Type | Version/Name
--- | ---
Distribution Name | Fedora
Distribution Version | 29
Linux Kernel | 5.2.17-100
Architecture | x86_64
ZFS Version | 0.8.2-1
SPL Version | 0.8.2-1
Non-root users should not be allowed to list zpools by default; listing should be delegated through `zfs allow` and revoked through `zfs unallow`.
Currently non-root users can list, interact and manage zpools and datasets:
``` bash
[root@host~]# zpool list
NAME SIZE ALLOC FREE CKPOINT EXPANDSZ FRAG CAP DEDUP HEALTH ALTROOT
osg1 4.53T 3.81T 735G - - 47% 84% 1.11x ONLINE -
```
``` bash
[nonrootuser@host~]$ zpool list
NAME SIZE ALLOC FREE CKPOINT EXPANDSZ FRAG CAP DEDUP HEALTH ALTROOT
osg1 4.53T 3.81T 735G - - 47% 84% 1.11x ONLINE -
```
Ideally, the nonrootuser should only see what root has allowed through `zfs allow`.
Management tasks such as destroy or setting mountpoints fail as expected:
``` bash
[nonrootuser@host~]$ zfs set mountpoint=/athing osg1/temp
umount: only root can use "--types" option
cannot unmount '/osg1/temp': umount failed
exportfs: could not open /var/lib/nfs/.etab.lock for locking: errno 13 (Permission denied)
```
So listing is the only thing nonrootuser is allowed to do without explicitly giving permissions through `zfs allow`.
- Install ZoL through DNF
- Switch to a non-root user
- `zfs list` or `zpool list`
Hmmm, I guess I didn't try anything more "destructive":
``` bash
[nonrootuser@host~]$ zfs destroy osg1/temp
umount: only root can use "--types" option
cannot unmount '/osg1/temp': umount failed
exportfs: could not open /var/lib/nfs/.etab.lock for locking: errno 13 (Permission denied)
```
I guess I need to rephrase to remove the manage part, since that properly works.
Non-root users should not be allowed to list zpools by default
Because?
In other filesystems, are you also unable to list the mounted volumes as non-root?
Yeah, when you do df you can see what's mounted where.
The use case comes from using ZoL as a replication target for FreeNAS VMs. When setting up replication, FreeNAS can see all of the datasets available on the target system; this is because every user can list zfs datasets.
Ideally, only the pools you want the user to see should be listed by FreeNAS (or any other SSH connection, for that matter); this should be allowed through `zfs allow`.
Hope this makes sense and I'm not asking for something strange :)
Am I the only one here who still has no idea what the actual fuss is about this?
This is working as designed: unprivileged users can observe ZFS settings and properties (e.g. `zfs list`, `zfs get`, `zpool get`). Only privileged users (root or `zfs allow`-ed users) can make configuration changes (e.g. `zfs create`, `zfs set`, `zpool add`).
As far as I can understand, FreeNAS is remotely using the `zpool` command to configure backup(?) functionality. This is done using a separate user on the remote host configured in FreeNAS. The remote host has more than one pool/dataset and the author of this issue would like to limit what this user is able to list so the configuration interface in FreeNAS will list only pools/datasets that the user has access to (using the allow function).
Pretty much what @mskarbek said :) It would be great to isolate pools to specific users so that when replication is being configured, users don't pick the wrong pool erroneously.
Of course, pretty sure this works the same across all ZFS, not only ZoL, so no idea if this makes sense to have on ZoL.
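To make the delegation model discussed above concrete, here is an added example (not code from this thread or from the OpenZFS project) of how root would hand a single replication dataset to an unprivileged user with `zfs allow`, and a small audit that reads `zfs allow <dataset>` output and flags any permission outside the intended set. The user name `replicator` and the dataset `osg1/replication` are assumptions, and the sample `zfs allow` output is constructed, not captured from a real system. Note that, as the thread states, `zfs allow` controls who may change things, not who may `zfs list`; the delegated user will still see the other pools and datasets.

```shell
#!/bin/sh
# Added example, not from the issue thread or the OpenZFS project.
# Assumptions (hypothetical): replication user "replicator", target dataset
# "osg1/replication".

# Permissions a replication target needs. destroy and rollback are deliberately
# absent: a misconfigured or compromised replication job must not be able to
# delete what has already been received.
REPL_PERMS="create,mount,receive,userprop"

# Print (do not run) the commands root would use to delegate the dataset,
# so the sequence can be reviewed before it touches a pool.
delegation_commands() {
    user=$1
    ds=$2
    printf 'zfs create -p %s\n' "$ds"
    printf 'zfs allow -u %s %s %s\n' "$user" "$REPL_PERMS" "$ds"
    printf 'zfs allow %s\n' "$ds"
}

# Print the command that takes a permission set away again.
revoke_command() {
    printf 'zfs unallow -u %s %s %s\n' "$1" "$2" "$3"
}

# Audit: read `zfs allow <dataset>` output on stdin and fail if user $1 holds
# any permission that is not in the comma-separated allow list $2.
audit_delegation() {
    user=$1
    allowed=$2
    rc=0
    while IFS= read -r line; do
        case $line in
            *"user $user "*) ;;     # only lines delegating to this user
            *) continue ;;
        esac
        perms=${line##* }           # last field is the permission list
        old_ifs=$IFS
        IFS=,
        for p in $perms; do
            case ",$allowed," in
                *",$p,"*) ;;
                *) echo "unexpected permission for $user: $p" >&2; rc=1 ;;
            esac
        done
        IFS=$old_ifs
    done
    return $rc
}

# Constructed sample of `zfs allow osg1/replication` output (not captured from
# a real system) in which destroy was also handed to the replication user.
SAMPLE_ALLOW_OUTPUT='---- Permissions on osg1/replication ---------------------
Local+Descendent permissions:
        user replicator create,mount,receive,userprop,destroy'

# Dry run of the delegation, then audit the sample and print the fix if
# anything beyond the replication set is found.
delegation_commands replicator osg1/replication
if ! printf '%s\n' "$SAMPLE_ALLOW_OUTPUT" | audit_delegation replicator "$REPL_PERMS"; then
    revoke_command replicator destroy osg1/replication
fi
```

On a live system, replace the constructed sample with `zfs allow osg1/replication | audit_delegation replicator "$REPL_PERMS"` and run it from a cron job or your configuration audit, so a later, broader `zfs allow` does not go unnoticed. As the `umount` errors earlier in the thread show, mounting as a non-root user has its own restrictions on Linux; if the receiving side does not need the received datasets mounted, `zfs receive -u` avoids the mount step entirely.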