From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 232021] zfs cannot mount 'dataset': Insufficient privileges
Date: Tue, 09 Oct 2018 07:55:56 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.2-RELEASE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Status: New

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232021

--- Comment #14 from Oleg ---
(In reply to Allan Jude from comment #13)

Bob can unmount /etc or destroy it when permissions are delegated incorrectly. Don't delegate mountpoint permissions if you don't want to allow mounting to /etc. And so on... this is all about the acts of the admin who configures the system, what to allow and what not to allow. Moreover, in my case the unprivileged user is managed by the same person, i.e. me, and/or replication scripts that run from that user cannot be modified to allow dangerous acts.

What really looks "oddly asymmetrical" to me is that the VFCF_DELEGADMIN flag is not checked on mount but on unmount only.
I would like to get a patch to change this behavior, or an additional dangerous sysctl that will allow mounting anywhere for an unprivileged user.

I guess the problem here is that vfs.usermount has an effect on any user, not just the one related to delegated permissions with zfs. Right? If so, then I see why "Mounting is more dangerous". In that case the best solution will be to have individual sysctls for both mount and unmount in relation to the zfs permission delegation subsystem only... or just leave vfs.usermount for anything else except the zfs delegation subsystem and add another permission "unmount" for zfs allow... something like that should cover all scenarios.