xref: /freebsd/sys/contrib/openzfs/man/man8/zfs-allow.8 (revision 9e5787d2284e187abb5b654d924394a65772e004)
1.\"
2.\" CDDL HEADER START
3.\"
4.\" The contents of this file are subject to the terms of the
5.\" Common Development and Distribution License (the "License").
6.\" You may not use this file except in compliance with the License.
7.\"
8.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9.\" or http://www.opensolaris.org/os/licensing.
10.\" See the License for the specific language governing permissions
11.\" and limitations under the License.
12.\"
13.\" When distributing Covered Code, include this CDDL HEADER in each
14.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15.\" If applicable, add the following below this CDDL HEADER, with the
16.\" fields enclosed by brackets "[]" replaced with your own identifying
17.\" information: Portions Copyright [yyyy] [name of copyright owner]
18.\"
19.\" CDDL HEADER END
20.\"
21.\"
22.\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved.
23.\" Copyright 2011 Joshua M. Clulow <josh@sysmgr.org>
24.\" Copyright (c) 2011, 2019 by Delphix. All rights reserved.
25.\" Copyright (c) 2013 by Saso Kiselkov. All rights reserved.
26.\" Copyright (c) 2014, Joyent, Inc. All rights reserved.
27.\" Copyright (c) 2014 by Adam Stevko. All rights reserved.
28.\" Copyright (c) 2014 Integros [integros.com]
29.\" Copyright 2019 Richard Laager. All rights reserved.
30.\" Copyright 2018 Nexenta Systems, Inc.
31.\" Copyright 2019 Joyent, Inc.
32.\"
33.Dd June 30, 2019
34.Dt ZFS-ALLOW 8
35.Os
36.Sh NAME
37.Nm zfs Ns Pf - Cm allow
38.Nd Delegates ZFS administration permission for the file systems to non-privileged users.
39.Sh SYNOPSIS
40.Nm
41.Cm allow
42.Op Fl dglu
43.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ...
44.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
45.Ar setname Oc Ns ...
46.Ar filesystem Ns | Ns Ar volume
47.Nm
48.Cm allow
49.Op Fl dl
50.Fl e Ns | Ns Sy everyone
51.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
52.Ar setname Oc Ns ...
53.Ar filesystem Ns | Ns Ar volume
54.Nm
55.Cm allow
56.Fl c
57.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
58.Ar setname Oc Ns ...
59.Ar filesystem Ns | Ns Ar volume
60.Nm
61.Cm allow
62.Fl s No @ Ns Ar setname
63.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
64.Ar setname Oc Ns ...
65.Ar filesystem Ns | Ns Ar volume
66.Nm
67.Cm unallow
68.Op Fl dglru
69.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ...
70.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
71.Ar setname Oc Ns ... Oc
72.Ar filesystem Ns | Ns Ar volume
73.Nm
74.Cm unallow
75.Op Fl dlr
76.Fl e Ns | Ns Sy everyone
77.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
78.Ar setname Oc Ns ... Oc
79.Ar filesystem Ns | Ns Ar volume
80.Nm
81.Cm unallow
82.Op Fl r
83.Fl c
84.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
85.Ar setname Oc Ns ... Oc
86.Ar filesystem Ns | Ns Ar volume
87.Nm
88.Cm unallow
89.Op Fl r
90.Fl s No @ Ns Ar setname
91.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
92.Ar setname Oc Ns ... Oc
93.Ar filesystem Ns | Ns Ar volume
94.Sh DESCRIPTION
95.Bl -tag -width ""
96.It Xo
97.Nm
98.Cm allow
99.Ar filesystem Ns | Ns Ar volume
100.Xc
101Displays permissions that have been delegated on the specified filesystem or
102volume.
103See the other forms of
104.Nm zfs Cm allow
105for more information.
