non-root user can not create zfs filesystem?
lhmwzy at gmail.com
Wed Oct 22 04:16:27 PDT 2008
Thanks very much for your reply.
I'm very sorry for the last mail, I didn't see the CC is empty, I'm not
2008/10/22 Jeremy Chadwick <koitsu at freebsd.org>:
> On Wed, Oct 22, 2008 at 06:54:49PM +0800, lhmwzy wrote:
>> I transfer data to a remote machine using zfs.
>> for example:
>> # zfs send pool/www@today | ssh -l lhm 10.67.141.80 zfs receive www/102
>> If I log in to 10.67.141.80 through a non-root user, it says:
>> cannot receive: permission denied
>> cannot send 'pool/www@today': Broken pipe
>> But logging in to a remote machine as root through ssh is not a good idea, right?
>> 2008/10/22 Jeremy Chadwick <koitsu at freebsd.org>:
>> > On Wed, Oct 22, 2008 at 05:13:21PM +0800, lhmwzy wrote:
>> >> $ zfs create www/lhm
>> >> cannot create 'www/lhm': permission denied
>> >> How do I do this, or when can I do this?
>> > Creating a filesystem is something that can only be done by root. I'm
>> > not sure what gave you the impression non-root users can do this...?
> This problem has nothing to do with ZFS, it has to do with SSH.
> You need to do a few things for this to work. Here's a very quick way:
> 1) Make a public key on the machine you're doing "zfs send" from.
>    Run ssh-keygen as root.
> 2) Place contents of /root/.ssh/id_rsa.pub in /root/.ssh/authorized_keys
>    on 10.67.141.80. Make sure the /root/.ssh directory is perm 0700,
>    and authorized_keys is perm 0600.
> 3) On 10.67.141.80, edit /etc/ssh/sshd_config and change this line:
>      #PermitRootLogin no
>      PermitRootLogin without-password
> 4) Send a SIGHUP signal to the master sshd process. This might
>    disconnect any existing SSH sessions to the machine:
>      kill -HUP `cat /var/run/sshd.pid`
> If you're concerned about what "without-password" does, read the man
> page. It WILL NOT let people SSH into the root account, UNLESS they
> have the private key (on zfs_send_host). That's the ONLY WAY they can
> get in as root.
> You may want to secure things down a bit more by editing
> /root/.ssh/authorized_keys on 10.67.141.80 to only allow certain
> commands to be executed (specifically "zfs receive"). You can look on
> Google for how to do this.
> Finally, why did you remove the mailing list from the CC list? Now
> no one knows what we've discussed, which isn't good.
> | Jeremy Chadwick jdc at parodius.com |
> | Parodius Networking http://www.parodius.com/ |
> | UNIX Systems Administrator Mountain View, CA, USA |
> | Making life hard for others since 1977. PGP: 4BD6C0CB |
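The restriction suggested at the end of the reply above (limiting the key in /root/.ssh/authorized_keys on 10.67.141.80 to "zfs receive"), as an added example that is not part of the original thread. The script path, the `www/` dataset prefix and the key placeholder are assumptions; `command=` and the `no-*` options are standard OpenSSH authorized_keys options.

```sh
#!/bin/sh
# Added example, not from the thread. Hypothetical install path on 10.67.141.80:
#   /root/bin/zfs-recv-only.sh
# Matching /root/.ssh/authorized_keys entry (one line, key is a placeholder):
#   command="/root/bin/zfs-recv-only.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <PUBLIC_KEY_PLACEHOLDER>

# Assumption: this key may only receive into datasets below the "www" pool.
ALLOWED_PREFIX="www/"

# Succeeds and prints the dataset only if the request is exactly
# "zfs receive <dataset>" with a plain dataset name under ALLOWED_PREFIX.
validate_request() {
    req=$1
    case $req in
        "zfs receive "*) ds=${req#"zfs receive "} ;;
        *) return 1 ;;
    esac
    # No empty name, no options, nothing outside a conservative character set
    # (this also rejects spaces, ';', '|', '$' and backticks).
    case $ds in
        ""|-*|*[!A-Za-z0-9_./-]*) return 1 ;;
    esac
    # No "..", empty components or trailing slash; must be under the prefix.
    case $ds in
        *..*|*//*|*/) return 1 ;;
        "$ALLOWED_PREFIX"*) printf '%s\n' "$ds" ;;
        *) return 1 ;;
    esac
}

# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND and runs
# this script instead of it. With no requested command nothing runs at all.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if ds=$(validate_request "$SSH_ORIGINAL_COMMAND"); then
        exec zfs receive "$ds"      # stdin still carries the "zfs send" stream
    fi
    echo "rejected command: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

With this entry in place, the private key on the sending host can only stream into datasets under `www/`; a request for a shell or any other command is refused even though `PermitRootLogin without-password` is set.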