Marco van Wieringen wrote:
> Hi,
> Am I right to assume ZFS currently doesn't support the least privilege model?

No, you are not correct; it does support privileges.

> I'm trying to make bacula run as non root on zfs and be able to restore
> files as non-root with the correct least privilege modes but when I
> enable debugging with ppriv -D <pid> I get
> Nov 5 20:39:27 corona genunix: [ID 702911 kern.notice] bacula-fd[9685]: missing
> privilege "ALL" (euid = 110, syscall = 5) needed at zfs_zaccess+0x1fc

syscall 5 is open(2). That likely means you are trying to write to a
root owned file which requires ALL privilege otherwise file_dac_write is
equivalent to all privileges. See the privileges(5) man page for a
detailed explanation.
UFS and tmpfs have the same behaviour.
I recommend reading the Sun Blueprint "Privilege Debugging in the
Solaris 10 Operating System" which you can find off the OpenSolaris
Security web page:
http://hub.opensolaris.org/bin/view/Community+Group+security/library
or directly at:
http://www.sun.com/blueprints/0206/819-5507.pdf
--
Darren J Moffat
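
An added example, not part of the original thread or of any Solaris tool: a small Python triage of ppriv -D kernel notices that collects the named privileges each program lacked and sets "ALL" events aside for a file-ownership check, following the explanation in the reply above. The first sample notice is the one quoted in the thread; the other two, including their "needed at" symbols, are constructed.

```python
import re
from collections import defaultdict

# Kernel notice format produced by "ppriv -D", as quoted in the thread.
PRIV_DEBUG = re.compile(
    r'(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s+missing\s+privilege\s+"(?P<priv>\w+)"\s+'
    r'\(euid = (?P<euid>\d+), syscall = (?P<syscall>\d+)\)\s+needed at\s+(?P<where>\S+)'
)

def parse_priv_debug(text):
    """Return one dict per privilege-debugging notice found in text."""
    # Long notices arrive wrapped, so collapse all whitespace before matching.
    flat = " ".join(text.split())
    return [m.groupdict() for m in PRIV_DEBUG.finditer(flat)]

def triage(text):
    """Split notices into named privileges to consider and "ALL" events.

    "ALL" is not a privilege to hand to a service: per the reply it likely
    means a write to a root-owned file, so those events are returned
    separately for an ownership/permission fix on the target.
    """
    grant = defaultdict(set)   # program -> named privileges it lacked
    review = []                # events that demanded every privilege
    for ev in parse_priv_debug(text):
        if ev["priv"].upper() == "ALL":
            review.append(ev)
        else:
            grant[ev["prog"]].add(ev["priv"])
    return {prog: sorted(privs) for prog, privs in grant.items()}, review

# First notice is from the thread; the other two are constructed sample data
# (real privilege names, placeholder "needed at" symbols).
SAMPLE = """\
Nov 5 20:39:27 corona genunix: [ID 702911 kern.notice] bacula-fd[9685]: missing
privilege "ALL" (euid = 110, syscall = 5) needed at zfs_zaccess+0x1fc
Nov 5 20:39:28 corona genunix: [ID 702911 kern.notice] bacula-fd[9685]: missing
privilege "file_dac_read" (euid = 110, syscall = 5) needed at example_sym+0x10
Nov 5 20:39:29 corona genunix: [ID 702911 kern.notice] bacula-fd[9685]: missing
privilege "file_dac_write" (euid = 110, syscall = 5) needed at example_sym+0x20
"""

if __name__ == "__main__":
    grant, review = triage(SAMPLE)
    for prog, privs in grant.items():
        print(f"{prog}: candidate privileges {','.join(privs)}")
    for ev in review:
        print(f"{ev['prog']}[{ev['pid']}] euid={ev['euid']} needed ALL at {ev['where']}")
```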