1.\" 2.\" CDDL HEADER START 3.\" 4.\" The contents of this file are subject to the terms of the 5.\" Common Development and Distribution License (the "License"). 6.\" You may not use this file except in compliance with the License. 7.\" 8.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9.\" or http://www.opensolaris.org/os/licensing. 10.\" See the License for the specific language governing permissions 11.\" and limitations under the License. 12.\" 13.\" When distributing Covered Code, include this CDDL HEADER in each 14.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15.\" If applicable, add the following below this CDDL HEADER, with the 16.\" fields enclosed by brackets "[]" replaced with your own identifying 17.\" information: Portions Copyright [yyyy] [name of copyright owner] 18.\" 19.\" CDDL HEADER END 20.\" 21.\" 22.\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved. 23.\" Copyright 2011 Joshua M. Clulow <josh@sysmgr.org> 24.\" Copyright (c) 2011, 2019 by Delphix. All rights reserved. 25.\" Copyright (c) 2013 by Saso Kiselkov. All rights reserved. 26.\" Copyright (c) 2014, Joyent, Inc. All rights reserved. 27.\" Copyright (c) 2014 by Adam Stevko. All rights reserved. 28.\" Copyright (c) 2014 Integros [integros.com] 29.\" Copyright 2019 Richard Laager. All rights reserved. 30.\" Copyright 2018 Nexenta Systems, Inc. 31.\" Copyright 2019 Joyent, Inc. 32.\" 33.Dd June 30, 2019 34.Dt ZFS-ALLOW 8 35.Os 36.Sh NAME 37.Nm zfs Ns Pf - Cm allow 38.Nd Delegates ZFS administration permission for the file systems to non-privileged users. 39.Sh SYNOPSIS 40.Nm 41.Cm allow 42.Op Fl dglu 43.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ... 44.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 45.Ar setname Oc Ns ... 46.Ar filesystem Ns | Ns Ar volume 47.Nm 48.Cm allow 49.Op Fl dl 50.Fl e Ns | Ns Sy everyone 51.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 52.Ar setname Oc Ns ... 53.Ar filesystem Ns | Ns Ar volume 54.Nm 55.Cm allow 56.Fl c 57.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 58.Ar setname Oc Ns ... 59.Ar filesystem Ns | Ns Ar volume 60.Nm 61.Cm allow 62.Fl s No @ Ns Ar setname 63.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 64.Ar setname Oc Ns ... 65.Ar filesystem Ns | Ns Ar volume 66.Nm 67.Cm unallow 68.Op Fl dglru 69.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ... 70.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 71.Ar setname Oc Ns ... Oc 72.Ar filesystem Ns | Ns Ar volume 73.Nm 74.Cm unallow 75.Op Fl dlr 76.Fl e Ns | Ns Sy everyone 77.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 78.Ar setname Oc Ns ... Oc 79.Ar filesystem Ns | Ns Ar volume 80.Nm 81.Cm unallow 82.Op Fl r 83.Fl c 84.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 85.Ar setname Oc Ns ... Oc 86.Ar filesystem Ns | Ns Ar volume 87.Nm 88.Cm unallow 89.Op Fl r 90.Fl s No @ Ns Ar setname 91.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 92.Ar setname Oc Ns ... Oc 93.Ar filesystem Ns | Ns Ar volume 94.Sh DESCRIPTION 95.Bl -tag -width "" 96.It Xo 97.Nm 98.Cm allow 99.Ar filesystem Ns | Ns Ar volume 100.Xc 101Displays permissions that have been delegated on the specified filesystem or 102volume. 103See the other forms of 104.Nm zfs Cm allow 105for more information. 106.Pp 107Delegations are supported under Linux with the exception of 108.Sy mount , 109.Sy unmount , 110.Sy mountpoint , 111.Sy canmount , 112.Sy rename , 113and 114.Sy share . 115These permissions cannot be delegated because the Linux 116.Xr mount 8 117command restricts modifications of the global namespace to the root user. 118.It Xo 119.Nm 120.Cm allow 121.Op Fl dglu 122.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ... 123.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 124.Ar setname Oc Ns ... 125.Ar filesystem Ns | Ns Ar volume 126.Xc 127.It Xo 128.Nm 129.Cm allow 130.Op Fl dl 131.Fl e Ns | Ns Sy everyone 132.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 133.Ar setname Oc Ns ... 134.Ar filesystem Ns | Ns Ar volume 135.Xc 136Delegates ZFS administration permission for the file systems to non-privileged 137users. 138.Bl -tag -width "-d" 139.It Fl d 140Allow only for the descendent file systems. 141.It Fl e Ns | Ns Sy everyone 142Specifies that the permissions be delegated to everyone. 143.It Fl g Ar group Ns Oo , Ns Ar group Oc Ns ... 144Explicitly specify that permissions are delegated to the group. 145.It Fl l 146Allow 147.Qq locally 148only for the specified file system. 149.It Fl u Ar user Ns Oo , Ns Ar user Oc Ns ... 150Explicitly specify that permissions are delegated to the user. 151.It Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ... 152Specifies to whom the permissions are delegated. 153Multiple entities can be specified as a comma-separated list. 154If neither of the 155.Fl gu 156options are specified, then the argument is interpreted preferentially as the 157keyword 158.Sy everyone , 159then as a user name, and lastly as a group name. 160To specify a user or group named 161.Qq everyone , 162use the 163.Fl g 164or 165.Fl u 166options. 167To specify a group with the same name as a user, use the 168.Fl g 169options. 170.It Xo 171.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 172.Ar setname Oc Ns ... 173.Xc 174The permissions to delegate. 175Multiple permissions may be specified as a comma-separated list. 176Permission names are the same as ZFS subcommand and property names. 177See the property list below. 178Property set names, which begin with 179.Sy @ , 180may be specified. 181See the 182.Fl s 183form below for details. 