Redux: PSARC/2009/348 Security Labels for ZFS
Ric Aleshire
ric.aleshire at sun.com
Wed Jun 10 12:18:16 PDT 2009
Glenn Faden wrote:
> Ric Aleshire wrote:
>> Tim Haley wrote:
>>
>>> Will you allow label setting to be delegated (i.e., 'zfs allow')?
>>> All other properties support this.
>>
>> I don't have a final answer for this now. My initial reaction is "no
>> delegation", but I want to verify if there are indeed
>> special security considerations based on the MAC (mandatory access)
>> nature of this property. This differs from
>> DAC properties which are discretionary and can be modified by general
>> users. I'll get back on this one.
>>
> I don't see a problem with delegation as long as the same restrictions
> apply to the delegate as to the dataset owner.
>
> --Glenn
Ah, I may have misunderstood that part of zfs(1M):

    zfs allow [-ld] -e perm|@setname[,...] filesystem|volume
        Delegates ZFS administration permission for the file
        systems to non-privileged users.

But I agree that so long as the privileges mentioned in the case are
enforced on delegates, this property will support delegation. In that
case an additional delta to zfs(1M) will be needed and described in
the case.

-Ric