Feature: `zfs allow send-raw` for raw/encrypted sends only
Describe the feature you would like to see added to OpenZFS
Add a new delegable permission `send-raw` to allow some user/group to send dataset snapshots, but only in their raw/encrypted form.
How will this feature improve OpenZFS?
Currently, `zfs allow send` allows some user/group to send an encrypted dataset in both its encrypted and decrypted forms. Allowing the latter is not always desirable.
For example, one might want to set up pull-mode backups without the backup host being able to access the content of the dataset. For this, the pull user should not be allowed to do non-raw sends.
Additional context
A workaround is to have `zfs send --raw` in a script and have the backup user call only that wrapper, through setuid or sudo. This integrates badly with existing ZFS-based backup tools.
I'm really surprised this isn't easily possible right now. Basically it means that if I don't want to trust the backup host, I must use a push configuration. In my case I'd like to use pull because my local backup host is not in my DMZ, but I also don't want to have to protect the backup host and just make it never decrypt the data.
Anyone using the wrapper script workaround with resumable sends should probably note the following issue: "Security: Resume tokens can send anything." (#14153)
Adding an explicit --raw option when resuming a send can guard against malicious tokens as far as unintentional decryption is concerned.
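The wrapper-script workaround from the issue body, combined with the explicit `--raw`-on-resume advice from the comment above, as an added example that is not from the issue or from the OpenZFS project. It assumes the backup user may only pull snapshots under `tank/backup/`, that `zfs` lives at `/sbin/zfs`, and that a sudoers entry lets that user run only this script; the snapshot-name and token character checks are this example's own, not anything ZFS enforces.

```shell
#!/bin/sh
# zfs-send-raw: hypothetical wrapper that is the only command the backup user
# may run, e.g. via sudoers (assumed): backup ALL=(root) NOPASSWD: /usr/local/sbin/zfs-send-raw
# Every code path ends in `zfs send --raw`, including resuming from a token.
set -eu

ZFS_BIN="${ZFS_BIN:-/sbin/zfs}"                    # assumption: zfs location
ALLOWED_PREFIX="${ALLOWED_PREFIX:-tank/backup/}"   # assumption: datasets the user may pull

# Accept only <prefix>...@<snap> made of safe characters, so a caller cannot
# smuggle extra flags, whitespace or another dataset into the command line.
check_snapshot() {
    case "$1" in
        "$ALLOWED_PREFIX"*@*) ;;
        *) echo "refused: '$1' is not a snapshot under $ALLOWED_PREFIX" >&2; return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9_./:@-]*) echo "refused: bad characters in '$1'" >&2; return 1 ;;
    esac
}

# Print the zfs argument list for a raw send on one line, or fail.
#   build_send_args <snapshot>              full raw send
#   build_send_args -i <from> <snapshot>    incremental raw send
#   build_send_args -t <resume-token>       resume, --raw forced (see #14153)
build_send_args() {
    case "${1:-}" in
        -t) [ $# -eq 2 ] || { echo "usage: -t <token>" >&2; return 2; }
            case "$2" in *[!A-Za-z0-9-]*) echo "refused: bad token" >&2; return 1 ;; esac
            # The token is opaque here; an explicit --raw makes zfs reject a
            # token that describes a decrypted stream instead of honouring it.
            echo "send --raw -t $2" ;;
        -i) [ $# -eq 3 ] || { echo "usage: -i <from> <snapshot>" >&2; return 2; }
            check_snapshot "$2" && check_snapshot "$3" || return 1
            echo "send --raw -i $2 $3" ;;
        *)  [ $# -eq 1 ] || { echo "usage: <snapshot>" >&2; return 2; }
            check_snapshot "$1" || return 1
            echo "send --raw $1" ;;
    esac
}

# With no arguments the script only defines the functions above; otherwise it
# builds the argument list and hands off to zfs without re-parsing user text.
if [ $# -gt 0 ]; then
    args=$(build_send_args "$@") || exit $?
    set -- $args   # safe to word-split: every field was validated above
    exec "$ZFS_BIN" "$@"
fi
```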