Access Control

ZFS provides mechanisms to set and manage permissions for datasets, allowing administrators to control user access. Permissions can be configured using Unix-like permission bits, Access Control Lists (ACLs), and ZFS delegation.

Setting Permissions on Datasets

ZFS datasets follow the standard Unix permission model, where each file and directory has an owner, a group, and a set of permission bits for read, write, and execute access. These permissions can be adjusted using chmod, chown, and chgrp.

Basic Unix permissions are changed with chmod on the dataset's mount point. The following command grants the owner full read, write, and execute permissions:

$ sudo chmod 700 /mypool/mydataset

This sets the permissions to 700, meaning the owner has full control (read, write, and execute), while no access is granted to the group or others.

Ownership of the dataset can be modified using chown:

$ sudo chown user:group /mypool/mydataset

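This command makes the specified user the owner, and the specified group the owning group, of the dataset's top-level directory. Without the -R option, files and directories already inside it keep their existing ownership.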

In addition to standard Unix permissions, ZFS supports Access Control Lists (ACLs), allowing for more granular control over access. ACLs provide the ability to specify permissions for individual users or groups.

To assign an ACL for a specific user on a dataset:

$ sudo setfacl -m u:username:rwx /mypool/mydataset

This command grants the user username read, write, and execute access to /mypool/mydataset. On Linux, setfacl works on a ZFS dataset only when the dataset's acltype property is set to posixacl.

Managing User Access

ZFS allows specific permissions to be delegated to non-privileged users through delegation. This feature enables users to perform certain operations (such as creating snapshots or mounting datasets) without requiring full administrative access.

Permissions can be delegated using the zfs allow command. For example, to allow a user to create datasets and snapshots on a dataset:

$ sudo zfs allow user create,snapshot mypool/mydataset

This grants the specified user permission to create datasets and snapshots on mypool/mydataset.

To view the permissions currently delegated on a dataset:

$ sudo zfs allow mypool/mydataset

To remove delegated permissions:

$ sudo zfs unallow user create,snapshot mypool/mydataset

ZFS also allows permissions to be assigned to groups, simplifying access control for multiple users. To delegate mount and unmount permissions to a group:

$ sudo zfs allow @group mount,unmount mypool/mydataset

Here, @group refers to the group that will be granted these permissions.
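
The listing printed by zfs allow mypool/mydataset can be reviewed mechanically. The script below is an added example, not part of the original page: it reads that listing and reports grants that deserve a second look. The RISKY list, the function names, and the sample listing (users alice and bob, group staff) are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: flag delegations in `zfs allow <dataset>` output for review.

# Assumed review list (not from the page): permissions that can delete or
# overwrite data, or pass rights on to other users.
RISKY="destroy rollback rename receive allow"

# Constructed sample in the layout that `zfs allow mypool/mydataset` prints.
sample_zfs_allow() {
    cat <<'EOF'
---- Permissions on mypool/mydataset ---------------------------------
Local+Descendent permissions:
    user alice create,snapshot
    user bob destroy,mount,snapshot
    group staff mount,unmount
    everyone rollback,snapshot
EOF
}

# Reads a listing on stdin; prints "dataset scope grantee permissions" for
# each risky grant, and for every grant made to "everyone".
audit_zfs_allow() {
    awk -v risky="$RISKY" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        /^---- Permissions on / { dataset = $4; next }
        / permissions:$/ { scope = $0; sub(/ permissions:$/, "", scope); next }
        {
            if ($1 == "user" || $1 == "group") { who = $1 ":" $2; perms = $3 }
            else if ($1 == "everyone")         { who = "everyone"; perms = $2 }
            else next                          # permission sets, blank lines
            hits = ""
            m = split(perms, p, ",")
            for (i = 1; i <= m; i++)
                if (p[i] in bad) hits = hits (hits == "" ? "" : ",") p[i]
            if (who == "everyone") hits = perms
            if (hits != "") print dataset, scope, who, hits
        }
    '
}

# On a live system: zfs allow mypool/mydataset | audit_zfs_allow
sample_zfs_allow | audit_zfs_allow
```

For the sample listing, the script reports bob's destroy grant and both permissions given to everyone; alice and staff pass without a finding.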

By combining Unix permissions, ACLs, and delegation, ZFS provides flexible control over user access to datasets, suitable for various use cases, from simple to complex access control needs.