Zpool scrub and not-root users

Jeremy Chadwick freebsd at jdc.parodius.com
Tue May 25 20:13:18 UTC 2010


On Tue, May 25, 2010 at 03:21:56PM -0400, jhell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 05/24/2010 15:04, Jeremy Chadwick wrote:
> > On Mon, May 24, 2010 at 05:00:03PM +0200, Mikkel Skaerris wrote:
> >> I'm wondering if there is a way of allowing non-root users to perform a disk
> >> scrub using zpool scrub <pool>. I've been messing around with permissions,
> >> but no luck so far. Anyone got a clue?
> > 
> > One question: why?  Followed by one answer: sudo.  :-)
> > 
> 
> He does not need to add another layer of insecurity to his system such
> as sudo. Not saying that this is bad but it feels like a little overkill
> for something as simple as this.
> 
> This can be done old-school.
> 
> pw groupadd _zfsadm
> pw groupmod _zfsadm -m {username}
> chmod u+s,o-rx /sbin/zpool
> chown :_zfsadm /sbin/zpool
> 
> Repeat command line 2 for every user you want to have root type access
> to /sbin/zpool.
> 
> Of course you do not need the zfsadm group to do this. You could just
> use the wheel group which in turn gives any member of that group su(1)
> access to the root user, so your commands would turn into...
> 
> pw groupmod wheel -m {username}
> chmod u+s,o-rx /sbin/zpool
> 
> Because this binary is already installed group wheel there is no need to
> chown it. And this is a little more implicit that you trust anyone with
> access to the zpool command will also be having access to su(1)
> 
> Pick one, and I'll leave the "how to keep these permissions through
> upgrades/updates of world" up to you.

If I'm misunderstanding what the OP wants, then I welcome correction.  I
read the OP to want users to be able to run "zpool scrub", so I took
that literally -- "/sbin/zpool scrub <pool>" and nothing more.

sudo offers the ability for the OP to provide root-level access to
defined users and ONLY the ability to run "/sbin/zpool scrub {pool}" and
nothing more (e.g. not "/sbin/zpool remove" or similar).  It could also
be used to define certain users to scrub only certain pools.

Your first and second solutions allow any user added to _zfsadm and
group wheel, respectively, the ability to use /sbin/zpool.  I hear
"zpool destroy -f" is a fun command to run while the system
administrator isn't looking.  :-)

-- 
| Jeremy Chadwick                                   jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
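
The restriction described in the reply above, written out as a sudoers fragment. This is an added example, not part of the original message; the user names (alice, bob), the pool names (tank, backup) and the drop-in file path are assumptions chosen for illustration.

```sudoers
# Assumed location for a sudo installed from FreeBSD ports:
#   /usr/local/etc/sudoers.d/zpool-scrub
# Edit with "visudo -f <file>" so a syntax error cannot lock sudo out.

# Hypothetical users who may start or stop a scrub.
User_Alias  SCRUB_TANK_USERS   = alice, bob
User_Alias  SCRUB_BACKUP_USERS = bob

# Each command is listed with its full argument string. sudo matches the
# arguments exactly, so "zpool destroy", "zpool remove" and every other
# subcommand stay root-only. "scrub -s" stops a running scrub.
Cmnd_Alias  SCRUB_TANK   = /sbin/zpool scrub tank, \
                           /sbin/zpool scrub -s tank
Cmnd_Alias  SCRUB_BACKUP = /sbin/zpool scrub backup, \
                           /sbin/zpool scrub -s backup

# Avoid a rule such as "/sbin/zpool scrub *": wildcards in sudoers
# arguments match across word boundaries, so the rule would accept
# more than a single pool name.

# Per-pool grants: alice may scrub only tank, bob may scrub both pools.
SCRUB_TANK_USERS    ALL = (root) SCRUB_TANK
SCRUB_BACKUP_USERS  ALL = (root) SCRUB_BACKUP

# Contrast with the setuid approach quoted above: after
# "chmod u+s /sbin/zpool", every member of the group can run every
# zpool subcommand as root, and the mode must be reapplied whenever
# the binary is reinstalled.
```

`visudo -cf <file>` checks the fragment's syntax before it goes live, and `sudo -l -U alice` run as root lists exactly what that user has been granted.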



More information about the freebsd-stable mailing list