zfs_allow(8) man page - WindyHana's Solanara


zfs_allow(8)

System Administration Commands                                    zfs_allow(8)



NAME
       zfs_allow - delegates ZFS file system administration permission to non-
       privileged users

SYNOPSIS
       zfs help subcommand | help | property property-name | permission


       zfs help -l properties


       zfs allow filesystem|volume


       zfs allow [-ldug] everyone|user|group[,...] perm|@setname[,...]
            filesystem|volume


       zfs allow [-ld] -e perm|@setname[,...] filesystem|volume


       zfs allow -c perm|@setname[,...] filesystem|volume


       zfs allow -s @setname perm|@setname[,...] filesystem|volume


       zfs unallow [-rldug] everyone|user|group[,...] [perm|@setname[,...]]
            filesystem|volume


       zfs unallow [-rld] -e [perm|@setname[,...]] filesystem|volume


       zfs unallow [-r] -c [perm|@setname[,...]] filesystem|volume


       zfs unallow [-r] -s @setname [perm|@setname[,...]] filesystem|volume

DESCRIPTION
       The zfs allow command can be used to delegate permissions to
       non-privileged users for administering ZFS file systems in a ZFS
       storage pool, as described in zpool(8). You can use the zfs unallow
       command to revoke administrative permissions.


       Permissions are generally the ability to use a ZFS subcommand or change
       a ZFS property. The following permissions are available:

         # zfs help permissions
         The following delegated permissions are supported:

         NAME             TYPE           NOTES
         allow            subcommand     Must also have the permission that is being
                                         allowed
         clone            subcommand     Must also have the 'create' ability and 'mount'
                                         ability in the origin file system
         create           subcommand     Must also have the 'mount' ability
         destroy          subcommand     Must also have the 'mount' ability
         diff             subcommand     Allows lookup of paths within a dataset,
                                         given an object number. Ordinary users need this
                                         in order to use zfs diff
         hold             subcommand     Allows adding a user hold to a snapshot
         mount            subcommand     Allows mount/umount of ZFS datasets
         promote          subcommand     Must also have the 'mount'
                                         and 'promote' ability in the origin file system
         receive          subcommand     Must also have the 'mount' and 'create' ability
         release          subcommand     Allows releasing a user hold which
                                         might destroy the snapshot
         rename           subcommand     Must also have the 'mount' and 'create'
                                         ability in the new parent
         rollback         subcommand     Allows rolling back datasets to previously-taken snapshots
         send             subcommand     Allows sending of snapshots
         share            subcommand     Allows sharing file systems over NFS or SMB
                                         protocols
         snapshot         subcommand     Allows taking of snapshots
         groupquota       other          Allows accessing any groupquota@... property
         groupused        other          Allows reading any groupused@... property
         key              other          Allows load/unload of dataset key
         keychange        other          Allows key change operations
         userprop         other          Allows changing any user property
         userquota        other          Allows accessing any userquota@... property
         userused         other          Allows reading any userused@... property

         The following properties can have delegated permissions applied:
         aclinherit       aclmode          atime             canmount
         casesensitivity  checksum         compression       copies
         dedup            defaultuserquota defaultgroupquota devices
         encryption       exec             keysource         logbias
         mountpoint       multilevel       nbmand            normalization
         primarycache     quota            readonly          recordsize
         refquota         refreservation   reservation       rstchown
         secondarycache   setuid           shadow            sharenfs
         sharesmb         snapdir          sync              utf8only
         version          volblocksize     volsize           vscan
         xattr            zoned



SUBCOMMANDS
       All subcommands that modify state are logged persistently to  the  pool
       in their original form.

       zfs ?

           Displays a help message.


       zfs help command | help | property property-name | permission

           Displays  zfs command usage information. You can display help for a
           specific command, property, or delegated permission. If you display
           help  for  a  specific  command  or property, the command syntax or
           property value is displayed. Using zfs help without  any  arguments
           displays a complete list of zfs commands.


       zfs help -l properties

           Displays zfs property information, including whether each property
           value is editable and inheritable, and its possible values.


       zfs allow filesystem | volume

           Displays permissions that have  been  delegated  on  the  specified
           filesystem  or  volume.  See  the other forms of zfs allow for more
           information.


       zfs allow [-ldug] everyone|user|group[,...] perm|@setname[,...]
            filesystem|volume
       zfs allow [-ld] -e perm|@setname[,...] filesystem|volume

           Delegates  ZFS  administration  permission  for the file systems to
           non-privileged users.

           [-ug] everyone|user|group[,...]

               Specifies to whom the permissions are delegated. Multiple
               entities can be specified as a comma-separated list. If neither
               the -u nor the -g option is specified, then the argument is
               interpreted preferentially as the keyword everyone, then as a
               user name, and lastly as a group name. To specify a user or
               group named "everyone", use the -u or -g option. To specify a
               group with the same name as a user, use the -g option.


           [-e] perm|@setname[,...]

               Specifies that the permissions be delegated to everyone.
               Multiple permissions may be specified as a comma-separated
               list. Permission names are the same as ZFS subcommand and
               property names. See the permission and property lists in
               DESCRIPTION. Permission set names, which begin with an at sign
               (@), may be specified. See the -s form below for details.


           [-ld] filesystem|volume

               Specifies where the permissions are delegated. If neither of
               the -ld options is specified, or both are, then the permissions
               are allowed for the file system or volume, and all of its
               descendents. If only the -l option is used, then the permission
               is allowed "locally" only for the specified file system. If
               only the -d option is used, then the permission is allowed only
               for the descendent file systems.




       zfs allow -c perm|@setname[,...] filesystem|volume

           Sets "create time" permissions. These permissions are granted
           (locally) to the creator of any newly-created descendent file
           system.


       zfs allow -s @setname perm|@setname[,...] filesystem|volume

           Defines or adds permissions to a permission set. The set can be
           used by other zfs allow commands for the specified file system and
           its descendents. Sets are evaluated dynamically, so changes to a
           set are immediately reflected. Permission sets follow the same
           naming restrictions as ZFS file systems, but the name must begin
           with an "at sign" (@), and can be no more than 64 characters long.


       zfs unallow [-rldug] everyone|user|group[,...] [perm|@setname[,...]]
            filesystem|volume
       zfs unallow [-rld] -e [perm|@setname[,...]] filesystem|volume
       zfs unallow [-r] -c [perm|@setname[,...]] filesystem|volume

           Removes permissions that were granted with the zfs allow command.
           No permissions are explicitly denied, so other permissions that
           were granted remain in effect, for example, a permission granted
           by an ancestor. If no permissions are specified, then all
           permissions for the specified user, group, or everyone are removed.
           Specifying everyone (or using the -e option) only removes the
           permissions that were granted to everyone, not all permissions for
           every user and group. See the zfs allow command for a description
           of the -ldugec options.

           -r

               Recursively  remove  the  permissions from this file system and
               all descendents.






       zfs unallow [-r] -s @setname [perm|@setname[,...]]
       filesystem|volume

           Removes permissions from a permission set. If  no  permissions  are
           specified,  then all permissions are removed, thus removing the set
           entirely.



EXAMPLES
       Example 1 Delegating ZFS Administration Permissions on a ZFS Dataset



       The following example shows how to set permissions so  that  user  anne
       can  create,  destroy, mount, and take snapshots on pool/home/anne. The
       permissions on pool/home/anne are also displayed.


         # zfs allow anne create,destroy,mount,snapshot pool/home/anne
         # zfs allow pool/home/anne
         ---- Permissions on pool/home/anne -----------------------------------
         Local+Descendent permissions:
                 user anne create,destroy,mount,snapshot




       Because the pool/home/anne mount point permission  is  set  to  755  by
       default,  user  anne  will  be  unable  to  mount  file  systems  under
       pool/home/anne. Set an ACL similar to the following syntax  to  provide
       mount point access:


         # chmod A+user:anne:add_subdirectory:allow /pool/home/anne


       Example 2 Delegating Create Time Permissions on a ZFS Dataset



       The following example shows how to allow anyone in the group staff to
       create file systems in pool/home. This syntax also allows staff members
       to destroy their own file systems, but not destroy anyone else's file
       system. The permissions on pool/home are also displayed.


         # zfs allow staff create,mount pool/home
         # zfs allow -c destroy pool/home
         # zfs allow pool/home
         ---- Permissions on pool/home ----------------------------------------
         Create time permissions:
                 destroy
         Local+Descendent permissions:
                 group staff create,mount


       Example 3 Defining and Granting a Permission Set on a ZFS Dataset



       The following example shows how to define and grant a permission set on
       the pool/home file system. The permissions on pool/home are also
       displayed.


         # zfs allow -s @pset create,destroy,snapshot,mount pool/home
         # zfs allow staff @pset pool/home
         # zfs allow pool/home
         ---- Permissions on pool/home ----------------------------------------
         Permission sets:
                 @pset create,destroy,mount,snapshot
         Create time permissions:
                 destroy
         Local+Descendent permissions:
                 group staff @pset,create,mount


       Example 4 Delegating Property Permissions on a ZFS Dataset



       The following example shows how to grant the ability to set quotas and
       reservations on the tank/users file system. The permissions on
       tank/users are also displayed.


         # zfs allow mark quota,reservation tank/users
         # zfs allow tank/users
         ---- Permissions on tank/users ---------------------------------------
         Local+Descendent permissions:
                 user mark quota,reservation
         mark% zfs set quota=10G tank/users/tim
         mark% zfs get quota tank/users/tim
         NAME            PROPERTY  VALUE  SOURCE
         tank/users/tim  quota     10G    local


       Example 5 Removing ZFS Delegated Permissions on a ZFS Dataset



       The following example shows how to remove the snapshot permission from
       the @pset permission set for the staff group on the pool/home file
       system. The permissions on pool/home are also displayed.


         # zfs unallow -s @pset snapshot pool/home
         # zfs allow pool/home
         ---- Permissions on pool/home ----------------------------------------
         Permission sets:
                 @pset create,destroy,mount
         Create time permissions:
                 destroy
         Local+Descendent permissions:
                 group staff @pset,create,mount
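

       Added example (not part of the Oracle man page): in the Example 3
       listing, group staff appears with @pset,create,mount, so the destroy
       permission it holds through the set is not visible on that line. The
       shell functions below resolve set references in zfs allow output and
       list grants that match a review list; the function names, the row
       format, the default review list, and the line shape assumed for
       everyone grants are assumptions of this example.

```shell
# expand_allow: read `zfs allow <dataset>` output on stdin; print one row per
# grant as dataset|scope|principal|permissions, with @set references resolved.
expand_allow() {
  awk '
    function expand(list, seen,    n, i, p, add, out) {  # sets may nest
      n = split(list, p, ",")
      for (i = 1; i <= n; i++) {
        if (p[i] in seen) continue                       # dedupe, stop cycles
        seen[p[i]] = 1
        if (p[i] !~ /^@/) add = p[i]
        else add = (p[i] in sets) ? expand(sets[p[i]], seen) : p[i] "(undefined)"
        if (add != "") out = out (out == "" ? "" : ",") add
      }
      return out
    }
    $1 == "----" { ds = $4; next }       # ---- Permissions on <dataset> ----
    /:[ \t]*$/   { scope = $0; sub(/^[ \t]+/, "", scope)
                   sub(/( permissions)?:[ \t]*$/, "", scope); next }
    NF == 0      { next }
    scope == "Permission sets" { sets[$1] = $2; next }
    {                                    # buffer rows until every set is read
      cnt++; d[cnt] = ds; s[cnt] = scope
      if (NF == 1)      { who[cnt] = "creator"; perms[cnt] = $1 }  # create time
      else if (NF == 2) { who[cnt] = $1;        perms[cnt] = $2 }  # assumed: everyone <perms>
      else              { who[cnt] = $1 ":" $2; perms[cnt] = $3 }  # user|group <name> <perms>
    }
    END { for (k = 1; k <= cnt; k++) {
            split("", seen)
            print d[k] "|" s[k] "|" who[k] "|" expand(perms[k], seen) } }'
}

# review_grants: keep rows granting anything on the review list. The default
# list is an assumption of this example, not a category defined by ZFS.
review_grants() {
  awk -F"|" -v want="${REVIEW_PERMS:-allow,destroy,rollback,key,keychange}" '
    BEGIN { n = split(want, w, ",") }
    { m = split($4, have, ","); hit = ""
      for (i = 1; i <= m; i++) for (j = 1; j <= n; j++)
        if (have[i] == w[j]) hit = hit (hit == "" ? "" : ",") have[i]
      if (hit != "") print $1 "|" $3 "|" hit }'
}

# Constructed sample input: the Example 3 listing (header rule shortened).
sample_allow_output() { printf '%s\n' \
  '---- Permissions on pool/home ----' 'Permission sets:' \
  '        @pset create,destroy,mount,snapshot' 'Create time permissions:' \
  '        destroy' 'Local+Descendent permissions:' \
  '        group staff @pset,create,mount'; }
sample_allow_output | expand_allow | review_grants
```

       On a live system, feed the functions real output instead of the
       sample: zfs allow pool/home | expand_allow | review_grants.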


EXIT STATUS
       The following exit values are returned:

       0

           Successful completion.


       1

           An error occurred.


       2

           Invalid command line options were specified.


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       ATTRIBUTE TYPE         ATTRIBUTE VALUE
       Availability           system/file-system/zfs
       Interface Stability    Committed


SEE ALSO
       chmod(2), chown(2), attributes(7), zfs(8), zpool(8)


       For information about using  other  ZFS  features,  see  zfs_encrypt.8,
       zfs_share.8, zfs(8) and the Managing ZFS File Systems in Oracle Solaris
       11.4.



Oracle Solaris 11.4               3 Jul 2012                      zfs_allow(8)
Copyright in the man page content belongs to the man page authors.