184.El 185.Pp 186If neither of the 187.Fl dl 188options are specified, or both are, then the permissions are allowed for the 189file system or volume, and all of its descendents. 190.Pp 191Permissions are generally the ability to use a ZFS subcommand or change a ZFS 192property. 193The following permissions are available: 194.Bd -literal 195NAME TYPE NOTES 196allow subcommand Must also have the permission that is 197 being allowed 198clone subcommand Must also have the 'create' ability and 199 'mount' ability in the origin file system 200create subcommand Must also have the 'mount' ability. 201 Must also have the 'refreservation' ability to 202 create a non-sparse volume. 203destroy subcommand Must also have the 'mount' ability 204diff subcommand Allows lookup of paths within a dataset 205 given an object number, and the ability 206 to create snapshots necessary to 207 'zfs diff'. 208load-key subcommand Allows loading and unloading of encryption key 209 (see 'zfs load-key' and 'zfs unload-key'). 210change-key subcommand Allows changing an encryption key via 211 'zfs change-key'. 212mount subcommand Allows mount/umount of ZFS datasets 213promote subcommand Must also have the 'mount' and 'promote' 214 ability in the origin file system 215receive subcommand Must also have the 'mount' and 'create' 216 ability 217rename subcommand Must also have the 'mount' and 'create' 218 ability in the new parent 219rollback subcommand Must also have the 'mount' ability 220send subcommand 221share subcommand Allows sharing file systems over NFS 222 or SMB protocols 223snapshot subcommand Must also have the 'mount' ability 224 225groupquota other Allows accessing any groupquota@... 226 property 227groupused other Allows reading any groupused@... property 228userprop other Allows changing any user property 229userquota other Allows accessing any userquota@... 230 property 231userused other Allows reading any userused@... property 232projectobjquota other Allows accessing any projectobjquota@... 233 property 234projectquota other Allows accessing any projectquota@... property 235projectobjused other Allows reading any projectobjused@... property 236projectused other Allows reading any projectused@... property 237 238aclinherit property 239acltype property 240atime property 241canmount property 242casesensitivity property 243checksum property 244compression property 245copies property 246devices property 247exec property 248filesystem_limit property 249mountpoint property 250nbmand property 251normalization property 252primarycache property 253quota property 254readonly property 255recordsize property 256refquota property 257refreservation property 258reservation property 259secondarycache property 260setuid property 261sharenfs property 262sharesmb property 263snapdir property 264snapshot_limit property 265utf8only property 266version property 267volblocksize property 268volsize property 269vscan property 270xattr property 271zoned property 272.Ed 273.It Xo 274.Nm 275.Cm allow 276.Fl c 277.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 278.Ar setname Oc Ns ... 279.Ar filesystem Ns | Ns Ar volume 280.Xc 281Sets 282.Qq create time 283permissions. 284These permissions are granted 285.Pq locally 286to the creator of any newly-created descendent file system. 287.It Xo 288.Nm 289.Cm allow 290.Fl s No @ Ns Ar setname 291.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 292.Ar setname Oc Ns ... 293.Ar filesystem Ns | Ns Ar volume 294.Xc 295Defines or adds permissions to a permission set. 296The set can be used by other 297.Nm zfs Cm allow 298commands for the specified file system and its descendents. 299Sets are evaluated dynamically, so changes to a set are immediately reflected. 300Permission sets follow the same naming restrictions as ZFS file systems, but the 301name must begin with 302.Sy @ , 303and can be no more than 64 characters long. 304.It Xo 305.Nm 306.Cm unallow 307.Op Fl dglru 308.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ... 309.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 310.Ar setname Oc Ns ... Oc 311.Ar filesystem Ns | Ns Ar volume 312.Xc 313.It Xo 314.Nm 315.Cm unallow 316.Op Fl dlr 317.Fl e Ns | Ns Sy everyone 318.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 319.Ar setname Oc Ns ... Oc 320.Ar filesystem Ns | Ns Ar volume 321.Xc 322.It Xo 323.Nm 324.Cm unallow 325.Op Fl r 326.Fl c 327.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 328.Ar setname Oc Ns ... Oc 329.Ar filesystem Ns | Ns Ar volume 330.Xc 331Removes permissions that were granted with the 332.Nm zfs Cm allow 333command. 334No permissions are explicitly denied, so other permissions granted are still in 335effect. 336For example, if the permission is granted by an ancestor. 337If no permissions are specified, then all permissions for the specified 338.Ar user , 339.Ar group , 340or 341.Sy everyone 342are removed. 343Specifying 344.Sy everyone 345.Po or using the 346.Fl e 347option 348.Pc 349only removes the permissions that were granted to everyone, not all permissions 350for every user and group. 351See the 352.Nm zfs Cm allow 353command for a description of the 354.Fl ldugec 355options. 356.Bl -tag -width "-r" 357.It Fl r 358Recursively remove the permissions from this file system and all descendents. 359.El 360.It Xo 361.Nm 362.Cm unallow 363.Op Fl r 364.Fl s No @ Ns Ar setname 365.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns 366.Ar setname Oc Ns ... Oc 367.Ar filesystem Ns | Ns Ar volume 368.Xc 369Removes permissions from a permission set. 370If no permissions are specified, then all permissions are removed, thus removing 371the set entirely. 372.El 373