>Hi, > >Am I right to assume ZFS currently doesn't support the least privilege model ? >I'm trying to make bacula run as non root on zfs and be able to restore >files a non-root with the correct least privilege modes but when I >enable debugging with ppriv -D <pid> I get > >Nov 5 20:39:27 corona genunix: [ID 702911 kern.notice] bacula-fd[9685]: >missing privilege "ALL" ( euid = 110, syscall = 5) needed at zfs_zaccess+0x1fc > >Currently I have the following privs for bacula: > >basic >file_chown >file_chown_self >file_dac_read >file_dac_search >file_dac_write >file_owner >file_setid >file_flag_set > >and thought I would get the priv that is missing when running the debugging.
In the absence of MAC (Mandatory Access Control), we have made root owned objects behave differently. This is done to prevent "escalation of privileges". E.g., if you have "file_dac_write" you could write to /etc/passwd and give yourself root access. In order to write to a root owned object, you will need "all privileges" because by writing to a root owned file you can get all privileges. Try this with a non-root owned file. Casper _______________________________________________ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
