Access Control

ZFS provides mechanisms to set and manage permissions for datasets, allowing administrators to control user access. Permissions can be configured using Unix-like permission bits, Access Control Lists (ACLs), and ZFS delegation.

Setting Permissions on Datasets

ZFS datasets follow the standard Unix permission model, where each file and directory has an owner, a group, and a set of permission bits for read, write, and execute access. These permissions can be adjusted using chmod, chown, and chgrp.

To modify basic Unix-like permissions for a ZFS dataset, the following command grants the owner full read, write, and execute permissions:

$ sudo chmod 700 /mypool/mydataset

This sets the permissions to 700, meaning the owner has full control (read, write, and execute), while no access is granted to the group or others.

Ownership of the dataset can be modified using chown:

$ sudo chown user:group /mypool/mydataset

This command assigns the specified user and group as the owner of the dataset.

In addition to standard Unix permissions, ZFS supports Access Control Lists (ACLs), allowing for more granular control over access. ACLs provide the ability to specify permissions for individual users or groups.

To assign an ACL for a specific user on a dataset:

$ sudo setfacl -m u:username:rwx /mypool/mydataset

This command grants the user username read, write, and execute access to the dataset mypool/mydataset.

Managing User Access

ZFS allows specific permissions to be delegated to non-privileged users through delegation. This feature enables users to perform certain operations (such as creating snapshots or mounting datasets) without requiring full administrative access.

Permissions can be delegated using the zfs allow command. For example, to allow a user to create snapshots on a dataset:

$ sudo zfs allow user create,snapshot mypool/mydataset

This grants the specified user permission to create datasets and snapshots on mypool/mydataset.

To view the permissions currently delegated on a dataset:

$ sudo zfs allow mypool/mydataset

To remove delegated permissions:

$ sudo zfs unallow user create,snapshot mypool/mydataset

ZFS also allows permissions to be assigned to groups, simplifying access control for multiple users. To delegate mount and unmount permissions to a group:

$ sudo zfs allow -g staff mount,unmount mypool/mydataset

The -g flag specifies that staff is a group name (-u similarly forces a user name, and -e or everyone grants a permission to all users).

Permission Sets and Delegation Scope

When the same combination of permissions is granted repeatedly, it can be named as a permission set. Set names begin with @ and are defined with the -s flag; the set can then be granted to users or groups like any single permission, and changing the set later updates every delegation that references it:

$ sudo zfs allow -s @backup snapshot,hold,send mypool
$ sudo zfs allow -u backupuser @backup mypool

By default a delegation applies to the named dataset and all of its descendants. The -l flag limits it to the named dataset only (local), and -d to the descendants only. The same flags apply to zfs unallow when removing permissions.

Delegation is not limited to subcommands: dataset properties can be delegated too, allowing a user to change them on their own datasets. For example, to let a user manage compression and quotas beneath their area:

$ sudo zfs allow -u alice compression,quota mypool/home/alice

Delegation for Non-Root Replication

The most common real-world use of delegation is replication without root. The examples on the Replication page run zfs send and zfs receive via sudo; with delegation, a dedicated unprivileged account can do this instead, so a compromised backup account cannot administer the rest of the system. On the source, the account needs to create and send snapshots; on the target, it needs to receive them:

$ sudo zfs allow -u backupuser snapshot,hold,send mypool/mydataset
$ sudo zfs allow -u backupuser receive,create,mount backuppool

Key points:

  • Delegated permissions are stored in the pool, so they survive reboots and travel with the pool if it is exported and imported elsewhere.
  • On Linux, the kernel does not permit unprivileged mounting, so delegations that involve mounting a dataset — mount itself, and the automatic mount step of create, clone, and receive — still need root to perform the mount. The datasets are created and received correctly; only the mount step is restricted. FreeBSD permits it when the vfs.usermount sysctl is enabled.
  • A user holding destroy or rollback on a dataset can delete data covered by that delegation, so grant the minimum permissions the task requires — a backup account needs send, not destroy.

By combining Unix permissions, ACLs, and delegation, ZFS provides flexible control over user access to datasets, suitable for various use cases, from simple to complex access control needs.