zfs: merge openzfs/zfs@c0cf6ed67

[FreeBSD/FreeBSD.git] / sys / contrib / openzfs / man / man8 / zfs-allow.8

.\"
.\" CDDL HEADER START
.\"
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\"
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\"
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.\"
.\" CDDL HEADER END
.\"
.\" Copyright (c) 2009 Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 2011 Joshua M. Clulow <josh@sysmgr.org>
.\" Copyright (c) 2011, 2019 by Delphix. All rights reserved.
.\" Copyright (c) 2013 by Saso Kiselkov. All rights reserved.
.\" Copyright (c) 2014, Joyent, Inc. All rights reserved.
.\" Copyright (c) 2014 by Adam Stevko. All rights reserved.
.\" Copyright (c) 2014 Integros [integros.com]
.\" Copyright 2019 Richard Laager. All rights reserved.
.\" Copyright 2018 Nexenta Systems, Inc.
.\" Copyright 2019 Joyent, Inc.
.\"
.Dd March 16, 2022
.Dt ZFS-ALLOW 8
.Os
.
.Sh NAME
.Nm zfs-allow
.Nd delegate ZFS administration permissions to unprivileged users
.Sh SYNOPSIS
.Nm zfs
.Cm allow
.Op Fl dglu
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns …
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm allow
.Op Fl dl
.Fl e Ns | Ns Sy everyone
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm allow
.Fl c
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm allow
.Fl s No @ Ns Ar setname
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl dglru
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns …
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl dlr
.Fl e Ns | Ns Sy everyone
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl r
.Fl c
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Nm zfs
.Cm unallow
.Op Fl r
.Fl s No @ Ns Ar setname
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.
.Sh DESCRIPTION
.Bl -tag -width ""
.It Xo
.Nm zfs
.Cm allow
.Ar filesystem Ns | Ns Ar volume
.Xc
Displays permissions that have been delegated on the specified filesystem or
volume.
See the other forms of
.Nm zfs Cm allow
for more information.
.Pp
Delegations are supported under Linux with the exception of
.Sy mount ,
.Sy unmount ,
.Sy mountpoint ,
.Sy canmount ,
.Sy rename ,
and
.Sy share .
These permissions cannot be delegated because the Linux
.Xr mount 8
command restricts modifications of the global namespace to the root user.
.It Xo
.Nm zfs
.Cm allow
.Op Fl dglu
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns …
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Xc
.It Xo
.Nm zfs
.Cm allow
.Op Fl dl
.Fl e Ns | Ns Sy everyone
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Xc
Delegates ZFS administration permission for the file systems to non-privileged
users.
.Bl -tag -width "-d"
.It Fl d
Allow only for the descendent file systems.
.It Fl e Ns | Ns Sy everyone
Specifies that the permissions be delegated to everyone.
.It Fl g Ar group Ns Oo , Ns Ar group Oc Ns …
Explicitly specify that permissions are delegated to the group.
.It Fl l
Allow
.Qq locally
only for the specified file system.
.It Fl u Ar user Ns Oo , Ns Ar user Oc Ns …
Explicitly specify that permissions are delegated to the user.
.It Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns …
Specifies to whom the permissions are delegated.
Multiple entities can be specified as a comma-separated list.
If neither of the
.Fl gu
options are specified, then the argument is interpreted preferentially as the
keyword
.Sy everyone ,
then as a user name, and lastly as a group name.
To specify a user or group named
.Qq everyone ,
use the
.Fl g
or
.Fl u
options.
To specify a group with the same name as a user, use the
.Fl g
options.
.It Xo
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Xc
The permissions to delegate.
Multiple permissions may be specified as a comma-separated list.
Permission names are the same as ZFS subcommand and property names.
See the property list below.
Property set names, which begin with
.Sy @ ,
may be specified.
See the
.Fl s
form below for details.
.El
.Pp
If neither of the
.Fl dl
options are specified, or both are, then the permissions are allowed for the
file system or volume, and all of its descendents.
.Pp
Permissions are generally the ability to use a ZFS subcommand or change a ZFS
property.
The following permissions are available:
.TS
l l l .
