allanjude / zxfer

A continuation of development on zxfer, a popular script for managing ZFS snapshot replication
BSD 2-Clause "Simplified" License

Documentation of required permissions for sender/receiver? #31

Open DarwinAwardWinner opened 7 years ago

DarwinAwardWinner commented 7 years ago

I'm in the process of setting up cross-host backup of snapshots using zxfer, and I want to do so without giving either system passwordless root ssh access to the other. So I would like to set up a dedicated sender account on one host and a receiver account on the other and then use zfs allow to give these accounts the minimum required set of permissions to do their jobs. To this end, it would be useful to document which privileges are required for the sending side and which are required for the receiving side.

DarwinAwardWinner commented 7 years ago

Alternatively, for Linux users who (as far as I know) don't have ZFS delegation yet, it would be good to document the minimum required set of commands to allow in the sudoers file.

allanjude commented 7 years ago

This is difficult to document, because it is different depending on a number of factors.

Basically, you need create/destroy/mount/unmount, plus access to set every property you are going to replicate.

For instructions on setting up passwordless ssh (ideally without root), see: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/zfs-zfs.html#zfs-send-ssh

The instructions are for FreeBSD, but ZFS and SSH are the same everywhere.
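As an added illustration of the delegation model described above (not code from the zxfer project or from anyone in this thread), the script below builds the `zfs allow` lines for a dedicated sender and receiver account and then checks the text printed by `zfs allow DATASET` for any permission that is still missing. The split of base permissions between the two roles (sender: send, snapshot, destroy for the temporary snapshot; receiver: receive, create, mount, destroy) is an assumption derived from the comments here, and every property the replication sets on the receiving side is passed in as an extra argument, since each one needs its own delegated permission. The account names, dataset names and the sample `zfs allow` output are constructed for the example.

```shell
#!/bin/sh
# Build and verify 'zfs allow' delegations for a zxfer sender/receiver pair.
# Permission names follow zfs(8); the per-role split below is an assumption
# drawn from the thread, not something zxfer itself documents.
SENDER_PERMS="send,snapshot,destroy"
RECEIVER_PERMS="receive,create,mount,destroy"

# zxfer_allow_cmd ROLE USER DATASET [PROP...]
# Prints one 'zfs allow' line granting ROLE's base permissions plus every
# listed property name to USER on DATASET (local + descendants by default).
zxfer_allow_cmd() {
    role=$1; user=$2; dataset=$3; shift 3
    case "$role" in
        sender)   perms=$SENDER_PERMS ;;
        receiver) perms=$RECEIVER_PERMS ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    for p in "$@"; do perms="$perms,$p"; done
    printf 'zfs allow -u %s %s %s\n' "$user" "$perms" "$dataset"
}

# zxfer_missing_perms USER PERMS ALLOW_OUTPUT
# PERMS is a comma-separated list; ALLOW_OUTPUT is the text printed by
# 'zfs allow DATASET'. Prints the permissions USER does not hold (comma
# separated), or nothing when every requested permission is present.
zxfer_missing_perms() {
    user=$1; want=$2; out=$3
    # 'zfs allow' lists each grant as "user NAME perm,perm,..."; collect the
    # permission lists for our user and join them into one comma-delimited string.
    have=$(printf '%s\n' "$out" | awk -v u="$user" '$1=="user" && $2==u {print $3}' | tr '\n' ',')
    missing=""
    for p in $(printf '%s' "$want" | tr ',' ' '); do
        case ",$have," in
            *",$p,"*) ;;
            *) missing="${missing:+$missing,}$p" ;;
        esac
    done
    printf '%s' "$missing"
}

# Constructed sample of what 'zfs allow tank/backup' might print after the
# receiver delegation has been applied (format modelled on zfs(8) output).
SAMPLE_ALLOW_OUTPUT='---- Permissions on tank/backup ----------------------------------------
Local+Descendent permissions:
        user zfs-backup-receiver create,destroy,mount,receive'

# Demo: emit the two delegation lines, then report what the receiver still lacks
# once the replicated properties are taken into account.
zxfer_allow_cmd sender   zfs-backup-sender   tank/data
zxfer_allow_cmd receiver zfs-backup-receiver tank/backup compression mountpoint
echo "receiver is missing: $(zxfer_missing_perms zfs-backup-receiver receive,create,mount,destroy,compression,mountpoint "$SAMPLE_ALLOW_OUTPUT")"
```

Run the printed `zfs allow` lines as root on the respective hosts, then feed the real `zfs allow DATASET` output to `zxfer_missing_perms` to confirm nothing was forgotten; with the sample above it reports `compression,mountpoint`, which is exactly the kind of property grant the comment above says is easy to overlook.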

DarwinAwardWinner commented 7 years ago

So, I discovered that ZFS delegation won't be supported until the next release of ZFS on Linux. I came up with the minimal set of commands to allow via sudoers to allow zxfer to run:

## Allow zfs-backup-sender to execute zxfer-related commands
## through sudo without a password.
##
## Cmnd alias specification
Cmnd_Alias C_ZXFER_SEND = \
  /bin/uname, /bin/uname *, /sbin/zfs "", \
  /sbin/zfs destroy, /sbin/zfs destroy *, \
  /sbin/zfs get, /sbin/zfs get *, \
  /sbin/zfs list, /sbin/zfs list *, \
  /sbin/zfs send, /sbin/zfs send *, \
  /sbin/zfs snapshot, /sbin/zfs snapshot *

zfs-backup-sender ALL = (root) NOPASSWD: C_ZXFER_SEND

This is clearly not ideal since anyone who can log in as the sender account can now run zfs destroy on any filesystem. The snapshot and destroy commands are required to create and then delete a temporary snapshot. If those parts of the script could be made optional, then the sender side of zxfer would be able to run with only get, list, and send commands, all read-only. I think this has value regardless of whether one is using zfs allow or sudoers.