I have a separate ZFS dataset for each user's home dir, and I would like to allow users to use zfs create, snapshot, etc. on their home directories. There is the zfs allow command for this, but each user must have the ability to mount. Right now, when a user runs the zfs create command, this message is printed:
filesystem successfully created, but it may only be mounted by root
I could allow users to mount through sudo, but this is too many privileges. It would be perfect to somehow limit the ability to mount only to ZFS datasets and only within the home directory.
You can limit sudo to only running specific commands... Perhaps something like:
myuser ALL=(root) /usr/bin/zfs mount *
Of course, this doesn't restrict mounting only to /home since the mountpoint is a property of the dataset. I don't see a way to limit that.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Thanks @fukawi2
I can limit the mount command to the user's home dir by:
myuser ALL=(root) /usr/bin/zfs mount path/to/user_dataset/*
It solves the problem partially; although the user can now mount their own datasets, any other programs still can't utilize this feature of ZFS at user-level privileges. E.g. I was preparing to use podman to create and run containers without root. But the command
zfs create some_ds
still returns an error because the user can't mount (zfs does not try to use sudo for mount)
Your other option would be to setuid on the zfs binary, but that would allow any user to do anything with ZFS. I guess you could change the permissions to remove o= perms, and only allow user/group to execute (with setuid) for a specific group.... But that's getting pretty messy.
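An added example, not code from any poster in this thread: a root-side wrapper that a sudoers rule could point at instead of `zfs mount *`, checking both the dataset name and its mountpoint property before mounting (sudoers wildcards in command arguments match across spaces, so the rule alone cannot do this). The `tank/home/<user>` dataset layout, the `/home/<user>` mountpoints and the wrapper name `zfs-home-mount` are assumptions.

```shell
#!/bin/sh
# Added example: validate a mount request before root runs `zfs mount`.
# Hypothetical sudoers entry:  myuser ALL=(root) /usr/local/sbin/zfs-home-mount
LC_ALL=C; export LC_ALL        # make the [a-z] ranges below byte-wise
HOME_DS="tank/home"            # assumed parent dataset of all home datasets
HOME_MNT="/home"               # assumed parent directory of all home mountpoints

# dataset_allowed USER DATASET: 0 if DATASET is USER's home dataset or a child.
dataset_allowed() {
    case $1 in ''|*[!a-z0-9_-]*) return 1 ;; esac
    # Strict charset: rejects spaces (extra options), '@' snapshots, '#' bookmarks.
    case $2 in *[!A-Za-z0-9_.:/-]*) return 1 ;; esac
    # No empty, "." or ".." components.
    case "/$2/" in *//*|*/./*|*/../*) return 1 ;; esac
    case $2 in "$HOME_DS/$1"|"$HOME_DS/$1"/*) return 0 ;; esac
    return 1
}

# mountpoint_allowed USER MOUNTPOINT: 0 if the mountpoint property lies under
# USER's home. String check only; it does not resolve symlinks.
mountpoint_allowed() {
    case $1 in ''|*[!a-z0-9_-]*) return 1 ;; esac
    case "$2/" in *//*|*/./*|*/../*) return 1 ;; esac
    case $2 in "$HOME_MNT/$1"|"$HOME_MNT/$1"/*) return 0 ;; esac
    return 1   # also rejects "legacy" and "none"
}

main() {  # invoked through sudo, which sets SUDO_USER to the calling user
    [ "$#" -eq 1 ] && [ -n "${SUDO_USER:-}" ] || { echo "usage: sudo $0 DATASET" >&2; return 2; }
    dataset_allowed "$SUDO_USER" "$1" || { echo "refused dataset: $1" >&2; return 1; }
    # The mountpoint is a dataset property, so read it from ZFS, not from the user.
    mnt=$(/usr/bin/zfs get -H -o value mountpoint "$1") || return 1
    mountpoint_allowed "$SUDO_USER" "$mnt" || { echo "refused mountpoint: $mnt" >&2; return 1; }
    exec /usr/bin/zfs mount "$1"
}

# With no arguments the file only defines the functions (so it can be sourced).
[ "$#" -eq 0 ] || main "$@"
```

This only covers explicit mounts through sudo; as noted in the thread, `zfs create` run by an unprivileged program does not go through sudo, so the mount step of that command is unaffected.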