xref: /freebsd/sys/contrib/openzfs/man/man8/zfs-unallow.8

.\" SPDX-License-Identifier: CDDL-1.0
.\"
.\" CDDL HEADER START
.\"
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\"
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or https://opensource.org/licenses/CDDL-1.0.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\"
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.\"
.\" CDDL HEADER END
.\"
.\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 2011 Joshua M. Clulow <josh@sysmgr.org>
.\" Copyright (c) 2011, 2019 by Delphix. All rights reserved.
.\" Copyright (c) 2013 by Saso Kiselkov. All rights reserved.
.\" Copyright (c) 2014, Joyent, Inc. All rights reserved.
.\" Copyright (c) 2014 by Adam Stevko. All rights reserved.
.\" Copyright (c) 2014 Integros [integros.com]
.\" Copyright 2019 Richard Laager. All rights reserved.
.\" Copyright 2018 Nexenta Systems, Inc.
.\" Copyright 2019 Joyent, Inc.
.\"
.Dd March 16, 2022
.Dt ZFS-ALLOW 8
.Os
.
.Sh NAME
.Nm zfs-allow
.Nd delegate ZFS administration permissions to unprivileged users
.Sh SYNOPSIS
.Nm zfs
.Cm allow
.Op Fl dglu
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns …
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm allow
.Op Fl dl
.Fl e Ns | Ns Sy everyone
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm allow
.Fl c
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm allow
.Fl s No @ Ns Ar setname
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl dglru
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns …
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl dlr
.Fl e Ns | Ns Sy everyone
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl r
.Fl c
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl r
.Fl s No @ Ns Ar setname
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.
.Sh DESCRIPTION
.Bl -tag -width ""
.It Xo
.Nm zfs
.Cm allow
.Ar filesystem Ns | Ns Ar volume
.Xc
Displays permissions that have been delegated on the specified filesystem or
volume.
See the other forms of
.Nm zfs Cm allow
for more information.
.Pp
Delegations are supported under Linux with the exception of
.Sy mount ,
.Sy unmount ,
.Sy mountpoint ,
.Sy canmount ,
.Sy rename ,
and
.Sy share .
These permissions cannot be delegated because the Linux
.Xr mount 8
command restricts modifications of the global namespace to the root user.
.It Xo
.Nm zfs
.Cm allow
.Op Fl dglu
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns …
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Xc
.It Xo
.Nm zfs
.Cm allow
.Op Fl dl
.Fl e Ns | Ns Sy everyone
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Xc
Delegates ZFS administration permission for the file systems to non-privileged
users.
.Bl -tag -width "-d"
.It Fl d
Allow only for the descendent file systems.
.It Fl e Ns | Ns Sy everyone
Specifies that the permissions be delegated to everyone.
.It Fl g Ar group Ns Oo , Ns Ar group Oc Ns …
Explicitly specify that permissions are delegated to the group.
.It Fl l
Allow
.Qq locally
only for the specified file system.
.It Fl u Ar user Ns Oo , Ns Ar user Oc Ns …
Explicitly specify that permissions are delegated to the user.
.It Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns …
Specifies to whom the permissions are delegated.
Multiple entities can be specified as a comma-separated list.
If neither of the
.Fl gu
options are specified, then the argument is interpreted preferentially as the
keyword
.Sy everyone ,
then as a user name, and lastly as a group name.
To specify a user or group named
.Qq everyone ,
use the
.Fl g
or
.Fl u
options.
To specify a group with the same name as a user, use the
.Fl g
options.
.It Xo
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Xc
The permissions to delegate.
Multiple permissions may be specified as a comma-separated list.
Permission names are the same as ZFS subcommand and property names.
See the property list below.
Property set names, which begin with
.Sy @ ,
may be specified.
See the
.Fl s
form below for details.
.El
.Pp
If neither of the
.Fl dl
options are specified, or both are, then the permissions are allowed for the
file system or volume, and all of its descendants.
.Pp
Permissions are generally the ability to use a ZFS subcommand or change a ZFS
property.
The following permissions are available:
.TS
l l l .
