How to create a user that only can "zfs receive"

Chris&Patte

Renowned Member
Sep 3, 2013
Hello,
I have written a script that every day creates a zfs snapshot on my VMs and zfs sends incremental snapshots of them via an ssh tunnel to a host as a form of failsafe offline server.

My problem is that everything runs as root user and the pwds are hardcoded in that script.

I would like to create a dedicated user on the receiving host that only has the permission to "zfs receive" into a dedicated VM storage (e.g. into rpool/data/vm-100-disk-0 only).

Is that possible at all? Which type of user would I need and which permissions/privileges?


Thanks a lot
 
Hm, seems I had some wrong thoughts.

OK, I understand what you mean. Define on the target host what an OS user can do via ssh-server settings and do not touch Proxmox logic at all.

I had thought to restrict that user via the Proxmox permission system, but that would not work via ssh at all, I guess.

Ok, thank you.
 
> I would like to create a dedicated user on the receiving host that only has the permission to "zfs receive"

You may look up how "sudo" works. I am not sure if it is installed by default but it is definitely available in Debian too.

You can define precisely which commands (including forced parameters) a specific user can do.

```
## Allow read-only ZoL commands to be called through sudo
## without a password. Remove the first '#' column to enable.
##
## CAUTION: Any syntax error introduced here will break sudo.
##
## Cmnd alias specification
Cmnd_Alias C_ZFS = \
  /sbin/zfs "", /sbin/zfs help *, \
  /sbin/zfs get, /sbin/zfs get *, \
  /sbin/zfs list, /sbin/zfs list *, \
  /sbin/zpool "", /sbin/zpool help *, \
  /sbin/zpool iostat, /sbin/zpool iostat *, \
  /sbin/zpool list, /sbin/zpool list *, \
  /sbin/zpool status, /sbin/zpool status *, \
  /sbin/zpool upgrade, /sbin/zpool upgrade -v
#
## allow any user to use basic read-only ZFS commands
ALL ALL = (root) NOPASSWD: C_ZFS
```
This specific example works for all users in the group "sudo".
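
The combination this thread arrives at (a sudo rule with fixed arguments plus SSH server-side restrictions on the receiving host), as an added example that is not part of the original posts. The account name `zfsrecv`, the wrapper path `/usr/local/bin/zfs-recv-only` and the exact receive arguments are assumptions; the dataset is the one named in the question.

```shell
#!/bin/sh
# Added example: SSH forced-command wrapper for the receiving host.
# Assumed names (not from the thread): user "zfsrecv", this file installed
# as /usr/local/bin/zfs-recv-only.
#
# /etc/sudoers.d/zfsrecv (edit with "visudo -f"); arguments are fixed, so
# sudo refuses any other zfs subcommand, flag or dataset:
#   zfsrecv ALL = (root) NOPASSWD: /sbin/zfs receive rpool/data/vm-100-disk-0
#
# ~zfsrecv/.ssh/authorized_keys (key material is a placeholder):
#   restrict,command="/usr/local/bin/zfs-recv-only" ssh-ed25519 <PUBLIC-KEY> sender

ALLOWED_DATASET="rpool/data/vm-100-disk-0"

# Return 0 only if the command requested by the SSH client is exactly the
# permitted receive. Other datasets, extra flags, other subcommands and
# anything appended after the dataset are rejected.
is_allowed() {
    case "$1" in
        "zfs receive $ALLOWED_DATASET" | "zfs recv $ALLOWED_DATASET") return 0 ;;
        *) return 1 ;;
    esac
}

run_forced_command() {
    if is_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        # Fixed argv: no client-supplied text reaches a shell or zfs.
        # The snapshot stream arrives on stdin from the sending side.
        exec sudo -n /sbin/zfs receive "$ALLOWED_DATASET"
    fi
    # Leave a trace for the admin, then refuse.
    logger -t zfs-recv-only "rejected: ${SSH_ORIGINAL_COMMAND:-<none>}" 2>/dev/null || true
    echo "zfs-recv-only: command not permitted" >&2
    exit 1
}

# Act only when started under the installed name (as sshd does for a
# forced command), so the functions above can be sourced and tested.
case "$0" in
    */zfs-recv-only) run_forced_command ;;
esac
```

With this in place the sending script can authenticate with a dedicated key instead of a root password, and if additional receive flags are needed they have to be added identically in the sudoers rule, the wrapper and the sender's command.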