`zfs list` permission denied


`zfs list` permission denied

Shawn Webb-3
I used to be able to run `zfs list` as an unprivileged user. Now I
can't, even when my user is in the operator group.

==== BEGIN LOG ====
hbsd-current-01[shawn]:/home/shawn $ zfs list
Operation not permitted
hbsd-current-01[shawn]:/home/shawn (1) $ id
uid=1001(shawn) gid=1001(shawn) groups=1001(shawn),0(wheel),5(operator)
hbsd-current-01[shawn]:/home/shawn $ ls -l /dev/zfs
crw-rw-rw-  1 root  operator  0x52 Sep 10 10:43 /dev/zfs
==== END LOG ====

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc


Re: `zfs list` permission denied

Ryan Moeller-2

On 9/10/20 12:33 PM, Shawn Webb wrote:

> I used to be able to run `zfs list` as an unprivileged user. Now I
> can't, even when my user is in the operator group.
>
> ==== BEGIN LOG ====
> hbsd-current-01[shawn]:/home/shawn $ zfs list
> Operation not permitted
> hbsd-current-01[shawn]:/home/shawn (1) $ id
> uid=1001(shawn) gid=1001(shawn) groups=1001(shawn),0(wheel),5(operator)
> hbsd-current-01[shawn]:/home/shawn $ ls -l /dev/zfs
> crw-rw-rw-  1 root  operator  0x52 Sep 10 10:43 /dev/zfs
> ==== END LOG ====
>
> Thanks,
>
You probably don't have the zfs module loaded. The commands will try to
load it if it isn't, and that will fail if you aren't root.


-Ryan

_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "[hidden email]"

Re: `zfs list` permission denied

Shawn Webb-3
On Thu, Sep 10, 2020 at 12:46:45PM -0400, Ryan Moeller wrote:

>
> On 9/10/20 12:33 PM, Shawn Webb wrote:
> > I used to be able to run `zfs list` as an unprivileged user. Now I
> > can't, even when my user is in the operator group.
> >
> > ==== BEGIN LOG ====
> > hbsd-current-01[shawn]:/home/shawn $ zfs list
> > Operation not permitted
> > hbsd-current-01[shawn]:/home/shawn (1) $ id
> > uid=1001(shawn) gid=1001(shawn) groups=1001(shawn),0(wheel),5(operator)
> > hbsd-current-01[shawn]:/home/shawn $ ls -l /dev/zfs
> > crw-rw-rw-  1 root  operator  0x52 Sep 10 10:43 /dev/zfs
> > ==== END LOG ====
> >
> > Thanks,
> >
> You probably don't have the zfs module loaded. The commands will try to load
> it if it isn't, and that will fail if you aren't root.
Using root on ZFS:

==== BEGIN LOG ====
hbsd-current-01[shawn]:/scratch/logs (141) $ sudo kldstat
Password:
Id Refs Address                Size Name
 1   15                0x0  2343700 kernel
 2    1                0x0   652cb0 zfs.ko
 3    1                0x0     b778 opensolaris.ko
 4    1                0x0     2a10 mac_ntpd.ko
==== END LOG ====

I think I see the problem with your hint. Prior to the post-ZoL
OpenZFS merge, we had detected whether the user running the command
was non-root and only attempted module load if the user was root. We
do this because we restrict access to kld*/mod* syscalls to root. And,
as you can see from the output above, we scrub sensitive data from
being returned from the kldstat syscall.

I think I just need to re-apply that logic after this OpenZFS merge.
Thanks for the hint! Sometimes I forget having written code from years
back. ;)

Thanks,

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID:          0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9  3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

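The logic both replies describe (probe first, and issue kldload only when running as root, because an unprivileged kldload is what turns "module not loaded" into the misleading "Operation not permitted") as an added example. This is not OpenZFS or HardenedBSD code; it assumes, as the log above suggests, that /dev/zfs exists only while zfs.ko is loaded, so opening the device node is a probe that needs no kld*/mod* syscall. The probe and loader are passed in as function pointers so the decision logic can be exercised with the stubs defined in the block on any system; on FreeBSD the main() uses kldload(2) for real.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/param.h>
#include <sys/linker.h>   /* kldload(2) */
#endif

/* Outcome of trying to make the ZFS kernel module available. */
enum zmod_status {
    ZMOD_PRESENT,      /* device node already usable, nothing to do */
    ZMOD_LOADED,       /* we were root and the loader brought it in */
    ZMOD_NEED_ROOT,    /* not loaded and we are unprivileged: do not try to load */
    ZMOD_LOAD_FAILED   /* root, but loading (or the re-probe) failed */
};

typedef int (*probe_fn)(const char *devpath);   /* 1 if the module is present */
typedef int (*load_fn)(const char *module);     /* 0 on success, -1 with errno set */

/*
 * Probe by opening the device node instead of calling modfind(2)/kldfind(2).
 * Assumption: /dev/zfs is created by zfs.ko, so it is present only while the
 * module is loaded. open(2) needs no kld* syscall, so this works for an
 * unprivileged user even where those syscalls are restricted to root.
 */
int probe_devnode(const char *devpath)
{
    int fd = open(devpath, O_RDWR);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

enum zmod_status ensure_module(const char *devpath, const char *module,
                               uid_t euid, probe_fn probe, load_fn load)
{
    if (probe(devpath))
        return ZMOD_PRESENT;
    /* Only root may load modules. Attempting it as anyone else fails with
     * EPERM and hides the real condition ("module not loaded"). */
    if (euid != 0)
        return ZMOD_NEED_ROOT;
    if (load(module) < 0 && errno != EEXIST)
        return ZMOD_LOAD_FAILED;
    /* Re-probe rather than trusting the loader's return value. */
    return probe(devpath) ? ZMOD_LOADED : ZMOD_LOAD_FAILED;
}

/* Stub probe/loaders (constructed for the demonstration; not real syscalls). */
int fake_loaded = 0;      /* simulated "is zfs.ko loaded" state */
int fake_load_calls = 0;  /* how many times a loader was invoked */

int fake_probe(const char *devpath) { (void)devpath; return fake_loaded; }
int fake_load_ok(const char *module)
{
    (void)module; fake_load_calls++; fake_loaded = 1; return 0;
}
int fake_load_eperm(const char *module)
{
    (void)module; fake_load_calls++; errno = EPERM; return -1;
}

#ifdef __FreeBSD__
int real_load(const char *module) { return kldload(module) < 0 ? -1 : 0; }
#endif

int main(void)
{
    const char *names[] = { "present", "loaded", "need root", "load failed" };
#ifdef __FreeBSD__
    enum zmod_status st = ensure_module("/dev/zfs", "zfs", geteuid(),
                                        probe_devnode, real_load);
#else
    /* Not FreeBSD: simulate an unloaded module and an unprivileged caller
     * (uid 1001, as in the log above). */
    fake_loaded = 0;
    enum zmod_status st = ensure_module("/dev/zfs", "zfs", 1001,
                                        fake_probe, fake_load_ok);
#endif
    printf("zfs module: %s\n", names[st]);
    return (st == ZMOD_PRESENT || st == ZMOD_LOADED) ? 0 : 1;
}
```

The important property is that the unprivileged path never reaches the loader at all: the caller gets ZMOD_NEED_ROOT and can print a message that names the actual problem instead of surfacing the EPERM from a denied kldload.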