  other		 Allows	accessing any groupquota@... property
    	 groupused	  other		 Allows	reading	any groupused@... property
    	 key		  other		 Allows	load/unload of dataset key
    	 keychange	  other		 Allows	key change operations
    	 userprop	  other		 Allows	changing any user property
    	 userquota	  other		 Allows	accessing any userquota@... property
    	 userused	  other		 Allows	reading	any userused@... property
    
    	 The following properties can have delegated permissions applied:
    	 aclinherit	  aclmode	   atime	    canmount
    	 casesensitivity  checksum	   compression	    copies
    	 dedup		  devices	   encryption	    exec
    	 keysource	  logbias	   mountpoint	    multilevel
    	 nbmand		  normalization	   primarycache	    quota
    	 readonly	  recordsize	   refquota	    refreservation
    	 reservation	  rstchown	   secondarycache   setuid
    	 shadow		  sharenfs	   sharesmb	    snapdir
    	 sync		  utf8only	   version	    volblocksize
    	 volsize	  vscan		   xattr	    zoned
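           The NOTES column above lists prerequisites between permissions (a user with create but not mount cannot use what was delegated). The following POSIX shell script is an added example, not part of the manual: it checks a comma-separated permission list for the same-dataset prerequisites before the list is handed to zfs allow. The function names and the sample lists are this example's own.

```shell
#!/bin/sh
# Check a permission list against the NOTES column of the table above
# before delegating it: create and destroy also need mount, receive also
# needs mount and create. Added example, not from the manual. clone,
# rename and promote need abilities on another dataset (the origin or
# the new parent), which one list cannot show, so they get a reminder.

# prereqs NAME: prints the permissions NAME needs on the same dataset
prereqs() {
    case "$1" in
        create|destroy) echo mount ;;
        receive)        echo "mount create" ;;
    esac
}

# has_perm LIST NAME: succeeds if NAME is in the comma-separated LIST
has_perm() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_perms LIST: prints one line per finding, returns 1 if anything
# is missing. @setname entries are skipped: zfs resolves their members.
check_perms() {
    rc=0
    for p in $(printf '%s\n' "$1" | tr ',' ' '); do
        case "$p" in
            @*) continue ;;
            clone)   echo "note: clone also needs create and mount on the origin" ;;
            promote) echo "note: promote also needs mount and promote on the origin" ;;
            rename)  echo "note: rename also needs mount and create in the new parent" ;;
        esac
        for need in $(prereqs "$p"); do
            has_perm "$1" "$need" || { echo "missing: $p requires $need"; rc=1; }
        done
    done
    return $rc
}

# Constructed lists: the first is Example 1's and is complete; the second
# would let a user create file systems that they can never mount.
check_perms "create,destroy,mount,snapshot" && echo "ok: list is complete"
check_perms "create,destroy,snapshot" || echo "fix the list before delegating"
```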
    
    
    
    SUBCOMMANDS
           All subcommands that modify state are logged persistently to the pool
           in their original form.

           zfs ?

               Displays a help message.


           zfs help command | help | property property-name | permission

               Displays zfs command usage information. You can display help for
               a specific command, property, or delegated permission. If you
               display help for a specific command or property, the command
               syntax or property value is displayed. Using zfs help without any
               arguments displays a complete list of zfs commands.


           zfs help -l properties

               Displays zfs property information, including whether the property
               value is editable and inheritable, and their possible values.
    
    
           zfs allow filesystem | volume
    
               Displays permissions that have been delegated on the specified
               filesystem or volume. See the other forms of zfs allow for more
               information.


           zfs allow [-ldug] everyone|user|group[,...] perm|@setname[,...]
               filesystem|volume
           zfs allow [-ld] -e perm|@setname[,...] filesystem|volume
    
    	   Delegates  ZFS  administration  permission  for the file systems to
    	   non-privileged users.
    
    	   [-ug] everyone|user|group[,...]
    
                   Specifies to whom the permissions are delegated. Multiple
                   entities can be specified as a comma-separated list. If
                   neither of the -ug options are specified, then the argument
                   is interpreted preferentially as the keyword everyone, then
                   as a user name, and lastly as a group name. To specify a
                   user or group named "everyone", use the -u or -g options. To
                   specify a group with the same name as a user, use the -g
                   option.
    
    
    	   [-e]	perm|@setname[,...]
    
                   Specifies that the permissions be delegated to everyone.
                   Multiple permissions may be specified as a comma-separated
                   list. Permission names are the same as ZFS subcommand and
                   property names. See the permission and property lists in
                   DESCRIPTION. Property set names, which begin with an at sign
                   (@), may be specified. See the -s form below for details.
    
    
    	   [-ld] filesystem|volume
    
                   Specifies where the permissions are delegated. If neither of
                   the -ld options are specified, or both are, then the
                   permissions are allowed for the file system or volume, and
                   all of its descendents. If only the -l option is used, then
                   the permissions are allowed "locally" only for the specified
                   file system. If only the -d option is used, then the
                   permissions are allowed only for the descendent file
                   systems.
    
    
    
           zfs allow -c perm|@setname[,...]	filesystem|volume
    
               Sets "create time" permissions. These permissions are granted
               (locally) to the creator of any newly-created descendent file
               system.
    
    
           zfs allow -s @setname perm|@setname[,...] filesystem|volume
    
               Defines or adds permissions to a permission set. The set can be
               used by other zfs allow commands for the specified file system
               and its descendents. Sets are evaluated dynamically, so changes
               to a set are immediately reflected. Permission sets follow the
               same naming restrictions as ZFS file systems, but the name must
               begin with an "at sign" (@), and can be no more than 64
               characters long.
    
    
           zfs unallow [-rldug] everyone|user|group[,...] [perm|@setname[,...]]
               filesystem|volume
           zfs unallow [-rld] -e [perm|@setname[,...]] filesystem|volume
           zfs unallow [-r] -c [perm|@setname[,...]] filesystem|volume

               Removes permissions that were granted with the zfs allow command.
               No permissions are explicitly denied, so other permissions
               granted are still in effect, for example a permission granted by
               an ancestor. If no permissions are specified, then all
               permissions for the specified user, group, or everyone are
               removed. Specifying everyone (or using the -e option) only
               removes the permissions that were granted to everyone, not all
               permissions for every user and group. See the zfs allow command
               for a description of the -ldugec options.
    
    	   -r
    
    	       Recursively  remove  the	 permissions from this file system and
    	       all descendents.
    
    
    
           zfs unallow [-r]	-s @setname [perm|@setname[,...]]
           filesystem|volume
    
    	   Removes permissions from a permission set. If  no  permissions  are
    	   specified,  then all	permissions are	removed, thus removing the set
    	   entirely.
    
    
    EXAMPLES
           Example 1 Delegating ZFS Administration Permissions on a ZFS Dataset
    
    
           The following example shows how to set permissions so that user anne
           can create, destroy, mount, and take snapshots on pool/home/anne. The
           permissions on pool/home/anne are also displayed.
    
    
    	 # zfs allow anne create,destroy,mount,snapshot	pool/home/anne
    	 # zfs allow pool/home/anne
    	 ---- Permissions on pool/home/anne -----------------------------------
    	 Local+Descendent permissions:
    		 user anne create,destroy,mount,snapshot
    
    
    
    
           Because the pool/home/anne mount point permission is set to 755 by
           default, user anne will be unable to mount file systems under
           pool/home/anne. Set an ACL similar to the following syntax to provide
           mount point access:
    
    
    	 # chmod A+user:anne:add_subdirectory:allow /pool/home/anne
    
    
    
           Example 2 Delegating Create Time Permissions on a ZFS Dataset


           The following example shows how to grant anyone in the group staff
           permission to create file systems in pool/home. This syntax also
           allows staff members to destroy their own file systems, but not to
           destroy anyone else's file system. The permissions on pool/home are
           also displayed.
    
    
    	 # zfs allow staff create,mount	pool/home
    	 # zfs allow -c	destroy	pool/home
    	 # zfs allow pool/home
    	 ---- Permissions on pool/home ----------------------------------------
    	 Create	time permissions:
    		 destroy
    	 Local+Descendent permissions:
    		 group staff create,mount
    
    
    
           Example 3 Defining and Granting a Permission Set on a ZFS Dataset


           The following example shows how to define and grant a permission set
           on the pool/home file system. The permissions on pool/home are also
           displayed.
    
    
    	 # zfs allow -s	@pset create,destroy,snapshot,mount pool/home
    	 # zfs allow staff @pset pool/home
    	 # zfs allow pool/home
    	 ---- Permissions on pool/home ----------------------------------------
    	 Permission sets:
    		 @pset create,destroy,mount,snapshot
    	 Create	time permissions:
    		 destroy
    	 Local+Descendent permissions:
    		 group staff @pset,create,mount
    
    
    
           Example 4 Delegating Property Permissions on a ZFS Dataset
    
    
           The following example shows how to grant the ability to set quotas
           and reservations on the tank/users file system. The permissions on
           tank/users are also displayed.
    
    
    	 # zfs allow mark quota,reservation tank/users
    	 # zfs allow tank/users
    	 ---- Permissions on tank/users	---------------------------------------
    	 Local+Descendent permissions:
    		 user mark quota,reservation
    	 mark% zfs set quota=10G tank/users/tim
    	 mark% zfs get quota tank/users/tim
    	 NAME		 PROPERTY  VALUE  SOURCE
    	 tank/users/tim	 quota	   10G	  local
    
    
    
           Example 5 Removing ZFS Delegated Permissions on a ZFS Dataset


           The following example shows how to remove the snapshot permission
           from the @pset permission set for the staff group on the pool/home
           file system. The permissions on pool/home are also displayed.
    
    
    	 # zfs unallow -s @pset	snapshot pool/home
    	 # zfs allow pool/home
    	 ---- Permissions on pool/home ----------------------------------------
    	 Permission sets:
    		 @pset create,destroy,mount
    	 Create	time permissions:
    		 destroy
    	 Local+Descendent permissions:
    		 group staff @pset,create,mount
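           The zfs allow output shown in these examples is what an administrator audits to learn who can actually do what once permission sets are expanded. The following POSIX shell script is an added example, not from the manual: it parses that output format with awk, resolves @setname references (including sets that reference other sets, which the -s form permits), and flags grants to everyone and grants of the allow permission, since allow lets the holder delegate further. The sample input is constructed from Example 3 with two added lines; expand_allow and SAMPLE_ALLOW are this example's own names.

```shell
#!/bin/sh
# Expand 'zfs allow <dataset>' output into effective per-entity permission
# lists by resolving @setname references against the "Permission sets:"
# section (sets may nest), then flag grants a reviewer should look at.
# Added example, not part of the manual; input format as in EXAMPLES.

expand_allow() {
    awk '
    # add(list, depth): append each name in a comma list to eff once,
    # expanding @setname members recursively (max 8 levels, guards cycles).
    function add(list, depth,    n, i, parts, p) {
        if (depth > 8) return
        n = split(list, parts, ",")
        for (i = 1; i <= n; i++) {
            p = parts[i]
            if (p in sets) add(sets[p], depth + 1)
            else if (!(p in seen)) { seen[p] = 1; eff = eff (eff == "" ? "" : ",") p }
        }
    }
    /^---- Permissions on / || NF == 0 { next }
    /permissions:$/ || /^Permission sets:$/ { section = $0; sub(/:$/, "", section); next }
    section == "Permission sets" { sets[$1] = $2; next }
    {
        if (section == "Create time permissions") { who = "creator";  perms = $1 }
        else if ($1 == "everyone")                { who = "everyone"; perms = $2 }
        else                                      { who = $1 " " $2;  perms = $3 }
        eff = ""; split("", seen); add(perms, 0)
        printf "%s | %s: %s\n", section, who, eff
        if (who == "everyone") printf "REVIEW: everyone is granted %s\n", eff
        if (("," eff ",") ~ /,allow,/) printf "REVIEW: %s may delegate further (allow)\n", who
    }'
}

# Constructed sample: Example 3 above, plus an everyone grant and a user
# holding the allow permission, to exercise the review flags.
SAMPLE_ALLOW='---- Permissions on pool/home ----------------------------------------
Permission sets:
    @pset create,destroy,mount,snapshot
Create time permissions:
    destroy
Local permissions:
    everyone snapshot
Local+Descendent permissions:
    user anne @pset,allow
    group staff @pset,create,mount'

printf '%s\n' "$SAMPLE_ALLOW" | expand_allow
```

On a live system, replace the sample with the real output: `zfs allow pool/home | expand_allow`.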
    
    
    
    EXIT STATUS
           The following exit values are returned:
    
           0
    
    	   Successful completion.
    
    
           1
    
    	   An error occurred.
    
    
           2
    
    	   Invalid command line	options	were specified.
    
    
    ATTRIBUTES
           See attributes(5) for descriptions of the following attributes:
    
    
    
    
           +-----------------------------+-----------------------------+
           |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
           +-----------------------------+-----------------------------+
           |Availability		     |system/file-system/zfs	   |
           +-----------------------------+-----------------------------+
           |Interface Stability	     |Committed			   |
           +-----------------------------+-----------------------------+
    
    SEE ALSO
           zfs(1M), zpool(1M), chmod(2), chown(2), attributes(5)


           For information about using other ZFS features, see zfs_encrypt.1m,
           zfs_share.1m, zfs(1M) and the Managing ZFS File Systems in Oracle
           Solaris 11.3.
    
    
    
    SunOS 5.11			  23 Jul 2015			 zfs_allow(1M)
    
