"Permission denied" for jail's root for jailed ZFS datasets, trouble delegating permissions
Thomas Steen Rasmussen
thomas at gibfest.dk
Tue Nov 11 10:18:29 UTC 2014
I am using jailed zfs datasets for backup purposes (I use one ezjail
per remote host that needs backing up, just so if a server is
compromised it can only access its own backups).
My notes from setting this up:
- first set the following sysctls:
### allow zfs in jails
Then repeat for each jail/dataset:
- create a dataset
- create a jail
- jail the dataset
- set the "jailed" property on the dataset
If I understand the manpage correctly this should be enough to manage
the dataset with the root user inside the jail.
But it isn't.
The only way I've found it possible to actually do anything with the
jailed dataset from inside the jail is to use zfs delegate *from the
host* to a user with the same uid as one inside the jail.
So I create a non-root user inside the jail with, say, uid 1001. Then
I try delegating the permissions it needs, but the root user in the
jail gets permission denied whatever I try, including "zfs delegate".
However, the root user *on the host* can successfully delegate
permissions to a user inside the jail, provided that a user with the
same uid exists on the host. After delegating, the non-root user in the
jail can manage the dataset, but the jail's root user still can't.
This seems wrong to me. I should be able to do stuff with the root
user inside the jail, including delegating to other users in the jail.
What gives?
PS. The behaviour is the same across various 9-stable and 10-stable
machines so I haven't included svn revisions as it doesn't seem to
make a difference. More details available on request.
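The per-host setup described in the post (create dataset, create jail, jail the dataset, set jailed, then delegate from inside the jail), written out as an added example rather than the poster's own notes. It assumes the jail parameters allow.mount, allow.mount.zfs and enforce_statfs from jail(8) are the prerequisites zfs(8) names for "zfs jail"; the pool, jail, path and user names are constructed, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not the poster's script): one backup jail per remote host
# with a jailed ZFS dataset that root inside the jail can manage and
# delegate. Assumed prerequisites: allow.mount=1, allow.mount.zfs=1 and
# enforce_statfs<2 on the jail (jail(8) / zfs(8) "jail" subcommand).
# Constructed names: pool "tank", jail "backup-host1", user "backup".
# DRY_RUN=1 echoes the commands; the jid is then shown as the literal $JID.
set -eu

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# jid of a named jail; jids change on every restart, so never hard-code one.
jail_jid() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo '$JID'; else jls -j "$1" jid; fi
}

# $1 = jail name, $2 = jail root path, $3 = dataset, $4 = in-jail user name
setup_backup_jail() {
    name=$1 path=$2 ds=$3 user=$4
    # Without allow.mount.zfs=1 and enforce_statfs below 2, every zfs(8)
    # call made inside the jail fails with "permission denied", even after
    # the dataset has been attached with "zfs jail".
    run jail -c name="$name" path="$path" persist \
        allow.mount=1 allow.mount.zfs=1 enforce_statfs=1
    # jailed=on at creation time keeps the host from auto-mounting it; the
    # mountpoint is then interpreted relative to the jail's root.
    run zfs create -o jailed=on -o mountpoint=/backup "$ds"
    # "zfs jail" attaches the dataset to the running jail by jid, so this
    # step has to be repeated after each jail restart.
    run zfs jail "$(jail_jid "$name")" "$ds"
    # Delegation performed *inside* the jail by the jail's root: the user
    # only needs to exist in the jail's passwd, not on the host.
    run jexec "$name" zfs allow -u "$user" \
        create,destroy,mount,receive,snapshot,rollback "$ds"
}
```

Run it with DRY_RUN=1 first to review the exact command sequence for a host before executing it for real.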