NAME    TYPE    NOTES
_       _       _
allow   subcommand      Must also have the permission that is being allowed
bookmark        subcommand
clone   subcommand      Must also have the \fBcreate\fR ability and \fBmount\fR ability in the origin file system
create  subcommand      Must also have the \fBmount\fR ability. Must also have the \fBrefreservation\fR ability to create a non-sparse volume.
destroy subcommand      Must also have the \fBmount\fR ability
diff    subcommand      Allows lookup of paths within a dataset given an object number, and the ability to create snapshots necessary to \fBzfs diff\fR.
hold    subcommand      Allows adding a user hold to a snapshot
load-key        subcommand      Allows loading and unloading of encryption key (see \fBzfs load-key\fR and \fBzfs unload-key\fR).
change-key      subcommand      Allows changing an encryption key via \fBzfs change-key\fR.
mount   subcommand      Allows mounting/umounting ZFS datasets
promote subcommand      Must also have the \fBmount\fR and \fBpromote\fR ability in the origin file system
receive subcommand      Must also have the \fBmount\fR and \fBcreate\fR ability
release subcommand      Allows releasing a user hold which might destroy the snapshot
rename  subcommand      Must also have the \fBmount\fR and \fBcreate\fR ability in the new parent
rollback        subcommand      Must also have the \fBmount\fR ability
send    subcommand
share   subcommand      Allows sharing file systems over NFS or SMB protocols
snapshot        subcommand      Must also have the \fBmount\fR ability

groupquota      other   Allows accessing any \fBgroupquota@\fI…\fR property
groupobjquota   other   Allows accessing any \fBgroupobjquota@\fI…\fR property
groupused       other   Allows reading any \fBgroupused@\fI…\fR property
groupobjused    other   Allows reading any \fBgroupobjused@\fI…\fR property
userprop        other   Allows changing any user property
userquota       other   Allows accessing any \fBuserquota@\fI…\fR property
userobjquota    other   Allows accessing any \fBuserobjquota@\fI…\fR property
userused        other   Allows reading any \fBuserused@\fI…\fR property
userobjused     other   Allows reading any \fBuserobjused@\fI…\fR property
projectobjquota other   Allows accessing any \fBprojectobjquota@\fI…\fR property
projectquota    other   Allows accessing any \fBprojectquota@\fI…\fR property
projectobjused  other   Allows reading any \fBprojectobjused@\fI…\fR property
projectused     other   Allows reading any \fBprojectused@\fI…\fR property

aclinherit      property
aclmode property
acltype property
atime   property
canmount        property
casesensitivity property
checksum        property
compression     property
context property
copies  property
dedup   property
defcontext      property
devices property
dnodesize       property
encryption      property
exec    property
filesystem_limit        property
fscontext       property
keyformat       property
keylocation     property
logbias property
mlslabel        property
mountpoint      property
nbmand  property
normalization   property
overlay property
pbkdf2iters     property
primarycache    property
quota   property
readonly        property
recordsize      property
redundant_metadata      property
refquota        property
refreservation  property
relatime        property
reservation     property
rootcontext     property
secondarycache  property
setuid  property
sharenfs        property
sharesmb        property
snapdev property
snapdir property
snapshot_limit  property
special_small_blocks    property
sync    property
utf8only        property
version property
volblocksize    property
volmode property
volsize property
vscan   property
xattr   property
zoned   property
.TE
.It Xo
.Nm zfs
.Cm allow
.Fl c
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Xc
Sets
.Qq create time
permissions.
These permissions are granted
.Pq locally
to the creator of any newly-created descendent file system.
.It Xo
.Nm zfs
.Cm allow
.Fl s No @ Ns Ar setname
.Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns …
.Ar filesystem Ns | Ns Ar volume
.Xc
Defines or adds permissions to a permission set.
The set can be used by other
.Nm zfs Cm allow
commands for the specified file system and its descendents.
Sets are evaluated dynamically, so changes to a set are immediately reflected.
Permission sets follow the same naming restrictions as ZFS file systems, but the
name must begin with
.Sy @ ,
and can be no more than 64 characters long.
.It Xo
.Nm zfs
.Cm unallow
.Op Fl dglru
.Ar user Ns | Ns Ar group Ns Oo , Ns Ar user Ns | Ns Ar group Oc Ns …
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
.It Xo
.Nm zfs
.Cm unallow
.Op Fl dlr
.Fl e Ns | Ns Sy everyone
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
.It Xo
.Nm zfs
.Cm unallow
.Op Fl r
.Fl c
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
Removes permissions that were granted with the
.Nm zfs Cm allow
command.
No permissions are explicitly denied, so other permissions granted are still in
effect.
For example, if the permission is granted by an ancestor.
If no permissions are specified, then all permissions for the specified
.Ar user ,
.Ar group ,
or
.Sy everyone
are removed.
Specifying
.Sy everyone
.Po or using the
.Fl e
option
.Pc
only removes the permissions that were granted to everyone, not all permissions
for every user and group.
See the
.Nm zfs Cm allow
command for a description of the
.Fl ldugec
options.
