From: jhell
Sender: "J. Hellenthal"
Date: Tue, 25 May 2010 15:21:56 -0400
To: Jeremy Chadwick
Cc: Mikkel Skaerris, freebsd-stable@freebsd.org
Subject: Re: Zpool scrub and not-root users
Message-ID: <4BFC2354.5040104@dataix.net>
In-Reply-To: <20100524190433.GA36301@icarus.home.lan>
List-Id: Production branch of FreeBSD source code

On 05/24/2010 15:04, Jeremy Chadwick wrote:
> On Mon, May 24, 2010 at 05:00:03PM +0200, Mikkel Skaerris wrote:
>> I'm wondering if there is a way of allowing non-root users to perform a disk
>> scrub using zpool scrub . I've been messing around with permissions,
>> but no luck so far. Anyone got a clue?
>
> One question: why?  Followed by one answer: sudo.  :-)
>

He does not need to add another layer of insecurity to his system such
as sudo. Not saying that this is bad but it feels like a little overkill
for something as simple as this.

This can be done old-school.

    pw groupadd _zfsadm
    pw groupmod _zfsadm -m {username}
    chmod u+s,o-rx /sbin/zpool
    chown :_zfsadm /sbin/zpool

Repeat command line 2 for every user you want to have root type access
to /sbin/zpool.

Of course you do not need the zfsadm group to do this. You could just
use the wheel group which in turn gives any member of that group su(1)
access to the root user, so your commands would turn into...

    pw groupmod wheel -m {username}
    chmod u+s,o-rx /sbin/zpool

Because this binary is already installed group wheel there is no need to
chown it. And this is a little more implicit that you trust anyone with
access to the zpool command will also be having access to su(1).

Pick one, and I'll leave the "how to keep these permissions through
upgrades/updates of world" up to you.

Good luck & regards,

--
jhell
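
Added example, not part of the message above: a POSIX sh check that reports when /sbin/zpool no longer has the mode, owner and group the commands in the message set up (for instance after an upgrade of world), and that lists who is in the granting group. The script name, the function names and the expected mode string -r-sr-x--- (which assumes the binary started at mode 0555, owner root) are assumptions.

```shell
#!/bin/sh
# Added example: drift check for the setuid /sbin/zpool arrangement.
# Assumed invocation (script name is hypothetical):
#   sh check_zpool_perms.sh /sbin/zpool -r-sr-x--- root _zfsadm

# check_setuid_binary FILE MODE OWNER GROUP
# Prints one line per mismatch. Returns 0 = as expected, 1 = drift, 2 = missing.
check_setuid_binary() {
    file=$1; want_mode=$2; want_owner=$3; want_group=$4
    if [ ! -e "$file" ]; then
        echo "MISSING $file"
        return 2
    fi
    # Parse ls -ld rather than stat(1), whose flags differ between FreeBSD
    # and GNU. substr() drops any ACL/flag marker after the 10 mode chars.
    set -- $(ls -ld "$file" | awk '{ print substr($1, 1, 10), $3, $4 }')
    drift=0
    [ "$1" = "$want_mode" ] ||
        { echo "DRIFT $file mode $1, expected $want_mode"; drift=1; }
    [ "$2" = "$want_owner" ] ||
        { echo "DRIFT $file owner $2, expected $want_owner"; drift=1; }
    [ "$3" = "$want_group" ] ||
        { echo "DRIFT $file group $3, expected $want_group"; drift=1; }
    return "$drift"
}

# list_group_members GROUP
# Prints the comma-separated member list of GROUP: every account named
# here can run the setuid binary with root privileges. Accounts that have
# GROUP as their primary group are not in this field.
list_group_members() {
    getent group "$1" | awk -F: '{ print $4 }'
}

# Run the check only when called with the four arguments.
if [ $# -eq 4 ]; then
    check_setuid_binary "$@"
fi
```

A non-zero exit status makes the script usable from cron or a post-upgrade hook; a group drift back to wheel means the access list has silently become the wheel membership.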