Zpool scrub and not-root users
Jeremy Chadwick
freebsd at jdc.parodius.com
Tue May 25 20:13:18 UTC 2010
On Tue, May 25, 2010 at 03:21:56PM -0400, jhell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/24/2010 15:04, Jeremy Chadwick wrote:
> > On Mon, May 24, 2010 at 05:00:03PM +0200, Mikkel Skaerris wrote:
> >> Im wondering if there is a way of allowing non-root users to perform a disk
> >> scrub using zpool scrub <pool>. I've been messing around with permissions,
> >> but no luck so far. Anyone got a clue?
> >
> > One question: why? Followed by one answer: sudo. :-)
> >
>
> He does not need to add another layer of insecurity to his system such
> as sudo. Not saying that this is bad but it feels like a little overkill
> for something as simple as this.
>
> This can be done old-school.
>
> pw groupadd _zfsadm
> pw groupmod _zfsadm -m {username}
> chmod u+s,o-rx /sbin/zpool
> chown :_zfsadm /sbin/zpool
>
> Repeat command line 2 for every user you want to have root type access
> to /sbin/zpool.
>
> Of course you do not need the zfsadm group to do this. You could just
> use the wheel group which in turn gives any member of that group su(1)
> access to the root user, so you commands would turn into...
>
> pw groupmod wheel -m {username}
> chmod u+s,o-rx /sbin/zpool
>
> Because this binary is already installed group wheel there is no need to
> chown it. And this is a little more implicit that you trust anyone with
> access to the zpool command will also be having access to su(1)
>
> Pick one, and Ill leave the "how to keep these permissions through
> upgrades/updates of world" up to you.
If I'm misunderstanding what the OP wants, then I welcome correction. I
read the Op to want users to be able to run "zpool scrub", so I took
that literally -- "/sbin/zpool scrub <pool>" and nothing more.
sudo offers the ability for the OP to provide root-level access to
defined users and ONLY the ability to run "/sbin/zpool scrub {pool}" and
nothing more (e.g. not "/sbin/zpool remove" or similar). It could also
be used to define certain users to scrub only certain pools.
Your first and second solutions allow any user added to _zfsadm and
group wheel, respectively, the ability to use /sbin/zpool. I hear
"zpool destroy -f" is a fun command to run while the system
administrator isn't looking. :-)
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
More information about the freebsd-stable
mailing list