
oasis-root

Compiled tree of Oasis Linux based on own branch at <https://hacktivis.me/git/oasis/> git clone https://anongit.hacktivis.me/git/oasis-root.git

zfs-unallow.8 (15240B)


.\"
.\" CDDL HEADER START
.\"
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\"
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or https://opensource.org/licenses/CDDL-1.0.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\"
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.\"
.\" CDDL HEADER END
.\"
.\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 2011 Joshua M. Clulow <josh@sysmgr.org>
.\" Copyright (c) 2011, 2019 by Delphix. All rights reserved.
.\" Copyright (c) 2013 by Saso Kiselkov. All rights reserved.
.\" Copyright (c) 2014, Joyent, Inc. All rights reserved.
.\" Copyright (c) 2014 by Adam Stevko. All rights reserved.
.\" Copyright (c) 2014 Integros [integros.com]
.\" Copyright 2019 Richard Laager. All rights reserved.
.\" Copyright 2018 Nexenta Systems, Inc.
.\" Copyright 2019 Joyent, Inc.
.\"
.Dd March 16, 2022
.Dt ZFS-ALLOW 8
.Os
.
.Sh NAME
.Nm zfs-allow
.Nd delegate ZFS administration permissions to unprivileged users
.Sh SYNOPSIS
.Nm zfs
.Cm allow
.Op Fl dglu
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns …
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm allow
.Op Fl dl
.Fl e Ns | Ns Sy everyone
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm allow
.Fl c
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm allow
.Fl s No @ Ns Ar setname
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl dglru
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns …
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl dlr
.Fl e Ns | Ns Sy everyone
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl r
.Fl c
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl r
.Fl s No @ Ns Ar setname
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.
.Sh DESCRIPTION
.Bl -tag -width ""
.It Xo
.Nm zfs
.Cm allow
.Ar filesystem Ns | Ns Ar volume
.Xc
Displays permissions that have been delegated on the specified filesystem or
volume.
See the other forms of
.Nm zfs Cm allow
for more information.
.Pp
Delegations are supported under Linux with the exception of
.Sy mount ,
.Sy unmount ,
.Sy mountpoint ,
.Sy canmount ,
.Sy rename ,
and
.Sy share .
These permissions cannot be delegated because the Linux
.Xr mount 8
command restricts modifications of the global namespace to the root user.
.It Xo
.Nm zfs
.Cm allow
.Op Fl dglu
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns …
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Xc
.It Xo
.Nm zfs
.Cm allow
.Op Fl dl
.Fl e Ns | Ns Sy everyone
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Xc
Delegates ZFS administration permission for the file systems to non-privileged
users.
.Bl -tag -width "-d"
.It Fl d
Allow only for the descendent file systems.
.It Fl e Ns | Ns Sy everyone
Specifies that the permissions be delegated to everyone.
.It Fl g Ar group Ns Oo , Ns Ar group Oc Ns …
Explicitly specify that permissions are delegated to the group.
.It Fl l
Allow
.Qq locally
only for the specified file system.
.It Fl u Ar user Ns Oo , Ns Ar user Oc Ns …
Explicitly specify that permissions are delegated to the user.
.It Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns …
Specifies to whom the permissions are delegated.
Multiple entities can be specified as a comma-separated list.
If neither of the
.Fl gu
options are specified, then the argument is interpreted preferentially as the
keyword
.Sy everyone ,
then as a user name, and lastly as a group name.
To specify a user or group named
.Qq everyone ,
use the
.Fl g
or
.Fl u
options.
To specify a group with the same name as a user, use the
.Fl g
option.
.It Xo
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Xc
The permissions to delegate.
Multiple permissions may be specified as a comma-separated list.
Permission names are the same as ZFS subcommand and property names.
See the property list below.
Property set names, which begin with
.Sy @ ,
may be specified.
See the
.Fl s
form below for details.
.El
.Pp
If neither of the
.Fl dl
options are specified, or both are, then the permissions are allowed for the
file system or volume, and all of its descendents.
.Pp
Permissions are generally the ability to use a ZFS subcommand or change a ZFS
property.
The following permissions are available:
.TS
l l l .
NAME	TYPE	NOTES
_	_	_
allow	subcommand	Must also have the permission that is being allowed
bookmark	subcommand
clone	subcommand	Must also have the \fBcreate\fR ability and \fBmount\fR ability in the origin file system
create	subcommand	Must also have the \fBmount\fR ability. Must also have the \fBrefreservation\fR ability to create a non-sparse volume.
destroy	subcommand	Must also have the \fBmount\fR ability
diff	subcommand	Allows lookup of paths within a dataset given an object number, and the ability to create snapshots necessary to \fBzfs diff\fR.
hold	subcommand	Allows adding a user hold to a snapshot
load-key	subcommand	Allows loading and unloading of encryption key (see \fBzfs load-key\fR and \fBzfs unload-key\fR).
change-key	subcommand	Allows changing an encryption key via \fBzfs change-key\fR.
mount	subcommand	Allows mounting/umounting ZFS datasets
promote	subcommand	Must also have the \fBmount\fR and \fBpromote\fR ability in the origin file system
receive	subcommand	Must also have the \fBmount\fR and \fBcreate\fR ability
release	subcommand	Allows releasing a user hold which might destroy the snapshot
rename	subcommand	Must also have the \fBmount\fR and \fBcreate\fR ability in the new parent
rollback	subcommand	Must also have the \fBmount\fR ability
send	subcommand
share	subcommand	Allows sharing file systems over NFS or SMB protocols
snapshot	subcommand	Must also have the \fBmount\fR ability
groupquota	other	Allows accessing any \fBgroupquota@\fI…\fR property
groupobjquota	other	Allows accessing any \fBgroupobjquota@\fI…\fR property
groupused	other	Allows reading any \fBgroupused@\fI…\fR property
groupobjused	other	Allows reading any \fBgroupobjused@\fI…\fR property
userprop	other	Allows changing any user property
userquota	other	Allows accessing any \fBuserquota@\fI…\fR property
userobjquota	other	Allows accessing any \fBuserobjquota@\fI…\fR property
userused	other	Allows reading any \fBuserused@\fI…\fR property
userobjused	other	Allows reading any \fBuserobjused@\fI…\fR property
projectobjquota	other	Allows accessing any \fBprojectobjquota@\fI…\fR property
projectquota	other	Allows accessing any \fBprojectquota@\fI…\fR property
projectobjused	other	Allows reading any \fBprojectobjused@\fI…\fR property
projectused	other	Allows reading any \fBprojectused@\fI…\fR property
aclinherit	property
aclmode	property
acltype	property
atime	property
canmount	property
casesensitivity	property
checksum	property
compression	property
context	property
copies	property
dedup	property
defcontext	property
devices	property
dnodesize	property
encryption	property
exec	property
filesystem_limit	property
fscontext	property
keyformat	property
keylocation	property
logbias	property
mlslabel	property
mountpoint	property
nbmand	property
normalization	property
overlay	property
pbkdf2iters	property
primarycache	property
quota	property
readonly	property
recordsize	property
redundant_metadata	property
refquota	property
refreservation	property
relatime	property
reservation	property
rootcontext	property
secondarycache	property
setuid	property
sharenfs	property
sharesmb	property
snapdev	property
snapdir	property
snapshot_limit	property
special_small_blocks	property
sync	property
utf8only	property
version	property
volblocksize	property
volmode	property
volsize	property
vscan	property
xattr	property
zoned	property
.TE
.It Xo
.Nm zfs
.Cm allow
.Fl c
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Xc
Sets
.Qq create time
permissions.
These permissions are granted
.Pq locally
to the creator of any newly-created descendent file system.
.It Xo
.Nm zfs
.Cm allow
.Fl s No @ Ns Ar setname
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Xc
Defines or adds permissions to a permission set.
The set can be used by other
.Nm zfs Cm allow
commands for the specified file system and its descendents.
Sets are evaluated dynamically, so changes to a set are immediately reflected.
Permission sets follow the same naming restrictions as ZFS file systems, but the
name must begin with
.Sy @ ,
and can be no more than 64 characters long.
.It Xo
.Nm zfs
.Cm unallow
.Op Fl dglru
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns …
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
.It Xo
.Nm zfs
.Cm unallow
.Op Fl dlr
.Fl e Ns | Ns Sy everyone
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
.It Xo
.Nm zfs
.Cm unallow
.Op Fl r
.Fl c
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
Removes permissions that were granted with the
.Nm zfs Cm allow
command.
No permissions are explicitly denied, so other permissions granted are still in
effect, for example a permission that is also granted by an ancestor.
If no permissions are specified, then all permissions for the specified
.Ar user ,
.Ar group ,
or
.Sy everyone
are removed.
Specifying
.Sy everyone
.Po or using the
.Fl e
option
.Pc
only removes the permissions that were granted to everyone, not all permissions
for every user and group.
See the
.Nm zfs Cm allow
command for a description of the
.Fl ldugec
options.
.Bl -tag -width "-r"
.It Fl r
Recursively remove the permissions from this file system and all descendents.
.El
.It Xo
.Nm zfs
.Cm unallow
.Op Fl r
.Fl s No @ Ns Ar setname
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
Removes permissions from a permission set.
If no permissions are specified, then all permissions are removed, thus removing
the set entirely.
.El
.
.Sh EXAMPLES
.\" These are, respectively, examples 17, 18, 19, 20 from zfs.8
.\" Make sure to update them bidirectionally
.Ss Example 1 : No Delegating ZFS Administration Permissions on a ZFS Dataset
The following example shows how to set permissions so that user
.Ar cindys
can create, destroy, mount, and take snapshots on
.Ar tank/cindys .
The permissions on
.Ar tank/cindys
are also displayed.
.Bd -literal -compact -offset Ds
.No # Nm zfs Cm allow Sy cindys create , Ns Sy destroy , Ns Sy mount , Ns Sy snapshot Ar tank/cindys
.No # Nm zfs Cm allow Ar tank/cindys
---- Permissions on tank/cindys --------------------------------------
Local+Descendent permissions:
	user cindys create,destroy,mount,snapshot
.Ed
.Pp
Because the
.Ar tank/cindys
mount point permission is set to 755 by default, user
.Ar cindys
will be unable to mount file systems under
.Ar tank/cindys .
Add an ACE similar to the following syntax to provide mount point access:
.Dl # Cm chmod No A+user : Ns Ar cindys Ns :add_subdirectory:allow Ar /tank/cindys
.
.Ss Example 2 : No Delegating Create Time Permissions on a ZFS Dataset
The following example shows how to grant anyone in the group
.Ar staff
permission to create file systems in
.Ar tank/users .
This syntax also allows staff members to destroy their own file systems, but not
destroy anyone else's file system.
The permissions on
.Ar tank/users
are also displayed.
.Bd -literal -compact -offset Ds
.No # Nm zfs Cm allow Ar staff Sy create , Ns Sy mount Ar tank/users
.No # Nm zfs Cm allow Fl c Sy destroy Ar tank/users
.No # Nm zfs Cm allow Ar tank/users
---- Permissions on tank/users ---------------------------------------
Permission sets:
	destroy
Local+Descendent permissions:
	group staff create,mount
.Ed
.
.Ss Example 3 : No Defining and Granting a Permission Set on a ZFS Dataset
The following example shows how to define and grant a permission set on the
.Ar tank/users
file system.
The permissions on
.Ar tank/users
are also displayed.
.Bd -literal -compact -offset Ds
.No # Nm zfs Cm allow Fl s No @ Ns Ar pset Sy create , Ns Sy destroy , Ns Sy snapshot , Ns Sy mount Ar tank/users
.No # Nm zfs Cm allow staff No @ Ns Ar pset tank/users
.No # Nm zfs Cm allow Ar tank/users
---- Permissions on tank/users ---------------------------------------
Permission sets:
	@pset create,destroy,mount,snapshot
Local+Descendent permissions:
	group staff @pset
.Ed
.
.Ss Example 4 : No Delegating Property Permissions on a ZFS Dataset
The following example shows how to grant the ability to set quotas and
reservations on the
.Ar users/home
file system.
The permissions on
.Ar users/home
are also displayed.
.Bd -literal -compact -offset Ds
.No # Nm zfs Cm allow Ar cindys Sy quota , Ns Sy reservation Ar users/home
.No # Nm zfs Cm allow Ar users/home
---- Permissions on users/home ---------------------------------------
Local+Descendent permissions:
	user cindys quota,reservation
cindys% zfs set quota=10G users/home/marks
cindys% zfs get quota users/home/marks
NAME PROPERTY VALUE SOURCE
users/home/marks quota 10G local
.Ed
.
.Ss Example 5 : No Removing ZFS Delegated Permissions on a ZFS Dataset
The following example shows how to remove the snapshot permission from the
.Ar staff
group on the
.Sy tank/users
file system.
The permissions on
.Sy tank/users
are also displayed.
.Bd -literal -compact -offset Ds
.No # Nm zfs Cm unallow Ar staff Sy snapshot Ar tank/users
.No # Nm zfs Cm allow Ar tank/users
---- Permissions on tank/users ---------------------------------------
Permission sets:
	@pset create,destroy,mount,snapshot
Local+Descendent permissions:
	group staff @pset
.Ed
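The permission table and the EXAMPLES section above together define what a `zfs allow` listing looks like and which permissions only work in combination (the NOTES column), which permissions cannot be delegated under Linux, and that the `allow` permission lets its holder delegate onward. The following is an added example, not code from zfs-allow(8) or OpenZFS: it parses a listing in the format the page's examples print and audits it the way a reviewer of delegated ZFS privileges would, expanding `@set` references, flagging `allow` grants, grants to `everyone`, Linux-undelegatable permissions, and permissions granted without their prerequisites. It generalises past the page's examples by handling several datasets and any `… permissions:` section in one pass. The `Create time permissions:` header, the reading of a bare permission list as a create-time grant, and the dataset, user and group names in `SAMPLE` are constructed assumptions.

```python
"""Audit a `zfs allow` listing against the rules stated in zfs-allow(8).

Added example, not code from zfs-allow(8) or OpenZFS.  The listing format
follows the page's EXAMPLES section; the "Create time permissions:" header,
the reading of a bare permission list as a create-time grant, and all names
in SAMPLE are constructed assumptions.
"""
from dataclasses import dataclass

# NOTES column of the permission table in zfs-allow(8): the key permission
# is only usable together with the listed ones.
PREREQS = {
    "clone": {"create", "mount"},
    "create": {"mount"},
    "destroy": {"mount"},
    "promote": {"mount"},
    "receive": {"mount", "create"},
    "rename": {"mount", "create"},
    "rollback": {"mount"},
    "snapshot": {"mount"},
}

# zfs-allow(8) DESCRIPTION: not delegatable under Linux, because mount(8)
# reserves changes to the global namespace for root.
LINUX_UNDELEGATABLE = {"mount", "unmount", "mountpoint", "canmount", "rename", "share"}


@dataclass
class Delegation:
    dataset: str
    section: str   # header the entry appeared under, e.g. "Local+Descendent permissions"
    kind: str      # "user", "group", "everyone" or "creator" (create-time grant)
    who: str
    perms: frozenset


def parse_allow_output(text):
    """Return (delegations, sets) from the text printed by `zfs allow <dataset>`."""
    delegations, sets = [], {}
    dataset = section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("---- Permissions on "):
            dataset = line[len("---- Permissions on "):].split()[0]
            section = None
            continue
        if line.endswith(":"):
            section = line[:-1]
            continue
        tokens = line.split()
        if tokens[0].startswith("@") and len(tokens) == 2:
            # set definition: "@pset create,destroy,mount,snapshot"
            sets[tokens[0]] = frozenset(tokens[1].split(","))
        elif tokens[0] in ("user", "group") and len(tokens) == 3:
            delegations.append(Delegation(dataset, section, tokens[0], tokens[1],
                                          frozenset(tokens[2].split(","))))
        elif tokens[0] == "everyone" and len(tokens) == 2:
            delegations.append(Delegation(dataset, section, "everyone", "everyone",
                                          frozenset(tokens[1].split(","))))
        elif len(tokens) == 1:
            # bare list: create-time permissions (zfs allow -c) for the creator
            delegations.append(Delegation(dataset, section, "creator", "creator",
                                          frozenset(tokens[0].split(","))))
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return delegations, sets


def expand(perms, sets):
    """Replace @set references by their members; unknown sets are kept as-is."""
    out = set()
    for p in perms:
        if p.startswith("@"):
            out |= sets.get(p, {p})
        else:
            out.add(p)
    return out


def audit(text):
    """Return (dataset, grantee, issue, detail) findings for a listing."""
    delegations, sets = parse_allow_output(text)
    findings = []
    for d in delegations:
        perms = expand(d.perms, sets)
        who = f"{d.kind} {d.who}" if d.kind in ("user", "group") else d.kind
        for p in sorted(p for p in perms if p.startswith("@")):
            findings.append((d.dataset, who, "unknown-set", p))
        if "allow" in perms:
            # the grantee can delegate onward any permission they hold
            findings.append((d.dataset, who, "redelegation", "allow"))
        if d.kind == "everyone":
            findings.append((d.dataset, who, "everyone", ",".join(sorted(perms))))
        for p in sorted(perms & LINUX_UNDELEGATABLE):
            findings.append((d.dataset, who, "linux-undelegatable", p))
        for p in sorted(perms):
            missing = PREREQS.get(p, set()) - perms
            if missing:
                findings.append((d.dataset, who, "missing-prereq",
                                 f"{p} needs {','.join(sorted(missing))}"))
    return findings


# Constructed sample in the layout shown by the page's EXAMPLES section.
SAMPLE = """\
---- Permissions on tank/users ---------------------------------------
Permission sets:
\t@pset create,destroy,mount,snapshot
Create time permissions:
\tdestroy
Local+Descendent permissions:
\tgroup staff @pset
\tuser ops allow,snapshot
---- Permissions on tank/public --------------------------------------
Local+Descendent permissions:
\teveryone snapshot
\tuser bob create
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%-12s %-12s %-20s %s" % finding)
```

Run against the constructed listing, the audit reports the `ops` user's `allow` grant as a re-delegation right, the `everyone` grant on `tank/public`, the `mount` member of `@pset` as undelegatable under Linux, and every `create`, `destroy` or `snapshot` grant that lacks `mount`. Piping real `zfs allow` output into `audit()` works the same way; the findings are data, so they can be diffed between runs to catch new delegations.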