.\"
.\" CDDL HEADER START
.\"
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\"
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\"
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.\"
.\" CDDL HEADER END
.\"
.\"
.\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 2011 Joshua M. Clulow <josh@sysmgr.org>
.\" Copyright (c) 2011, 2019 by Delphix. All rights reserved.
.\" Copyright (c) 2013 by Saso Kiselkov. All rights reserved.
.\" Copyright (c) 2014, Joyent, Inc. All rights reserved.
.\" Copyright (c) 2014 by Adam Stevko. All rights reserved.
.\" Copyright (c) 2014 Integros [integros.com]
.\" Copyright 2019 Richard Laager. All rights reserved.
.\" Copyright 2018 Nexenta Systems, Inc.
.\" Copyright 2019 Joyent, Inc.
.\"
.Dd June 30, 2019
.Dt ZFS-ALLOW 8
.Os
.Sh NAME
.Nm zfs-allow
.Nd Delegates ZFS administration permission for the file systems to non-privileged users.
.Sh SYNOPSIS
.Nm zfs
.Cm allow
.Op Fl dglu
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ...
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ...
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm allow
.Op Fl dl
.Fl e Ns | Ns Sy everyone
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ...
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm allow
.Fl c
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ...
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm allow
.Fl s No @ Ns Ar setname
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ...
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl dglru
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ...
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ... Oc
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl dlr
.Fl e Ns | Ns Sy everyone
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ... Oc
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl r
.Fl c
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ... Oc
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl r
.Fl s No @ Ns Ar setname
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ... Oc
.Ar filesystem Ns | Ns Ar volume
.Sh DESCRIPTION
.Bl -tag -width ""
.It Xo
.Nm zfs
.Cm allow
.Ar filesystem Ns | Ns Ar volume
.Xc
Displays permissions that have been delegated on the specified filesystem or
volume.
See the other forms of
.Nm zfs Cm allow
for more information.
.Pp
Delegations are supported under Linux with the exception of
.Sy mount ,
.Sy unmount ,
.Sy mountpoint ,
.Sy canmount ,
.Sy rename ,
and
.Sy share .
These permissions cannot be delegated because the Linux
.Xr mount 8
command restricts modifications of the global namespace to the root user.
.It Xo
.Nm zfs
.Cm allow
.Op Fl dglu
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ...
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ...
.Ar filesystem Ns | Ns Ar volume
.Xc
.It Xo
.Nm zfs
.Cm allow
.Op Fl dl
.Fl e Ns | Ns Sy everyone
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ...
.Ar filesystem Ns | Ns Ar volume
.Xc
Delegates ZFS administration permission for the file systems to non-privileged
users.
.Bl -tag -width "-d"
.It Fl d
Allow only for the descendent file systems.
.It Fl e Ns | Ns Sy everyone
Specifies that the permissions be delegated to everyone.
.It Fl g Ar group Ns Oo , Ns Ar group Oc Ns ...
Explicitly specify that permissions are delegated to the group.
.It Fl l
Allow
.Qq locally
only for the specified file system.
.It Fl u Ar user Ns Oo , Ns Ar user Oc Ns ...
Explicitly specify that permissions are delegated to the user.
.It Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ...
Specifies to whom the permissions are delegated.
Multiple entities can be specified as a comma-separated list.
If neither of the
.Fl gu
options are specified, then the argument is interpreted preferentially as the
keyword
.Sy everyone ,
then as a user name, and lastly as a group name.
To specify a user or group named
.Qq everyone ,
use the
.Fl g
or
.Fl u
options.
To specify a group with the same name as a user, use the
.Fl g
option.
.It Xo
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ...
.Xc
The permissions to delegate.
Multiple permissions may be specified as a comma-separated list.
Permission names are the same as ZFS subcommand and property names.
See the property list below.
Property set names, which begin with
.Sy @ ,
may be specified.
See the
.Fl s
form below for details.
.El
.Pp
If neither of the
.Fl dl
options are specified, or both are, then the permissions are allowed for the
file system or volume, and all of its descendents.
.Pp
Permissions are generally the ability to use a ZFS subcommand or change a ZFS
property.
The following permissions are available:
.Bd -literal
NAME             TYPE           NOTES
allow            subcommand     Must also have the permission that is
                                being allowed
clone            subcommand     Must also have the 'create' ability and
                                'mount' ability in the origin file system
create           subcommand     Must also have the 'mount' ability.
                                Must also have the 'refreservation' ability to
                                create a non-sparse volume.
destroy          subcommand     Must also have the 'mount' ability
diff             subcommand     Allows lookup of paths within a dataset
                                given an object number, and the ability
                                to create snapshots necessary to
                                'zfs diff'.
hold             subcommand     Allows adding a user hold to a snapshot
load-key         subcommand     Allows loading and unloading of encryption key
                                (see 'zfs load-key' and 'zfs unload-key').
change-key       subcommand     Allows changing an encryption key via
                                'zfs change-key'.
mount            subcommand     Allows mount/umount of ZFS datasets
promote          subcommand     Must also have the 'mount' and 'promote'
                                ability in the origin file system
receive          subcommand     Must also have the 'mount' and 'create'
                                ability
release          subcommand     Allows releasing a user hold which might
                                destroy the snapshot
rename           subcommand     Must also have the 'mount' and 'create'
                                ability in the new parent
rollback         subcommand     Must also have the 'mount' ability
send             subcommand
share            subcommand     Allows sharing file systems over NFS
                                or SMB protocols
snapshot         subcommand     Must also have the 'mount' ability

groupquota       other          Allows accessing any groupquota@...
                                property
groupused        other          Allows reading any groupused@... property
userprop         other          Allows changing any user property
userquota        other          Allows accessing any userquota@...
                                property
userused         other          Allows reading any userused@... property
projectobjquota  other          Allows accessing any projectobjquota@...
                                property
projectquota     other          Allows accessing any projectquota@... property
projectobjused   other          Allows reading any projectobjused@... property
projectused      other          Allows reading any projectused@... property

aclinherit       property
acltype          property
atime            property
canmount         property
casesensitivity  property
checksum         property
compression      property
copies           property
devices          property
exec             property
filesystem_limit property
mountpoint       property
nbmand           property
normalization    property
primarycache     property
quota            property
readonly         property
recordsize       property
refquota         property
refreservation   property
reservation      property
secondarycache   property
setuid           property
sharenfs         property
sharesmb         property
snapdir          property
snapshot_limit   property
utf8only         property
version          property
volblocksize     property
volsize          property
vscan            property
xattr            property
zoned            property
.Ed
.It Xo
.Nm zfs
.Cm allow
.Fl c
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ...
.Ar filesystem Ns | Ns Ar volume
.Xc
Sets
.Qq create time
permissions.
These permissions are granted
.Pq locally
to the creator of any newly-created descendent file system.
.It Xo
.Nm zfs
.Cm allow
.Fl s No @ Ns Ar setname
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ...
.Ar filesystem Ns | Ns Ar volume
.Xc
Defines or adds permissions to a permission set.
The set can be used by other
.Nm zfs Cm allow
commands for the specified file system and its descendents.
Sets are evaluated dynamically, so changes to a set are immediately reflected.
Permission sets follow the same naming restrictions as ZFS file systems, but the
name must begin with
.Sy @ ,
and can be no more than 64 characters long.
.It Xo
.Nm zfs
.Cm unallow
.Op Fl dglru
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns ...
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ... Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
.It Xo
.Nm zfs
.Cm unallow
.Op Fl dlr
.Fl e Ns | Ns Sy everyone
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ... Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
.It Xo
.Nm zfs
.Cm unallow
.Op Fl r
.Fl c
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ... Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
Removes permissions that were granted with the
.Nm zfs Cm allow
command.
No permissions are explicitly denied, so other permissions granted are still in
effect, for example when the permission is granted by an ancestor.
If no permissions are specified, then all permissions for the specified
.Ar user ,
.Ar group ,
or
.Sy everyone
are removed.
Specifying
.Sy everyone
.Po or using the
.Fl e
option
.Pc
only removes the permissions that were granted to everyone, not all permissions
for every user and group.
See the
.Nm zfs Cm allow
command for a description of the
.Fl ldugec
options.
.Bl -tag -width "-r"
.It Fl r
Recursively remove the permissions from this file system and all descendents.
.El
.It Xo
.Nm zfs
.Cm unallow
.Op Fl r
.Fl s No @ Ns Ar setname
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns ... Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
Removes permissions from a permission set.
If no permissions are specified, then all permissions are removed, thus removing
the set entirely.
.El
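.Sh EXAMPLES
The following is an added example, not part of the original manual page or of the ZFS code: a simplified Python model of the rules described above (local and descendent scope, permission sets resolved at query time, and unallow removing only what was granted on the named dataset).
The dataset names, the user name and the Delegations class are hypothetical; group grants and the recursive unallow option are not modeled.

```python
# Simplified model of the rules in this page (constructed data, not ZFS code).
# scope is a subset of "ld": l = the named dataset, d = its descendents.

def covers(grant_ds, target, scope):
    if grant_ds == target:
        return "l" in scope
    return target.startswith(grant_ds + "/") and "d" in scope

class Delegations:
    def __init__(self):
        self.grants = []   # [dataset, who, scope, set of perms / @set names]
        self.sets = {}     # (dataset, "@name") -> set of perms

    def define_set(self, dataset, name, perms):          # zfs allow -s
        self.sets.setdefault((dataset, name), set()).update(perms)

    def allow(self, dataset, who, perms, scope="ld"):    # zfs allow [-l|-d]
        self.grants.append([dataset, who, scope, set(perms)])

    def unallow(self, dataset, who, perms=None):         # zfs unallow
        # Only grants recorded on this dataset change; nothing is denied.
        for g in self.grants:
            if g[0] == dataset and g[1] == who:
                g[3] = set() if perms is None else g[3] - set(perms)

    def expand(self, grant_ds, perms):
        # @sets are resolved at query time against grant_ds and its ancestors.
        out = set()
        for p in perms:
            if not p.startswith("@"):
                out.add(p)
                continue
            for (set_ds, name), members in self.sets.items():
                if name == p and covers(set_ds, grant_ds, "ld"):
                    out |= self.expand(set_ds, members)
        return out

    def effective(self, dataset, user):
        result = set()
        for ds, who, scope, perms in self.grants:
            if who in (user, "everyone") and covers(ds, dataset, scope):
                result |= self.expand(ds, perms)
        return result

def demo():
    d = Delegations()
    d.define_set("tank", "@snapops", {"snapshot", "hold"})
    d.allow("tank/home", "alice", {"@snapops", "send"})
    d.allow("tank/home/alice", "alice", {"destroy"}, scope="l")
    before = d.effective("tank/home/alice", "alice")
    d.unallow("tank/home/alice", "alice")           # ancestor grant survives
    after = d.effective("tank/home/alice", "alice")
    d.define_set("tank", "@snapops", {"rollback"})  # visible immediately
    return before, after, d.effective("tank/home/alice", "alice")
```

When reviewing who can do what on a dataset, check the delegations on every ancestor as well, since removing a grant on the child leaves inherited grants in place.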