Date: Fri, 6 Apr 2018 14:12:10 +0100
From: Stilez Stilezy <stilezy@gmail.com>
To: Andriy Gapon <avg@freebsd.org>
Cc: freebsd-fs <freebsd-fs@freebsd.org>
Subject: Re: Does setuid=on work on ZFS datasets, or is the man page for zfs misleading?
Message-ID: <CAFwhr77WP_rDb1%2BAW-hbe8vcWdnpa-KXU0xjMryvmX-isa5W7g@mail.gmail.com>
In-Reply-To: <7eba73db-3097-5c8a-eb2c-e3880fb5b501@FreeBSD.org>
References: <CAFwhr76YOacX7kS87M-xRhcnkQGYGcmpYz%2BKU6rok2b-Wt_GHA@mail.gmail.com> <7eba73db-3097-5c8a-eb2c-e3880fb5b501@FreeBSD.org>

Thanks Andriy,

> Please read in the manual what ZFS setuid property means.
> By the way, it's on by default, so you would typically turn it off if you don't
> want suid binaries. And, of course, suiddir != setuid and ZFS does not support
> it, afaict.
>
> TLDR: yes, setuid works; no, it's not suiddir.

I did look up the ZFS setuid property in the man pages. If there are pages I missed, can you point me to them? (And sorry for not finding them!)

*[man zfs]:*

    setuid=on | off
        Controls whether the set-UID bit is respected for the file system.

[Does not say anything else, seems perfectly clear]

*[man chmod]* - where it's documented what the set-UID bit does when set on a file system:

    4000 (the setuid bit). Directories with this bit set will force all
    files and sub-directories created in them to be owned by the directory
    owner and not by the uid of the creating process, if the underlying
    file system supports this feature...

[Does **not** say that mount -o suiddir is/isn't required, or is/isn't a "blocker". Just says "see suiddir mounting option". But zfs man page has already said the bit **will** be respected. It's a bit conflicting.]

Like I said, the man pages seem a bit conflicted.

*[man zfs]* definitely says it provides an option for the setuid bit to be respected for the file system - it doesn't say "for files only" or any other limitation. It just says that setuid will be "respected for the file system" if the flag is enabled on the dataset.

*[man chmod]* describes what happens if setuid is "respected on a file system". It's clear that this will force+inherit directory ownership "if the underlying file system supports this feature". As [man zfs] already says set-UID will be "respected", set-UID is clearly supported by ZFS.

As you can see, I did read the man pages carefully. That's why I asked for help to understand if it was documentation, implementation, or invocation which was the issue.

If the zfs setuid property *doesn't* mean the same as normal enabling of the setuid bit functionality, then the [man zfs] page is misleading. If it works only for files but not for directories, it's also misleading.

So I hope you can see, I'm not asking because of failure to read the man pages. I really did read, and followed them carefully, before asking. So your answer was helpful (thank you!), even if I don't understand what info I didn't read in the man pages.

I have 2 quick points arising:

1. I gather from your reply that even with this flag set, set-UID for ZFS based directories' ownership/inheritance is not "respected for the file system" - or not fully respected in the sense normally understood as in [man chmod]? If that's the case then [man zfs] is incorrect - please can you confirm exactly what is this flag's functionality, since it's unclear?

2. Returning to the original issue, is there any way one can automatically force owner+owner inheritance, for data in a zfs dataset?

Thank you for your help, even if not the ideal answer. I hope these last couple of points are easy to clear up, and not annoying :)

Stilez

On 6 April 2018 at 13:31, Andriy Gapon <avg@freebsd.org> wrote:

> On 05/04/2018 18:53, Stilez Stilezy wrote:
> > I'm trying to use the setuid property in ZFS.
> >
> > The man pages are a bit conflicted but overall man zfs seems most specific
> > and implies the property is valid (man zfs says use setuid=on and it'll
> > work, man mount says use -o suiddir but won't work except on UFS).
>
> Please read in the manual what ZFS setuid property means.
> By the way, it's on by default, so you would typically turn it off if you don't
> want suid binaries. And, of course, suiddir != setuid and ZFS does not support
> it, afaict.
>
> TLDR: yes, setuid works; no, it's not suiddir.
>
> --
> Andriy Gapon