.Bl -tag -width "-r"
.It Fl r
Recursively remove the permissions from this file system and all descendents.
.El
.It Xo
.Nm zfs
.Cm unallow
.Op Fl r
.Fl s No @ Ns Ar setname
.Oo Ar perm Ns | Ns @ Ns Ar setname Ns Oo , Ns Ar perm Ns | Ns @ Ns
.Ar setname Oc Ns … Oc
.Ar filesystem Ns | Ns Ar volume
.Xc
Removes permissions from a permission set.
If no permissions are specified, then all permissions are removed, thus removing
the set entirely.
.El
.
.Sh EXAMPLES
.\" These are, respectively, examples 17, 18, 19, 20 from zfs.8
.\" Make sure to update them bidirectionally
.Ss Example 1 : No Delegating ZFS Administration Permissions on a ZFS Dataset
The following example shows how to set permissions so that user
.Ar cindys
can create, destroy, mount, and take snapshots on
.Ar tank/cindys .
The permissions on
.Ar tank/cindys
are also displayed.
.Bd -literal -compact -offset Ds
.No # Nm zfs Cm allow Sy cindys create , Ns Sy destroy , Ns Sy mount , Ns Sy snapshot Ar tank/cindys
.No # Nm zfs Cm allow Ar tank/cindys
---- Permissions on tank/cindys --------------------------------------
Local+Descendent permissions:
        user cindys create,destroy,mount,snapshot
.Ed
.Pp
Because the
.Ar tank/cindys
mount point permission is set to 755 by default, user
.Ar cindys
will be unable to mount file systems under
.Ar tank/cindys .
Add an ACE similar to the following syntax to provide mount point access:
.Dl # Cm chmod No A+user: Ns Ar cindys Ns :add_subdirectory:allow Ar /tank/cindys
.
.Ss Example 2 : No Delegating Create Time Permissions on a ZFS Dataset
The following example shows how to grant anyone in the group
.Ar staff
to create file systems in
.Ar tank/users .
This syntax also allows staff members to destroy their own file systems, but not
destroy anyone else's file system.
The permissions on
.Ar tank/users
are also displayed.
.Bd -literal -compact -offset Ds
.No # Nm zfs Cm allow Ar staff Sy create , Ns Sy mount Ar tank/users
.No # Nm zfs Cm allow Fl c Sy destroy Ar tank/users
.No # Nm zfs Cm allow Ar tank/users
---- Permissions on tank/users ---------------------------------------
Permission sets:
        destroy
Local+Descendent permissions:
        group staff create,mount
.Ed
.
.Ss Example 3 : No Defining and Granting a Permission Set on a ZFS Dataset
The following example shows how to define and grant a permission set on the
.Ar tank/users
file system.
The permissions on
.Ar tank/users
are also displayed.
.Bd -literal -compact -offset Ds
.No # Nm zfs Cm allow Fl s No @ Ns Ar pset Sy create , Ns Sy destroy , Ns Sy snapshot , Ns Sy mount Ar tank/users
.No # Nm zfs Cm allow staff No @ Ns Ar pset tank/users
.No # Nm zfs Cm allow Ar tank/users
---- Permissions on tank/users ---------------------------------------
Permission sets:
        @pset create,destroy,mount,snapshot
Local+Descendent permissions:
        group staff @pset
.Ed
.
.Ss Example 4 : No Delegating Property Permissions on a ZFS Dataset
The following example shows to grant the ability to set quotas and reservations
on the
.Ar users/home
file system.
The permissions on
.Ar users/home
are also displayed.
.Bd -literal -compact -offset Ds
.No # Nm zfs Cm allow Ar cindys Sy quota , Ns Sy reservation Ar users/home
.No # Nm zfs Cm allow Ar users/home
---- Permissions on users/home ---------------------------------------
Local+Descendent permissions:
        user cindys quota,reservation
cindys% zfs set quota=10G users/home/marks
cindys% zfs get quota users/home/marks
NAME              PROPERTY  VALUE  SOURCE
users/home/marks  quota     10G    local
.Ed
.
.Ss Example 5 : No Removing ZFS Delegated Permissions on a ZFS Dataset
The following example shows how to remove the snapshot permission from the
.Ar staff
group on the
.Sy tank/users
file system.
The permissions on
.Sy tank/users
are also displayed.
.Bd -literal -compact -offset Ds
.No # Nm zfs Cm unallow Ar staff Sy snapshot Ar tank/users
.No # Nm zfs Cm allow Ar tank/users
---- Permissions on tank/users ---------------------------------------
Permission sets:
        @pset create,destroy,mount,snapshot
Local+Descendent permissions:
        group staff @pset
.Ed