From: Guillermo Marcus
Date: Wed, 28 May 2014 22:17:14 +0200
Subject: Mounting a ZFS snapshot by another user
To: freebsd-questions@FreeBSD.org
Message-Id: <80D52646-2377-447F-BBC4-BEF642585391@gmail.com>

Hi all,

I am using ZFS in a FreeBSD 10.0-RELEASE (10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789). I set up some scripts to create snapshots of my ZFS pool at regular intervals, and then another script to mount the latest snapshot of each dataset in the pool to a specific location, recreating a snapshot of my pool for backup. The goal is to use Bacula to always back up the snapshot, to avoid data being in an inconsistent state. The mount script is then executed by the bacula user at the beginning of the backup job. The scripts work fine, but I have an issue with the script being executed by the backup user and not the pool owner.

So I set up the delegation of the pool to:

    ---- Permissions on tank --------------------------------------------
    Permission sets:
            @bacula aclinherit,clone,create,destroy,mount,mountpoint,readonly,sharenfs,userprop
    Create time permissions:
            clone,create,destroy
    Local+Descendent permissions:
            user bacula @bacula

I also set up the VFS sysctl:

    vfs.usermount: 1

and finally, I grant full ACL access to the bacula user to the pool file system:

    # file: /tank
    # owner: dataowner
    # group: dataowner
    user:bacula:rwxpDdaARWcCos:fd----:allow
    owner@:rwxp--aARWcCos:------:allow
    group@:r-x---a-R-c--s:------:allow
    everyone@:r-x---a-R-c--s:------:allow

Here is the thing: it works only partially. Apparently, it requires that the mount point of the dataset be owned by the bacula user and not dataowner, even when the user bacula has full access. Example: to mount a dataset by user bacula with

    su -m bacula -c "zfs clone -o readonly=on -o mountpoint=/tank/latest-snapshot tank/dataset1@snapN"

one of two things will happen: if /tank/latest-snapshot does not exist, it will be created, owned by user bacula. However, if /tank/latest-snapshot exists in the parent dataset (where it is owned by dataowner), it will fail with "Insufficient privileges", even when the user bacula is given full access by the ACL. If I change the owner of the mount point it works correctly.

Can anyone explain what I am missing? Thanks in advance.

PS: as to why this will be an issue: this will extrapolate to a big issue when mounting hierarchical datasets with different owners in my snapshots, and I cannot change the ownership of a mountpoint inside a snapshot because it is read-only.

Best Regards,
G. Marcus