Access Control
ZFS provides mechanisms to set and manage permissions for datasets, allowing administrators to control user access. Permissions can be configured using Unix-like permission bits, Access Control Lists (ACLs), and ZFS delegation.
Setting Permissions on Datasets
ZFS datasets follow the standard Unix permission model, where each file and directory has an owner, a group, and a set of permission bits for read, write, and execute access. These permissions can be adjusted using chmod, chown, and chgrp.
To modify basic Unix-like permissions for a ZFS dataset, the following command grants the owner full read, write, and execute permissions:
$ sudo chmod 700 /mypool/mydataset
This sets the permissions to 700, meaning the owner has full control (read, write, and execute), while no access is granted to the group or others.
Ownership of the dataset can be modified using chown:
$ sudo chown user:group /mypool/mydataset
This command assigns the specified user and group as the owner of the dataset.
In addition to standard Unix permissions, ZFS supports Access Control Lists (ACLs), allowing for more granular control over access. ACLs provide the ability to specify permissions for individual users or groups.
To assign an ACL for a specific user on a dataset:
$ sudo setfacl -m u:username:rwx /mypool/mydataset
This command grants the user username read, write, and execute access to the dataset mypool/mydataset.
Managing User Access
ZFS allows specific permissions to be delegated to non-privileged users through delegation. This feature enables users to perform certain operations (such as creating snapshots or mounting datasets) without requiring full administrative access.
Permissions can be delegated using the zfs allow command. For example, to allow a user to create snapshots on a dataset:
$ sudo zfs allow user create,snapshot mypool/mydataset
This grants the specified user permission to create datasets and snapshots on mypool/mydataset.
To view the permissions currently delegated on a dataset:
$ sudo zfs allow mypool/mydataset
To remove delegated permissions:
$ sudo zfs unallow user create,snapshot mypool/mydataset
ZFS also allows permissions to be assigned to groups, simplifying access control for multiple users. To delegate mount and unmount permissions to a group:
$ sudo zfs allow -g staff mount,unmount mypool/mydataset
The -g flag specifies that staff is a group name (-u similarly forces a user name, and -e or everyone grants a permission to all users).
Permission Sets and Delegation Scope
When the same combination of permissions is granted repeatedly, it can be named as a permission set. Set names begin with @ and are defined with the -s flag; the set can then be granted to users or groups like any single permission, and changing the set later updates every delegation that references it:
$ sudo zfs allow -s @backup snapshot,hold,send mypool
$ sudo zfs allow -u backupuser @backup mypool
By default a delegation applies to the named dataset and all of its descendants. The -l flag limits it to the named dataset only (local), and -d to the descendants only. The same flags apply to zfs unallow when removing permissions.
Delegation is not limited to subcommands: dataset properties can be delegated too, allowing a user to change them on their own datasets. For example, to let a user manage compression and quotas beneath their area:
$ sudo zfs allow -u alice compression,quota mypool/home/alice
Delegation for Non-Root Replication
The most common real-world use of delegation is replication without root. The examples on the Replication page run zfs send and zfs receive via sudo; with delegation, a dedicated unprivileged account can do this instead, so a compromised backup account cannot administer the rest of the system. On the source, the account needs to create and send snapshots; on the target, it needs to receive them:
$ sudo zfs allow -u backupuser snapshot,hold,send mypool/mydataset
$ sudo zfs allow -u backupuser receive,create,mount backuppool
Key points:
- Delegated permissions are stored in the pool, so they survive reboots and travel with the pool if it is exported and imported elsewhere.
- On Linux, the kernel does not permit unprivileged mounting, so delegations that involve mounting a dataset —
mountitself, and the automatic mount step ofcreate,clone, andreceive— still need root to perform the mount. The datasets are created and received correctly; only the mount step is restricted. FreeBSD permits it when thevfs.usermountsysctl is enabled. - A user holding
destroyorrollbackon a dataset can delete data covered by that delegation, so grant the minimum permissions the task requires — a backup account needssend, notdestroy.
By combining Unix permissions, ACLs, and delegation, ZFS provides flexible control over user access to datasets, suitable for various use cases, from simple to complex access control needs.