106.Pp
107Delegations are supported under Linux with the exception of
108.Sy mount ,
109.Sy unmount ,
110.Sy mountpoint ,
111.Sy canmount ,
112.Sy rename ,
113and
114.Sy share .
115These permissions cannot be delegated because the Linux
116.Xr mount 8
117command restricts modifications of the global namespace to the root user.
118.It Xo
119.Nm
120.Cm allow
121.Op Fl dglu
122.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ...
123.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
124.Ar setname Oc Ns ...
125.Ar filesystem Ns | Ns Ar volume
126.Xc
127.It Xo
128.Nm
129.Cm allow
130.Op Fl dl
131.Fl e Ns | Ns Sy everyone
132.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
133.Ar setname Oc Ns ...
134.Ar filesystem Ns | Ns Ar volume
135.Xc
136Delegates ZFS administration permission for the file systems to non-privileged
137users.
138.Bl -tag -width "-d"
139.It Fl d
140Allow only for the descendent file systems.
141.It Fl e Ns | Ns Sy everyone
142Specifies that the permissions be delegated to everyone.
143.It Fl g Ar group Ns Oo , Ns Ar group Oc Ns ...
144Explicitly specify that permissions are delegated to the group.
145.It Fl l
146Allow
147.Qq locally
148only for the specified file system.
149.It Fl u Ar user Ns Oo , Ns Ar user Oc Ns ...
150Explicitly specify that permissions are delegated to the user.
151.It Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ...
152Specifies to whom the permissions are delegated.
153Multiple entities can be specified as a comma-separated list.
154If neither of the
155.Fl gu
156options are specified, then the argument is interpreted preferentially as the
157keyword
158.Sy everyone ,
159then as a user name, and lastly as a group name.
160To specify a user or group named
161.Qq everyone ,
162use the
163.Fl g
164or
165.Fl u
166options.
167To specify a group with the same name as a user, use the
168.Fl g
169options.
170.It Xo
171.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
172.Ar setname Oc Ns ...
173.Xc
174The permissions to delegate.
175Multiple permissions may be specified as a comma-separated list.
176Permission names are the same as ZFS subcommand and property names.
177See the property list below.
178Property set names, which begin with
179.Sy @ ,
180may be specified.
181See the
182.Fl s
183form below for details.
184.El
185.Pp
186If neither of the
187.Fl dl
188options are specified, or both are, then the permissions are allowed for the
189file system or volume, and all of its descendents.
190.Pp
191Permissions are generally the ability to use a ZFS subcommand or change a ZFS
192property.
193The following permissions are available:
194.Bd -literal
195NAME             TYPE           NOTES
196allow            subcommand     Must also have the permission that is
197                                being allowed
198clone            subcommand     Must also have the 'create' ability and
199                                'mount' ability in the origin file system
200create           subcommand     Must also have the 'mount' ability.
201                                Must also have the 'refreservation' ability to
202                                create a non-sparse volume.
203destroy          subcommand     Must also have the 'mount' ability
204diff             subcommand     Allows lookup of paths within a dataset
205                                given an object number, and the ability
206                                to create snapshots necessary to
207                                'zfs diff'.
208load-key         subcommand     Allows loading and unloading of encryption key
209                                (see 'zfs load-key' and 'zfs unload-key').
210change-key       subcommand     Allows changing an encryption key via
211                                'zfs change-key'.
212mount            subcommand     Allows mount/umount of ZFS datasets
213promote          subcommand     Must also have the 'mount' and 'promote'
214                                ability in the origin file system
215receive          subcommand     Must also have the 'mount' and 'create'
216                                ability
217rename           subcommand     Must also have the 'mount' and 'create'
218                                ability in the new parent
219rollback         subcommand     Must also have the 'mount' ability
220send             subcommand
221share            subcommand     Allows sharing file systems over NFS
222                                or SMB protocols
223snapshot         subcommand     Must also have the 'mount' ability
224
225groupquota       other          Allows accessing any groupquota@...