NAME	TYPE	NOTES
_	_	_
allow	subcommand	Must also have the permission that is being allowed
bookmark	subcommand
clone	subcommand	Must also have the \fBcreate\fR ability and \fBmount\fR ability in the origin file system
create	subcommand	Must also have the \fBmount\fR ability. Must also have the \fBrefreservation\fR ability to create a non-sparse volume.
destroy	subcommand	Must also have the \fBmount\fR ability
diff	subcommand	Allows lookup of paths within a dataset given an object number, and the ability to create snapshots necessary to \fBzfs diff\fR.
hold	subcommand	Allows adding a user hold to a snapshot
load-key	subcommand	Allows loading and unloading of encryption key (see \fBzfs load-key\fR and \fBzfs unload-key\fR).
change-key	subcommand	Allows changing an encryption key via \fBzfs change-key\fR.
mount	subcommand	Allows mounting/unmounting ZFS datasets
promote	subcommand	Must also have the \fBmount\fR and \fBpromote\fR ability in the origin file system
receive	subcommand	Must also have the \fBmount\fR and \fBcreate\fR ability, required for \fBzfs receive -F\fR (see also \fBreceive:append\fR for limited, non forced receive)
release	subcommand	Allows releasing a user hold which might destroy the snapshot
rename	subcommand	Must also have the \fBmount\fR and \fBcreate\fR ability in the new parent
rollback	subcommand	Must also have the \fBmount\fR ability
send	subcommand
share	subcommand	Allows sharing file systems over NFS or SMB protocols
snapshot	subcommand	Must also have the \fBmount\fR ability

receive:append	other	Must also have the \fBmount\fR and \fBcreate\fR ability, limited receive ability (can not do receive -F)
groupquota	other	Allows accessing any \fBgroupquota@\fI…\fR property
groupobjquota	other	Allows accessing any \fBgroupobjquota@\fI…\fR property
groupused	other	Allows reading any \fBgroupused@\fI…\fR property
groupobjused	other	Allows reading any \fBgroupobjused@\fI…\fR property
userprop	other	Allows changing any user property
userquota	other	Allows accessing any \fBuserquota@\fI…\fR property
userobjquota	other	Allows accessing any \fBuserobjquota@\fI…\fR property
userused	other	Allows reading any \fBuserused@\fI…\fR property
userobjused	other	Allows reading any \fBuserobjused@\fI…\fR property
projectobjquota	other	Allows accessing any \fBprojectobjquota@\fI…\fR property
projectquota	other	Allows accessing any \fBprojectquota@\fI…\fR property
projectobjused	other	Allows reading any \fBprojectobjused@\fI…\fR property
projectused	other	Allows reading any \fBprojectused@\fI…\fR property

aclinherit	property
aclmode	property
acltype	property
atime	property
canmount	property
casesensitivity	property
checksum	property
compression	property
context	property
copies	property
dedup	property
defcontext	property
devices	property
dnodesize	property
encryption	property
exec	property
filesystem_limit	property
fscontext	property
keyformat	property
keylocation	property
logbias	property
mlslabel	property
mountpoint	property
nbmand	property
normalization	property
overlay	property
pbkdf2iters	property
primarycache	property
quota	property
readonly	property
recordsize	property
redundant_metadata	property
refquota	property
refreservation	property
relatime	property
reservation	property
rootcontext	property
secondarycache	property
setuid	property
sharenfs	property
sharesmb	property
snapdev	property
snapdir	property
snapshot_limit	property
special_small_blocks	property
sync	property
utf8only	property
version	property
volblocksize	property
volmode	property
volsize	property
vscan	property
xattr	property
zoned	property
.TE
.It Xo
.Nm zfs
.Cm allow
.Fl c
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Xc
Sets
.Qq create time
permissions.
These permissions are granted
.Pq locally
to the creator of any newly-created descendent file system.
.It Xo
.Nm zfs
.Cm allow
.Fl s No @ Ns Ar setname
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Xc
Defines or adds permissions to a permission set.
The set can be used by other
.Nm zfs Cm allow
commands for the specified file system and its descendants.
Sets are evaluated dynamically, so changes to a set are immediately reflected.
Permission sets follow the same naming restrictions as ZFS file systems, but the
name must begin with
.Sy @ ,
and can be no more than 64 characters long.
.It Xo
.Nm zfs
.Cm unallow
.Op Fl dglru
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns …
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
.It Xo
.Nm zfs
.Cm unallow
.Op Fl dlr
.Fl e Ns | Ns Sy everyone
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
.It Xo
.Nm zfs
.Cm unallow
.Op Fl r
.Fl c
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
Removes permissions that were granted with the
.Nm zfs Cm allow
command.
No permissions are explicitly denied, so other permissions granted are still in
effect.
For example, if the permission is granted by an ancestor.
If no permissions are specified, then all permissions for the specified
.Ar user ,
.Ar group ,
or
.Sy everyone
are removed.
Specifying
.Sy everyone
.Po or using the
.Fl e
option
.Pc
only removes the permissions that were granted to everyone, not all permissions
for every user and group.
