From owner-freebsd-stable@FreeBSD.ORG Tue May 25 20:13:18 2010
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B38521065676 for ; Tue, 25 May 2010 20:13:18 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org)
Received: from qmta08.westchester.pa.mail.comcast.net (qmta08.westchester.pa.mail.comcast.net [76.96.62.80]) by mx1.freebsd.org (Postfix) with ESMTP id 5A35A8FC12 for ; Tue, 25 May 2010 20:13:18 +0000 (UTC)
Received: from omta09.westchester.pa.mail.comcast.net ([76.96.62.20]) by qmta08.westchester.pa.mail.comcast.net with comcast id MmRR1e0060SCNGk58wDJdm; Tue, 25 May 2010 20:13:18 +0000
Received: from koitsu.dyndns.org ([98.248.46.159]) by omta09.westchester.pa.mail.comcast.net with comcast id MwDG1e00T3S48mS3VwDHi3; Tue, 25 May 2010 20:13:18 +0000
Received: by icarus.home.lan (Postfix, from userid 1000) id 5DB069B418; Tue, 25 May 2010 13:13:15 -0700 (PDT)
Date: Tue, 25 May 2010 13:13:15 -0700
From: Jeremy Chadwick
To: jhell
Message-ID: <20100525201315.GA20323@icarus.home.lan>
References: <20100524190433.GA36301@icarus.home.lan> <4BFC2354.5040104@dataix.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4BFC2354.5040104@dataix.net>
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: Mikkel Skaerris , freebsd-stable@freebsd.org
Subject: Re: Zpool scrub and not-root users
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 25 May 2010 20:13:18 -0000

On Tue, May 25, 2010 at 03:21:56PM -0400, jhell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/24/2010 15:04, Jeremy Chadwick wrote:
> > On Mon, May 24, 2010 at 05:00:03PM +0200, Mikkel Skaerris wrote:
> >> I'm wondering if there is a way of allowing non-root users to perform a disk
> >> scrub using zpool scrub . I've been messing around with permissions,
> >> but no luck so far. Anyone got a clue?
> >
> > One question: why? Followed by one answer: sudo. :-)
> >
>
> He does not need to add another layer of insecurity to his system such
> as sudo. Not saying that this is bad, but it feels like a little overkill
> for something as simple as this.
>
> This can be done old-school.
>
> pw groupadd _zfsadm
> pw groupmod _zfsadm -m {username}
> chmod u+s,o-rx /sbin/zpool
> chown :_zfsadm /sbin/zpool
>
> Repeat command line 2 for every user you want to have root-type access
> to /sbin/zpool.
>
> Of course you do not need the _zfsadm group to do this. You could just
> use the wheel group, which in turn gives any member of that group su(1)
> access to the root user, so your commands would turn into...
>
> pw groupmod wheel -m {username}
> chmod u+s,o-rx /sbin/zpool
>
> Because this binary is already installed with group wheel there is no need
> to chown it. And this is a little more implicit that you trust anyone with
> access to the zpool command will also be having access to su(1).
>
> Pick one, and I'll leave the "how to keep these permissions through
> upgrades/updates of world" up to you.

If I'm misunderstanding what the OP wants, then I welcome correction.

I read the OP to want users to be able to run "zpool scrub", so I took
that literally -- "/sbin/zpool scrub " and nothing more.

sudo offers the ability for the OP to provide root-level access to
defined users and ONLY the ability to run "/sbin/zpool scrub {pool}" and
nothing more (e.g. not "/sbin/zpool remove" or similar). It could also
be used to define certain users to scrub only certain pools.

Your first and second solutions allow any user added to _zfsadm and
group wheel, respectively, the ability to use /sbin/zpool. I hear
"zpool destroy -f" is a fun command to run while the system
administrator isn't looking. :-)

--
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
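The sudoers policy Jeremy describes (root-level access to "/sbin/zpool scrub {pool}" and nothing else, per user and per pool), written out as an added example that is not part of this thread or of any FreeBSD code. The user names (mikkel, jhell), the pool names (tank, backup) and the drop-in location are assumptions; the fragment assumes the sudo port's sudoers file includes its sudoers.d directory, as its sample configuration does. Unlike the setuid approach it changes nothing under /sbin, so installworld cannot silently undo it.

```sudoers
# Added example (not from the thread): let named users run
# "zpool scrub <pool>" for specific pools, and no other zpool subcommand.
# Assumed names: users mikkel and jhell, pools tank and backup.
# Install as a separate file, e.g. /usr/local/etc/sudoers.d/zfs-scrub,
# and run "visudo -c -f /usr/local/etc/sudoers.d/zfs-scrub" before use.

# One alias per pool. sudoers matches arguments exactly, so this permits
# "zpool scrub tank" only: not "zpool scrub -s tank" (stop a scrub),
# not "zpool scrub tank backup", and not "zpool destroy -f tank".
Cmnd_Alias SCRUB_TANK   = /sbin/zpool scrub tank
Cmnd_Alias SCRUB_BACKUP = /sbin/zpool scrub backup

# Per-user, per-pool grants: mikkel may scrub tank, jhell may scrub both.
# Drop NOPASSWD if the users should authenticate first.
mikkel ALL = (root) NOPASSWD: SCRUB_TANK
jhell  ALL = (root) NOPASSWD: SCRUB_TANK, SCRUB_BACKUP

# Do NOT write the rule below. In sudoers a wildcard also matches
# whitespace, so "/sbin/zpool scrub *" would accept "zpool scrub -s tank"
# and "zpool scrub tank backup" as well (see sudoers(5), "Wildcards").
# Cmnd_Alias SCRUB_ANY = /sbin/zpool scrub *
```

To check the result, run "sudo -l -U mikkel" as root to list exactly what mikkel is allowed, then as mikkel run "sudo /sbin/zpool scrub tank" (permitted) and "sudo /sbin/zpool scrub backup" (denied and logged). Every invocation, granted or refused, lands in sudo's log, which the setuid-binary approach in the quoted reply gives you no equivalent of.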