
Allow destroying snapshots without allowing destroying datasets

Status: Open. ryantrinkle opened this issue 8 months ago • 2 comments

Describe the feature you would like to see added to OpenZFS

I use syncoid to pull backups from my computers. Each machine has a backup user, who gets these rights: bookmark,hold,send,snapshot,destroy,mount. However, granting destroy rights on the filesystems meant to be backed up is a bit dangerous. It would be nice to remove that permission. Ideally, the backup account should only be allowed to destroy snapshots that it itself has created.

Here are two concrete changes that I believe would enable this:

  1. Change allow permissions so that they can apply to snapshots separately from datasets.
  2. Add an option to zfs snapshot that, when making the snapshot, also grants the creating user the destroy permission on that snapshot.

How will this feature improve OpenZFS?

Backing up a dataset should not require the ability to destroy the dataset. Granting that permission increases the risk of accidental or malicious destruction triggered by backup scripts. The changes proposed here would allow backups to be made without needing any dangerous permissions.

ryantrinkle, Apr 26 '25 16:04

As a workaround one can zfs hold a snapshot while not allowing zfs release to the user running the backup script.

GregorKopka, Apr 28 '25 06:04
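The hold-based workaround from the comment above, as an added example that is not from the thread or from OpenZFS itself: the backup user gets the issue's permission list minus destroy (and without release), an administrator holds each snapshot, and a helper checks a `zfs allow` listing for a stray destroy grant. The pool, dataset, user and hold-tag names are assumptions; DRY_RUN=1 prints the zfs commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the issue or from OpenZFS.
# Assumed names for illustration; override them via the environment.
POOL="${POOL:-tank}"
DATASET="${DATASET:-$POOL/home}"
BACKUP_USER="${BACKUP_USER:-backup}"
HOLD_TAG="${HOLD_TAG:-backup-keep}"
DRY_RUN="${DRY_RUN:-0}"

# Run a zfs command, or with DRY_RUN=1 print it instead of executing it.
zfs_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'zfs %s\n' "$*"
    else
        zfs "$@"
    fi
}

# Delegate only what a pull backup (zfs send) needs: the rights listed in the
# issue without destroy. release is deliberately absent, so the backup user
# cannot lift a hold placed by the administrator.
grant_backup_rights() {
    zfs_cmd allow -u "$BACKUP_USER" bookmark,hold,send,snapshot,mount "$DATASET"
}

# Revoke destroy if it was delegated earlier.
revoke_destroy() {
    zfs_cmd unallow -u "$BACKUP_USER" destroy "$DATASET"
}

# Hold a snapshot (run as the administrator). While the hold exists,
# zfs destroy of that snapshot fails until the tag is released.
hold_snapshot() {
    zfs_cmd hold -r "$HOLD_TAG" "$DATASET@$1"
}

# Audit helper: read 'zfs allow <dataset>' output on stdin and succeed (exit 0)
# if the backup user's permission line still contains destroy.
delegation_grants_destroy() {
    grep -qE "^[[:space:]]*user $BACKUP_USER[[:space:]].*(^|,)destroy(,|$)"
}

# Typical use (as the administrator):
#   grant_backup_rights && revoke_destroy
#   hold_snapshot autosnap_2025-04-26
#   zfs allow "$DATASET" | delegation_grants_destroy && echo "destroy still delegated"
```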

@GregorKopka Ah, ok! I guess that would prevent deletion of the underlying mutable dataset because it can't be deleted until all snapshots are deleted?

ryantrinkle, May 28 '25 09:05

Related:

  • #9522

almereyda, Oct 27 '25 22:10