Marco van Wieringen wrote:
Hi,

Am I right to assume ZFS currently doesn't support the least privilege model ?

No you are not correct it does support privileges.

I'm trying to make bacula run as non root on zfs and be able to restore
files a non-root with the correct least privilege modes but when I
enable debugging with ppriv -D <pid> I get

Nov  5 20:39:27 corona genunix: [ID 702911 kern.notice] bacula-fd[9685]: missing 
privilege "ALL" (euid = 110, syscall = 5) needed at zfs_zaccess+0x1fc

syscall 5 is open(2). That likely means you are trying to write to a root owned file which requires ALL privilege otherwise file_dac_write is equivalent to all privileges. See the privileges(5) man page for a detailed explanation.

UFS and tmpfs have the same behaviour.

I recommend reading the Sun Blueprint "Privilege Debugging in the Solaris 10 Operating System" which you can find off the OpenSolaris Security web page:

http://hub.opensolaris.org/bin/view/Community+Group+security/library

or directly at:

http://www.sun.com/blueprints/0206/819-5507.pdf

--
Darren J Moffat
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss

Reply via email to