How to create a user that only can "zfs receive"

Chris&Patte

Sep 3, 2013
Hello,
I have written a script that every day creates a zfs-snapshot on my VMs and zfs sends incremental snapshots of them via an ssh-tunnel to a host as a form of failsafe offline server.

My problem is that everything runs as root user and the pwds are hardcoded in that script.

I would like to create a dedicated user on the receiving host that only has the permission to "zfs receive" into a dedicated VM-storage (e.g. into rpool/data/vm-100-disk-0 only)

Is that possible at all? Which type of user would I need and which permissions/privileges?


Thanks a lot
 
Hm, seems I had some wrong thoughts.

OK, I understand what you mean. Define on the target host what an OS user can do via ssh-server settings and do not touch Proxmox logic at all.

I had thought to restrict that user via the Proxmox permission system, but that would not work via ssh at all, I guess.

Ok, thank you.
 
I would like to create a dedicated user on the receiving host that only has the permission to "zfs receive"
You may look up how "sudo" works. I am not sure if it is installed by default, but it is definitely available in Debian too.

You can define precisely which commands (including forced parameters) a specific user can do.

## Allow read-only ZoL commands to be called through sudo
## without a password. Remove the first '#' column to enable.
##
## CAUTION: Any syntax error introduced here will break sudo.
##
## Cmnd alias specification
Cmnd_Alias C_ZFS = \
  /sbin/zfs "", /sbin/zfs help *, \
  /sbin/zfs get, /sbin/zfs get *, \
  /sbin/zfs list, /sbin/zfs list *, \
  /sbin/zpool "", /sbin/zpool help *, \
  /sbin/zpool iostat, /sbin/zpool iostat *, \
  /sbin/zpool list, /sbin/zpool list *, \
  /sbin/zpool status, /sbin/zpool status *, \
  /sbin/zpool upgrade, /sbin/zpool upgrade -v
#
## allow any user to use basic read-only ZFS commands
ALL ALL = (root) NOPASSWD: C_ZFS
This specific example works for all users in the group "sudo".
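
The two approaches mentioned in the thread (a sudo rule with fixed arguments, and restricting the account through the SSH server) can be combined into a receive-only account. The following is an added example, not code from any poster or from Proxmox; the account name "zfsrecv" and the wrapper path /usr/local/bin/zfs-recv-only are assumptions, and the dataset is the one named in the question.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: account "zfsrecv",
# wrapper installed as /usr/local/bin/zfs-recv-only.
#
# ~zfsrecv/.ssh/authorized_keys (one line, <PUBLIC-KEY> is a placeholder):
#   restrict,command="/usr/local/bin/zfs-recv-only" ssh-ed25519 <PUBLIC-KEY> backup
#
# /etc/sudoers.d/zfsrecv (edit with "visudo -f"; exact arguments, no wildcards):
#   zfsrecv ALL = (root) NOPASSWD: \
#       /sbin/zfs receive rpool/data/vm-100-disk-0, \
#       /sbin/zfs receive -F rpool/data/vm-100-disk-0

# Space-separated datasets this key may receive into.
ALLOWED_DATASETS="rpool/data/vm-100-disk-0"

# Print the command line to execute for a client request, or return 1.
# The output is built only from constants here, never from the request text.
validate_request() {
    set -f                 # no glob expansion while splitting the request
    set -- $1              # split the request string into words
    set +f
    [ "$1" = "zfs" ] || return 1
    case $2 in
        receive|recv) ;;
        *) return 1 ;;
    esac
    shift 2
    flag=""
    if [ "$1" = "-F" ]; then flag=" -F"; shift; fi
    [ $# -eq 1 ] || return 1
    for ds in $ALLOWED_DATASETS; do
        if [ "$1" = "$ds" ]; then
            printf '%s\n' "/sbin/zfs receive$flag $ds"
            return 0
        fi
    done
    return 1
}

# sshd sets SSH_ORIGINAL_COMMAND to what the client asked for; the forced
# command runs instead of it. Without a request nothing is executed.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if cmd=$(validate_request "$SSH_ORIGINAL_COMMAND"); then
        exec sudo -n $cmd  # unquoted on purpose: words come from the allowlist
    fi
    logger -p auth.warning -t zfs-recv-only "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

With this in place the sending script authenticates with an SSH key instead of a hardcoded root password, and rejected requests show up in the auth log under the tag zfs-recv-only.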
 