See the
.Nm zfs Cm allow
command for a description of the
.Fl ldugec
options.
.Bl -tag -width "-r"
.It Fl r
Recursively remove the permissions from this file system and all descendants.
.El
.It Xo
.Nm zfs
.Cm unallow
.Op Fl r
.Fl s No @ Ns Ar setname
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
Removes permissions from a permission set.
If no permissions are specified, then all permissions are removed, thus removing
the set entirely.
.El
.
.Sh EXAMPLES
.\" These are, respectively, examples 17, 18, 19, 20 from zfs.8
.\" Make sure to update them bidirectionally
.Ss Example 1 : No Delegating ZFS Administration Permissions on a ZFS Dataset
The following example shows how to set permissions so that user
.Ar cindys
can create, destroy, mount, and take snapshots on
.Ar tank/cindys .
The permissions on
.Ar tank/cindys
are also displayed.
.Bd -literal -compact -offset Ds
.No # Nm zfs Cm allow Sy cindys create , Ns Sy destroy , Ns Sy mount , Ns Sy snapshot Ar tank/cindys
.No # Nm zfs Cm allow Ar tank/cindys
---- Permissions on tank/cindys --------------------------------------
Local+Descendent permissions:
        user cindys create,destroy,mount,snapshot
.Ed
.Pp
Because the
.Ar tank/cindys
mount point permission is set to 755 by default, user
.Ar cindys
will be unable to mount file systems under
.Ar tank/cindys .
Add an ACE similar to the following syntax to provide mount point access:
.Dl # Cm chmod No A+user : Ns Ar cindys Ns :add_subdirectory:allow Ar /tank/cindys
.
.Ss Example 2 : No Delegating Create Time Permissions on a ZFS Dataset
The following example shows how to grant anyone in the group
.Ar staff
to create file systems in
.Ar tank/users .
This syntax also allows staff members to destroy their own file systems, but not
destroy anyone else's file system.
The permissions on
.Ar tank/users
are also displayed.
.Bd -literal -compact -offset Ds
.No # Nm zfs Cm allow Ar staff Sy create , Ns Sy mount Ar tank/users
.No # Nm zfs Cm allow Fl c Sy destroy Ar tank/users
.No # Nm zfs Cm allow Ar tank/users
---- Permissions on tank/users ---------------------------------------
Permission sets:
        destroy
Local+Descendent permissions:
        group staff create,mount
.Ed
.
.Ss Example 3 : No Defining and Granting a Permission Set on a ZFS Dataset
The following example shows how to define and grant a permission set on the
.Ar tank/users
file system.
The permissions on
.Ar tank/users
are also displayed.
.Bd -literal -compact -offset Ds
.No # Nm zfs Cm allow Fl s No @ Ns Ar pset Sy create , Ns Sy destroy , Ns Sy snapshot , Ns Sy mount Ar tank/users
.No # Nm zfs Cm allow staff No @ Ns Ar pset tank/users
.No # Nm zfs Cm allow Ar tank/users
---- Permissions on tank/users ---------------------------------------
Permission sets:
        @pset create,destroy,mount,snapshot
Local+Descendent permissions:
        group staff @pset
.Ed
.
.Ss Example 4 : No Delegating Property Permissions on a ZFS Dataset
The following example shows to grant the ability to set quotas and reservations
on the
.Ar users/home
file system.
The permissions on
.Ar users/home
are also displayed.
.Bd -literal -compact -offset Ds
.No # Nm zfs Cm allow Ar cindys Sy quota , Ns Sy reservation Ar users/home
.No # Nm zfs Cm allow Ar users/home
---- Permissions on users/home ---------------------------------------
Local+Descendent permissions:
        user cindys quota,reservation
cindys% zfs set quota=10G users/home/marks
cindys% zfs get quota users/home/marks
NAME              PROPERTY  VALUE  SOURCE
users/home/marks  quota     10G    local
.Ed
.
.Ss Example 5 : No Removing ZFS Delegated Permissions on a ZFS Dataset
The following example shows how to remove the snapshot permission from the
.Ar staff
group on the
.Sy tank/users
file system.
The permissions on
.Sy tank/users
are also displayed.
.Bd -literal -compact -offset Ds
.No # Nm zfs Cm unallow Ar staff Sy snapshot Ar tank/users
.No # Nm zfs Cm allow Ar tank/users
---- Permissions on tank/users ---------------------------------------
Permission sets:
        @pset create,destroy,mount,snapshot
Local+Descendent permissions:
        group staff @pset
.Ed