From: jhell
Sender: "J. Hellenthal"
Date: Tue, 25 May 2010 17:22:06 -0400
To: Jeremy Chadwick
Cc: Mikkel Skaerris, FreeBSD Stable
Subject: Re: Zpool scrub and not-root users
In-Reply-To: <20100525201315.GA20323@icarus.home.lan>
References: <20100524190433.GA36301@icarus.home.lan> <4BFC2354.5040104@dataix.net> <20100525201315.GA20323@icarus.home.lan>

On Tue, 25 May 2010 16:13, Jeremy Chadwick wrote:
In Message-Id: <20100525201315.GA20323@icarus.home.lan>

> On Tue, May 25, 2010 at 03:21:56PM -0400, jhell wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 05/24/2010 15:04, Jeremy Chadwick wrote:
>>> On Mon, May 24, 2010 at 05:00:03PM +0200, Mikkel Skaerris wrote:
>>>> I'm wondering if there is a way of allowing non-root users to perform a disk
>>>> scrub using zpool scrub . I've been messing around with permissions,
>>>> but no luck so far. Anyone got a clue?
>>>
>>> One question: why? Followed by one answer: sudo. :-)
>>>
>> Don't get me wrong I'm not shooting down sudo below.
: He does not need to add another layer of insecurity to his system such
: as sudo. Not saying that this is bad but it feels like a little overkill
: for something as simple as this.
>>
>> This can be done old-school.
>>
>> pw groupadd _zfsadm
>> pw groupmod _zfsadm -m {username}
>> chmod u+s,o-rx /sbin/zpool
>> chown :_zfsadm /sbin/zpool
>>
: Repeat command line 2 for every user you want to have root type access
: to /sbin/zpool.

I thought I said "root type access to /sbin/zpool".

>> Of course you do not need the zfsadm group to do this. You could just
>> use the wheel group which in turn gives any member of that group su(1)
>> access to the root user, so your commands would turn into...
>>
>> pw groupmod wheel -m {username}
>> chmod u+s,o-rx /sbin/zpool
>>
>> Because this binary is already installed group wheel there is no need to
>> chown it. And this is a little more implicit that you trust anyone with
>> access to the zpool command will also be having access to su(1)
>>
>> Pick one, and I'll leave the "how to keep these permissions through
>> upgrades/updates of world" up to you.
>
> If I'm misunderstanding what the OP wants, then I welcome correction. I
> read the OP to want users to be able to run "zpool scrub", so I took
> that literally -- "/sbin/zpool scrub " and nothing more.
>

No you are not misunderstanding but I am also taking into account that the admin said "I've been messing around with permissions" & most notably I thought that he has tried the access control methods that are administered through the use of zfs allow which also might be a possibility if the admin has world/base on a zfsroot. Second thought that came to mind while leaving the possibility open to him was your standard Unix file perms.

While thinking about the scenario in a quick sense, if this is disk activity that the admin wants to grant to a user in the form of scrub on a pool then the admin already must trust whoever he is planning to give these rights and has taken into account the possibility of misuse which has led him here asking for advice.

> sudo offers the ability for the OP to provide root-level access to
> defined users and ONLY the ability to run "/sbin/zpool scrub {pool}" and
> nothing more (e.g. not "/sbin/zpool remove" or similar). It could also
> be used to define certain users to scrub only certain pools.
>

I hope so at least that's what it was designed for.
Yes very well noted just leaving the possibility open to the admin to use something other than a third party package in case it is his policy to not have something like that installed. It happens.

> Your first and second solutions allow any user added to _zfsadm and
> group wheel, respectively, the ability to use /sbin/zpool. I hear
> "zpool destroy -f" is a fun command to run while the system
> administrator isn't looking. :-)
>

Good thing in most cases you can recover a destroyed pool or at least that's the way it was designed the last time I accidentally did that (-D). Backups are also a good thing in the case of an angry over driven highly motivated administrator or staff. ;)

--
jhell
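
Added example, not part of the original message or of either poster's configuration: a sudoers fragment for the restriction discussed in the thread, allowing only "zpool scrub" on named pools while /sbin/zpool stays without the setuid bit. The pool names "tank" and "backup", the user "alice" and the file path are assumptions; _zfsadm is the group name used in the thread.

```sudoers
# /usr/local/etc/sudoers.d/zpool-scrub
# (assumed path: the sudoers.d directory of the FreeBSD sudo port;
#  edit with "visudo -f" so a syntax error cannot lock sudo out)
#
# Pool names "tank" and "backup" are constructed placeholders.

# Exact argument lists only. When arguments are given in sudoers, the
# user's command line must match them, so "zpool destroy", "zpool remove"
# and every other subcommand are refused.
# A wildcard such as "/sbin/zpool scrub *" is deliberately avoided:
# sudoers wildcards match across spaces in the argument string.
Cmnd_Alias ZPOOL_SCRUB_TANK   = /sbin/zpool scrub tank, \
                                /sbin/zpool scrub -s tank
Cmnd_Alias ZPOOL_SCRUB_BACKUP = /sbin/zpool scrub backup, \
                                /sbin/zpool scrub -s backup

# Members of _zfsadm may start or stop (-s) a scrub on either pool.
%_zfsadm ALL = (root) ZPOOL_SCRUB_TANK, ZPOOL_SCRUB_BACKUP

# A single user limited to one pool ("alice" is a hypothetical account).
alice    ALL = (root) ZPOOL_SCRUB_BACKUP
```

A permitted user then runs "sudo /sbin/zpool scrub tank"; any other zpool command line is rejected by sudo before zpool is executed.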