Date: Fri, 6 Apr 2018 17:01:27 +0300 From: Andriy Gapon <avg@FreeBSD.org> To: Stilez Stilezy <stilezy@gmail.com> Cc: freebsd-fs <freebsd-fs@freebsd.org> Subject: Re: Does setuid=on work on ZFS datasets, or is the man page for zfs misleading? Message-ID: <672e2c84-b906-4073-0206-7eb1720adc7e@FreeBSD.org> In-Reply-To: <CAFwhr77WP_rDb1%2BAW-hbe8vcWdnpa-KXU0xjMryvmX-isa5W7g@mail.gmail.com> References: <CAFwhr76YOacX7kS87M-xRhcnkQGYGcmpYz%2BKU6rok2b-Wt_GHA@mail.gmail.com> <7eba73db-3097-5c8a-eb2c-e3880fb5b501@FreeBSD.org> <CAFwhr77WP_rDb1%2BAW-hbe8vcWdnpa-KXU0xjMryvmX-isa5W7g@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 06/04/2018 16:12, Stilez Stilezy wrote: > Thanks Andriy, > > Please read in the manual what ZFS setuid property means. > By the way, it's on by default, so you would typically turn it off if you don't > want suid binaries. And, of course, suiddir != setuid and ZFS does not support > it, afaict. > TLDR: yes, setuid works; no, it's not suiddir. > > > I did look up the ZFS setuid property in the man pages. If there are there pages > I missed, can you point me to them (and sorry for not finding them!) > > > *[man zfs]:* > > setuid=on | off > Controls whether the set-UID bit is respected for the file system. > > [Does not say anything else, seems perfectly clear] > Except that the original, conventional and default meaning for set-UID is for executable files. Also, don't forget that this manual page originated on illumos (!= FreeBSD). E.g., see POSIX: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/sys_stat.h.html S_ISUID 04000 Set-user-ID on execution. S_ISGID 02000 Set-group-ID on execution. > *[man chmod]* - where it's documented what the set-UID bit does when set on > a file system: > > 4000 (the setuid bit). > Directories with this bit set will force all files and sub- > directories created in them to be owned by the directory > owner and not by the uid of the creating process, if the > underlying file system supports this feature... Right. The last clause is very important. > [Does **not** say that mount -o suiddir is/isn't required, or is/isn't > a "blocker". > Just says "see suiddir mounting option". But zfs man page has already > said > the bit **will** be respected. It's a bit conflicting.] Yes, ZFS respects the bit in the standard compliant sense. Not in a FreeBSD-specific optional extension sense. > Like I said, the man pages seem a bit conflicted. *[man zfs]* definitely says it > provides an option for the setuid bit to be respected for the file system - it > doesn't say "for files only" or any other limitation. It just says that setuid > will be "respected for the file system" if the flag is enabled on the dataset. > *[man chmod]* describes what happens if setuid is "respected on a file system". > It's clear that this will force+inherit directory ownership "if the underlying > file system supports this feature". As [man zfs] already says set_UID will be > "respected", set-UID is clearly supported by ZFS. > > As you can see, I did read the man pages carefully. That's why I asked help to > understand if it was documentation, implementation, or invocation, which was the > issue. > > If the zfs setuid property _doesn't_ mean the same as normal enabling of the > setuid bit functionality, then the [man zfs] page is misleading. If it works > only for files but not for directories, it's also misleading. No, it is not misleading. You just have wrong default expectations :-) This wikipedia page seems to be surprisingly correct: https://en.wikipedia.org/wiki/Setuid > So I hope you can > see, I'm not asking because of failure to read the man pages. I really did read, > and followed them carefully, before asking. > > So your answer was helpful (thank you!), even if I don't understand what info I > didn't read in the man pages. I have 2 quick points arising: > > > 1. I gather from your reply that even with this flag set, set-UID for ZFS based > directories' ownership/inheritance is not "respected for the file system" - > or not fully respected in the sense normally understood as in [man chmod]? > If that's the case then [man zfs] is incorrect - please can you confirm > exactly what is this flag's functionality, since it's unclear? Just to repeat what I said above. It is respected in the normally understood sense. The FreeBSD extension (that has to be enabled via a special non-default kernel option and that works only for a small set of filesystems) is not supported. > 2. Returning to the original issue, is there any way one can automatically > force owner+owner inheritance, for data in a zfs dataset? This is 21st century. Access control lists. > Thank you for your help, even if not the ideal answer. > I hope these last couple of points are easy to clear up, and not annoying :) -- Andriy Gapon
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?672e2c84-b906-4073-0206-7eb1720adc7e>