Allow destroying snapshots without allowing destroying datasets

[ryantrinkle]

Describe the feature would like to see added to OpenZFS

I use syncoid to pull backups from my computers. Each machine has a backup user, who gets these rights: bookmark,hold,send,snapshot,destroy,mount. However, granting destroy rights on the filesystems meant to be backed up is a bit dangerous. It would be nice to remove that permission. Ideally, the backup account should only be allowed to destroy snapshots that it itself has created.

Here are two concrete changes that I believe would enable this:

1. Change allow permissions so that they can apply to snapshots separately from datasets.
2. Add an option to zfs snapshot that, when making the snapshot, also grants the creating user the destroy permission on that snapshot.

How will this feature improve OpenZFS?

Backing up a dataset should not require the ability to destroy the dataset. Granting that permission increases the risk of accidental or malicious destruction triggered by backup scripts. The changes proposed here would allow backups to be made without needing any dangerous permissions.

[GregorKopka]

As a workaround one can zfs hold a snapshot while not allowing zfs release to the user running the backup script.

[ryantrinkle]

@GregorKopka Ah, ok! I guess that would prevent deletion of the underlying mutable dataset because it can't be deleted until all snapshots are deleted?

[almereyda]

Potentially a duplicate of

• Ability to specify type to 'zfs destroy` #9522