226                                property
227groupused        other          Allows reading any groupused@... property
228userprop         other          Allows changing any user property
229userquota        other          Allows accessing any userquota@...
230                                property
231userused         other          Allows reading any userused@... property
232projectobjquota  other          Allows accessing any projectobjquota@...
233                                property
234projectquota     other          Allows accessing any projectquota@... property
235projectobjused   other          Allows reading any projectobjused@... property
236projectused      other          Allows reading any projectused@... property
237
238aclinherit       property
239acltype          property
240atime            property
241canmount         property
242casesensitivity  property
243checksum         property
244compression      property
245copies           property
246devices          property
247exec             property
248filesystem_limit property
249mountpoint       property
250nbmand           property
251normalization    property
252primarycache     property
253quota            property
254readonly         property
255recordsize       property
256refquota         property
257refreservation   property
258reservation      property
259secondarycache   property
260setuid           property
261sharenfs         property
262sharesmb         property
263snapdir          property
264snapshot_limit   property
265utf8only         property
266version          property
267volblocksize     property
268volsize          property
269vscan            property
270xattr            property
271zoned            property
272.Ed
273.It Xo
274.Nm
275.Cm allow
276.Fl c
277.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
278.Ar setname Oc Ns ...
279.Ar filesystem Ns | Ns Ar volume
280.Xc
281Sets
282.Qq create time
283permissions.
284These permissions are granted
285.Pq locally
286to the creator of any newly-created descendent file system.
287.It Xo
288.Nm
289.Cm allow
290.Fl s No @ Ns Ar setname
291.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
292.Ar setname Oc Ns ...
293.Ar filesystem Ns | Ns Ar volume
294.Xc
295Defines or adds permissions to a permission set.
296The set can be used by other
297.Nm zfs Cm allow
298commands for the specified file system and its descendents.
299Sets are evaluated dynamically, so changes to a set are immediately reflected.
300Permission sets follow the same naming restrictions as ZFS file systems, but the
301name must begin with
302.Sy @ ,
303and can be no more than 64 characters long.
304.It Xo
305.Nm
306.Cm unallow
307.Op Fl dglru
308.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ...
309.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
310.Ar setname Oc Ns ... Oc
311.Ar filesystem Ns | Ns Ar volume
312.Xc
313.It Xo
314.Nm
315.Cm unallow
316.Op Fl dlr
317.Fl e Ns | Ns Sy everyone
318.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
319.Ar setname Oc Ns ... Oc
320.Ar filesystem Ns | Ns Ar volume
321.Xc
322.It Xo
323.Nm
324.Cm unallow
325.Op Fl r
326.Fl c
327.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
328.Ar setname Oc Ns ... Oc
329.Ar filesystem Ns | Ns Ar volume
330.Xc
331Removes permissions that were granted with the
332.Nm zfs Cm allow
333command.
334No permissions are explicitly denied, so other permissions granted are still in
335effect.
336For example, if the permission is granted by an ancestor.
337If no permissions are specified, then all permissions for the specified
338.Ar user ,
339.Ar group ,
340or
341.Sy everyone
342are removed.
343Specifying
344.Sy everyone
345.Po or using the
346.Fl e
347option
348.Pc
349only removes the permissions that were granted to everyone, not all permissions
350for every user and group.
351See the
352.Nm zfs Cm allow
353command for a description of the
354.Fl ldugec
355options.
356.Bl -tag -width "-r"
357.It Fl r
358Recursively remove the permissions from this file system and all descendents.
359.El
360.It Xo
361.Nm
362.Cm unallow
363.Op Fl r
364.Fl s No @ Ns Ar setname
365.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
366.Ar setname Oc Ns ... Oc
367.Ar filesystem Ns | Ns Ar volume
368.Xc
369Removes permissions from a permission set.
370If no permissions are specified, then all permissions are removed, thus removing
371the set entirely.
372.El
373