"Permission denied" for jail's root for jailed ZFS datasets, trouble delegating permissions

Thomas Steen Rasmussen thomas at gibfest.dk
Tue Nov 11 10:18:29 UTC 2014



Hello list,

I am using jailed zfs datasets for backup purposes (I use one ezjail
per remote host that needs backing up, just so if a server is
compromised it can only access its own backups).

My notes from setting this up:

- first set the following sysctls:
### allow zfs in jails
security.jail.mount_allowed=1
security.jail.enforce_statfs=1

Then repeat for each jail/dataset:
- create a dataset
- create a jail
- jail the dataset
- set the "jailed" property on the dataset

If I understand the manpage correctly this should be enough to manage
the dataset with the root user inside the jail.

But it isn't.

The only way I've found it possible to actually do anything with the
jailed dataset from inside the jail is to use zfs delegate *from the
host* to a user with the same uid as one inside the jail.

So I create a non-root user inside the jail with, say, uid 1001. Then
I try delegating the permissions it needs, but the root user in the
jail gets permission denied whatever I try, including "zfs delegate".

However, the root user *on the host* can successfully delegate
permissions to a user inside the jail, provided that a user with the
same uid exists on the host. After delegating, the non-root user in the
jail can manage the dataset, but the jail's root user still can't.

This seems wrong to me. I should be able to do stuff with the root
user inside the jail, including delegating to other users in the jail.

What gives?


Thanks!

/Thomas

ps. The behaviour is the same across various 9-stable and 10-stable
machines so I haven't included svn revisions as it doesn't seem to
make a difference. More details available on request.
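The setup steps and the host-side delegation workaround described in the post, written out as an added shell example (it is not code from the original message, from ezjail or from FreeBSD). The pool name tank, the dataset tank/backups/backup1, the jail name backup1, the host user backupuser (assumed to exist on the host with the same uid as the jail user) and all function names are assumptions; creating the jail itself is left to ezjail-admin. The check function runs the verifications a practitioner would want from the host, including the /dev/zfs requirement that the FreeBSD zfs(8) man page states for managing a jailed dataset; the example reproduces the procedure and does not claim to explain why the jail's root user is refused.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: pool "tank",
# dataset tank/backups/backup1, jail "backup1", host user "backupuser"
# (must exist on the host with the same uid as the user in the jail).
# Set DRY_RUN=1 to print the commands instead of executing them.
DRY_RUN="${DRY_RUN:-0}"

run() {
    # Print the command in dry-run mode, otherwise execute it.
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1 (once per host): the two sysctls from the post.
enable_jail_mounts() {
    run sysctl security.jail.mount_allowed=1
    run sysctl security.jail.enforce_statfs=1
}

# Steps 2-4 (per jail): create the dataset, attach it to the jail
# (jail id or name, as accepted by zfs jail), then set the jailed
# property. Creating the jail (ezjail-admin create ...) happens before.
jail_dataset() {
    ds="$1"; jl="$2"
    run zfs create "$ds"
    run zfs jail "$jl" "$ds"
    run zfs set jailed=on "$ds"
}

# The workaround from the post: delegate from the host to a user that
# exists on the host with the jail user's uid. The permission list is
# a plausible set for a backup target, not taken from the post.
delegate_from_host() {
    ds="$1"; user="$2"
    run zfs allow -u "$user" create,destroy,mount,snapshot,rollback,receive "$ds"
}

# Checks to run from the host: sysctl values, the jailed property,
# /dev/zfs visible inside the jail (required per zfs(8)), and what the
# jail itself sees in terms of datasets and delegated permissions.
check_jailed_dataset() {
    ds="$1"; jl="$2"
    run sysctl -n security.jail.mount_allowed
    run sysctl -n security.jail.enforce_statfs
    run zfs get -H -o value jailed "$ds"
    run jexec "$jl" ls -l /dev/zfs
    run jexec "$jl" zfs list -r "$ds"
    run jexec "$jl" zfs allow "$ds"
}

# Usage: sh jailed-zfs.sh setup   |   sh jailed-zfs.sh check
case "${1:-}" in
    setup)
        enable_jail_mounts
        jail_dataset tank/backups/backup1 backup1
        delegate_from_host tank/backups/backup1 backupuser
        ;;
    check)
        check_jailed_dataset tank/backups/backup1 backup1
        ;;
esac
```

Running it with DRY_RUN=1 first prints the exact command sequence, which is also the easiest thing to paste into a follow-up when reporting what was tried.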

