Browse files

Honor user namespace privileges with zfs unallow

Regular users can only remove permissions from themselves in
addition to requiring the allow permission to do so. It
makes more sense for privileged users in a user namespace
to be able to manage permissions of all users of that
Thus, when the user has CAP_SYS_ADMIN in their current
namespace, use the same check as for 'zfs allow' instead.

Signed-off-by: Wolfgang Bumiller <>
  • Loading branch information...
Blub committed Nov 7, 2017
1 parent 0c8e0ee commit f77c4225ffa120120247dfba7c048a42391abd2f
@@ -3094,6 +3094,7 @@ zfs_ioc_set_fsacl(zfs_cmd_t *zc)
int error;
nvlist_t *fsaclnv = NULL;
cred_t *cr;
if ((error = get_nvlist(zc->zc_nvlist_src, zc->zc_nvlist_src_size,
zc->zc_iflags, &fsaclnv)) != 0)
@@ -3124,14 +3125,26 @@ zfs_ioc_set_fsacl(zfs_cmd_t *zc)
* the nvlist(s)
error = secpolicy_zfs(CRED());
cr = CRED();
error = secpolicy_zfs(cr);
if (error != 0) {
if (zc->zc_perm_action == B_FALSE) {
uint64_t action = zc->zc_perm_action;
* In user namespaces fsacl_map_user_ns already errored if the
* user ids aren't mappable, and when we're privileged within
* our user namespace use the same check for unallow as for
* allow.
#if defined(CONFIG_USER_NS) && defined(HAVE_CRED_USER_NS)
if (ns_capable(cr->user_ns, CAP_SYS_ADMIN))
action = B_FALSE;
if (action == B_FALSE) {
error = dsl_deleg_can_allow(zc->zc_name,
fsaclnv, CRED());
fsaclnv, cr);
} else {
error = dsl_deleg_can_unallow(zc->zc_name,
fsaclnv, CRED());
fsaclnv, cr);
@@ -25,3 +25,4 @@ export USER_TESTFS=$TESTPOOL/$TESTFS/user
export STAFF_USER=zfsusr
export STAFF_GROUP=zfsgrp
export OUTSIDE_UID=5000
@@ -65,6 +65,14 @@ log_mustnot chg_usr_exec $STAFF_USER zfs set ${perm}=${perm_state_2} $USER_TESTF
# make sure the staff user *inside* the user namespace functions as expected
log_must user_ns_exec chg_usr_exec $STAFF_USER zfs set ${perm}=${perm_state_2} $USER_TESTFS
log_must user_ns_exec zfs unallow $STAFF_USER ${perm} $USER_TESTFS
# Negative check: Allow an arbitrary user to access the dataset.
# Root in a user namespace which does not have the id mapped should not be
# able to remove the permission.
log_must zfs allow -u $OUTSIDE_UID ${perm},allow $USER_TESTFS
log_must user_ns_exec zfs unallow $OUTSIDE_UID ${perm} $USER_TESTFS
log_must zfs destroy -r $USER_TESTFS
log_pass "Check user mapping in user namespaces"

0 comments on commit f77c422

Please sign in to comment.