Date: Tue, 11 Nov 2014 11:18:25 +0100
From: Thomas Steen Rasmussen <thomas@gibfest.dk>
To: freebsd-fs@freebsd.org
Subject: "Permission denied" for jails root for jailed ZFS datasets, trouble delegating permissions
Message-ID: <5461E271.60105@gibfest.dk>
Hello list,

I am using jailed zfs datasets for backup purposes (I use one ezjail per remote host that needs backing up, just so if a server is compromised it can only access its own backups).

My notes from setting this up:

- first set the following sysctls:

### allow zfs in jails
security.jail.mount_allowed=1
security.jail.enforce_statfs=1

Then repeat for each jail/dataset:

- create a dataset
- create a jail
- jail the dataset
- set the "jailed" property on the dataset

If I understand the manpage correctly this should be enough to manage the dataset with the root user inside the jail. But it isn't.

The only way I've found it possible to actually do anything with the jailed dataset from inside the jail is to use zfs delegate *from the host* to a user with the same uid as one inside the jail.

So I create a non-root user inside the jail with, say, uid 1001. Then I try delegating the permissions it needs, but the root user in the jail gets permission denied whatever I try, including "zfs delegate".

However, the root user *on the host* can successfully delegate permissions to a user inside the jail, provided that a user with the same uid exists on the host. After delegating, the non-root user in the jail can manage the dataset, but the jail's root user still can't.

This seems wrong to me. I should be able to do stuff with the root user inside the jail, including delegating to other users in the jail.

What gives?

Thanks!

/Thomas

ps. The behaviour is the same across various 9-stable and 10-stable machines so I haven't included svn revisions as it doesn't seem to make a difference. More details available on request.
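The host-side procedure the mail describes (sysctls, create dataset, jail it, set jailed=on), plus the delegation workaround and a check that a jail only sees its own dataset tree, as an added example script. This is not code from the original mail or from FreeBSD; the pool/parent dataset "tank/backups", the jail-named-after-the-host convention and the user name passed to the delegation step are assumptions. With DRY_RUN=1 (the default) it prints each command instead of executing it, so the sequence can be reviewed before it is run on a real host.

```shell
#!/bin/sh
# Added example (not from the original mail): the per-host jailed-dataset
# procedure from the mail as a reviewable script.
# Assumptions (hypothetical): pool/parent dataset "tank/backups" and one
# jail per backed-up host, named after that host and already running.
# With DRY_RUN=1 (the default) every command is printed instead of executed.

DRY_RUN=${DRY_RUN:-1}
PARENT=${PARENT:-tank/backups}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Host side, once: the two knobs from the mail. A per-jail alternative to the
# global sysctls is "allow.mount; allow.mount.zfs; enforce_statfs = 1;" in the
# jail's jail.conf(5) entry, which avoids enabling mounts for every jail.
enable_zfs_in_jails() {
    run sysctl security.jail.mount_allowed=1
    run sysctl security.jail.enforce_statfs=1
}

# Host side, per host to back up: create the dataset, mark it jailed so the
# host stops mounting it, then attach it to the running jail. $1 is both the
# jail name and the dataset leaf name.
jail_dataset() {
    ds="$PARENT/$1"
    run zfs create -p "$ds"
    run zfs set jailed=on "$ds"
    run zfs jail "$1" "$ds"
}

# Host side: the workaround the mail describes. The user named in $2 must
# exist on the host with the same uid it has inside jail $1.
delegate_from_host() {
    run zfs allow -u "$2" create,destroy,mount,snapshot,rollback "$PARENT/$1"
}

# Host side check: a compromised jail must only be able to enumerate its own
# dataset tree. Returns 0 when everything zfs lists inside the jail is under
# the jailed dataset; in dry-run mode it only prints the query.
check_jail_view() {
    expected="$PARENT/$1"
    if [ "$DRY_RUN" = 1 ]; then
        run jexec "$1" zfs list -H -o name
        return 0
    fi
    seen=$(jexec "$1" zfs list -H -o name | grep -v "^$expected" || true)
    [ -z "$seen" ]
}

# Stand-alone usage: JAIL_NAME=host1 DRY_RUN=1 sh jail_backup_dataset.sh
if [ -n "${JAIL_NAME:-}" ]; then
    enable_zfs_in_jails
    jail_dataset "$JAIL_NAME"
    check_jail_view "$JAIL_NAME"
fi
```

The dataset is marked jailed before it is attached, so the host never mounts it and the backup contents only ever appear inside the jail namespace; the final check is the one a defender wants after each setup, since the whole point of one jail per host is that a compromised jail cannot list or reach another host's backups.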