Vladimir Kotal wrote:
Hello,

I'm trying to set ZFS to work with RBAC so that I could manage all ZFS
stuff w/out root. However, in my setup there is sys_mount privilege
needed:

- without sys_mount:


Currently, anything in zfs that changes dataset configurations, such as file systems and properties, requires sys_mount privilege. This actually comes from the secpolicy_zfs() function if you're curious.

ioctl(4, ZFS_IOC_CREATE, 0x0804679C)            Err#1 EPERM [sys_mount]
brk(0x080CA000)                                 = 0
fstat64(2, 0x080457C0)                          = 0
cannot create 'write(2, " c a n n o t   c r e a t".., 15)       = 15
local/testfswrite(2, " l o c a l / t e s t f s", 12)    = 12
': permission deniedwrite(2, " ' :   p e r m i s s i o".., 20)  = 20


- however with sys_mount:

vk199839:tessier:~$ ppriv $$
434:    /usr/bin/bash
flags = <none>
        E: basic,dtrace_kernel,dtrace_proc,dtrace_user,sys_mount
        I: basic,dtrace_kernel,dtrace_proc,dtrace_user,sys_mount
        P: basic,dtrace_kernel,dtrace_proc,dtrace_user,sys_mount
        L: all
vk199839:tessier:~$ profiles
ZFS Storage Management
ZFS File system Management
Basic Solaris User
All
vk199839:tessier:~$ pfexec zfs create local/testfs
vk199839:tessier:~$ echo $?
0
vk199839:tessier:~$ zfs list |grep testfs
local/testfs             9K   191G     9K  /local/testfs
vk199839:sier:~$ ls -ald /local/testfs/
drwxr-xr-x   2 root     sys            2 Sep 12 19:15 /local/testfs/
vk199839:tessier:~$ ls -ald /local/
drwxrwxr-x  14 vk199839 sys           16 Sep 12 19:15 /local/

Any idea what is wrong ?

Also, I would like the fs to be created with vk199839:sys and not with
root:sys ownership.

That will be changed once the delegated administration model is integrated. Once it is integrated, a file system's root node will be created with the uid/gid of the user that creates the file system.

For more information on this check out the following thread

http://www.opensolaris.org/jive/thread.jspa?threadID=11130&tstart=15



  -Mark
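
An added example, not part of the original messages: a small Python check that reads truss output for EPERM lines annotated with a privilege name and compares that privilege against the sets printed by ppriv. The sample inputs are constructed from the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed inputs modelled on the truss and ppriv output quoted in the thread.
TRUSS_SAMPLE = """\
ioctl(4, ZFS_IOC_CREATE, 0x0804679C)            Err#1 EPERM [sys_mount]
brk(0x080CA000)                                 = 0
fstat64(2, 0x080457C0)                          = 0
"""
PPRIV_WITHOUT = """\
434:    /usr/bin/bash
flags = <none>
        E: basic,dtrace_kernel,dtrace_proc,dtrace_user
        I: basic,dtrace_kernel,dtrace_proc,dtrace_user
        P: basic,dtrace_kernel,dtrace_proc,dtrace_user
        L: all
"""
PPRIV_WITH = PPRIV_WITHOUT.replace("dtrace_user", "dtrace_user,sys_mount")

# truss shows the privilege the failed call needed in brackets, e.g. "[sys_mount]".
EPERM_RE = re.compile(r"^(\w+)\((.*)\)\s+Err#\d+\s+EPERM\s+\[([^\]]+)\]")
SET_RE = re.compile(r"^\s*([EIPL]):\s*(\S+)")

def denied_calls(truss_text):
    """Return (syscall, args, privilege) for every EPERM line naming a privilege."""
    hits = []
    for line in truss_text.splitlines():
        m = EPERM_RE.match(line)
        if m:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits

def parse_ppriv(ppriv_text):
    """Map each set letter (E, I, P, L) to the privilege names listed for it."""
    sets = {}
    for line in ppriv_text.splitlines():
        m = SET_RE.match(line)
        if m:
            sets[m.group(1)] = set(m.group(2).split(","))
    return sets

def holds(priv_set, priv):
    # Only the "all" alias is expanded; "basic" is treated as an opaque name.
    return "all" in priv_set or priv in priv_set

def explain(truss_text, ppriv_text):
    """For each denied call, report whether the privilege is effective or at least within the limit set."""
    sets = parse_ppriv(ppriv_text)
    return [{"syscall": s, "args": a, "privilege": p,
             "effective": holds(sets.get("E", set()), p),
             "within_limit": holds(sets.get("L", set()), p)}
            for s, a, p in denied_calls(truss_text)]

if __name__ == "__main__":
    for finding in explain(TRUSS_SAMPLE, PPRIV_WITHOUT):
        print(finding)
```

A finding with `effective` false and `within_limit` true means the privilege can still be granted to the process, for example through an RBAC profile, without touching the limit set.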