So I've been playing with SXCE in anticipation of the release of S10U6 (which last I heard has been delayed until sometime in October :( ) seeing how I might integrate our identity management system and ZFS provisioning using a minimum privileges service account.
I need to be able to create filesystems, rename them, delete them, and change various attributes (quota and whatnot). However, in addition to delegation using zfs allow, it seems permissions must be granted in the underlying file systems as well. In order to mount a new ZFS filesystem, an account needs permission to be able to create a directory in the containing filesystem. I suppose I can configure an ACL allowing such without any problem, but I also need to be able to update the ownership of the new filesystem to the appropriate account it is being created for. Another option would be to leave the filesystem owned by the service account, and create an explicit ACL for the user it was created for, but a fair number of UNIX applications aren't really happy when a home directory is not owned by the user whose home directory it is. What would be the best way to allow the service account to chown the newly created ZFS filesystem to the appropriate user? Right now I'm tentatively thinking of making a small suid root binary only executable by the service account which would take a username and chown appropriately. Any other suggestions? -- Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/ Operating Systems and Network Analyst | [EMAIL PROTECTED] California State Polytechnic University | Pomona CA 91768 _______________________________________________ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
