c/mirror_zfs
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_zfs.git synced 2026-05-23 10:54:35 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add zfs allow and zfs unallow support

Browse Source 
ZFS allows for specific permissions to be delegated to normal users
with the `zfs allow` and `zfs unallow` commands.  In addition, non-
privileged users should be able to run all of the following commands:

  * zpool [list | iostat | status | get]
  * zfs [list | get]

Historically this functionality was not available on Linux.  In order
to add it the secpolicy_* functions needed to be implemented and mapped
to the equivalent Linux capability.  Only then could the permissions on
the `/dev/zfs` be relaxed and the internal ZFS permission checks used.

Even with this change some limitations remain.  Under Linux only the
root user is allowed to modify the namespace (unless it's a private
namespace).  This means the mount, mountpoint, canmount, unmount,
and remount delegations cannot be supported with the existing code.  It
may be possible to add this functionality in the future.

This functionality was validated with the cli_user and delegation test
cases from the ZFS Test Suite.  These tests exhaustively verify each
of the supported permissions which can be delegated and ensures only
an authorized user can perform it.

Two minor bug fixes were required for test-running.py.  First, the
Timer() object cannot be safely created in a `try:` block when there
is an unconditional `finally` block which references it.  Second,
when running as a normal user also check for scripts using the
both the .ksh and .sh suffixes.

Finally, existing users who are simulating delegations by setting
group permissions on the /dev/zfs device should revert that
customization when updating to a version with this change.

Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tony Hutter <hutter2@llnl.gov>
Closes #362 
Closes #434 
Closes #4100
Closes #4394 
Closes #4410 
Closes #4487
This commit is contained in:
Brian Behlendorf
2016-06-07 09:16:52 -07:00
parent 2627e75245
commit f74b821a66
78 changed files with 759 additions and 242 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/zfs-tests/include/libtest.shlib
+10 -5
View File
@@ -1876,6 +1876,14 @@ function add_user #<group_name> <user_name> <basedir>
log_must $USERADD -g $gname -d $basedir/$uname -m $uname
# Add new users to the same group and the command line utils.
# This allows them to be run out of the original users home
# directory as long as it permissioned to be group readable.
if is_linux; then
cmd_group=$(stat --format="%G" $ZFS)
log_must $USERMOD -a -G $cmd_group $uname
fi
return 0
}
@@ -1919,15 +1927,11 @@ function add_group #<group_name>
# Assign 100 as the base gid, a larger value is selected for
# Linux because for many distributions 1000 and under are reserved.
if is_linux; then
typeset -i gid=1500
while true; do
$GROUPADD -g $gid $group > /dev/null 2>&1
$GROUPADD $group > /dev/null 2>&1
typeset -i ret=$?
case $ret in
0) return 0 ;;
# The gid is not unique
9) ((gid += 1)) ;;
*) return 1 ;;
esac
done
@@ -2592,6 +2596,7 @@ function user_run
typeset user=$1
shift
log_note "user:$user $@"
eval \$SU \$user -c \"$@\" > /tmp/out 2>/tmp/err
return $?
}