On Thu, Sep 10, 2020 at 12:46:45PM -0400, Ryan Moeller wrote: > > On 9/10/20 12:33 PM, Shawn Webb wrote: > > I used to be able to run `zfs list` as an unprivileged user. Now I > > can't, even when my user is in the operator group. > > > > ==== BEGIN LOG ==== > > hbsd-current-01[shawn]:/home/shawn $ zfs list > > Operation not permitted > > hbsd-current-01[shawn]:/home/shawn (1) $ id > > uid=1001(shawn) gid=1001(shawn) groups=1001(shawn),0(wheel),5(operator) > > hbsd-current-01[shawn]:/home/shawn $ ls -l /dev/zfs > > crw-rw-rw- 1 root operator 0x52 Sep 10 10:43 /dev/zfs > > ==== END LOG ==== > > > > Thanks, > > > You probably don't have the zfs module loaded. The commands will try to load > it if it isn't, and that will fail if you aren't root. Using root on ZFS: ==== BEGIN LOG ==== hbsd-current-01[shawn]:/scratch/logs (141) $ sudo kldstat Password: Id Refs Address Size Name 1 15 0x0 2343700 kernel 2 1 0x0 652cb0 zfs.ko 3 1 0x0 b778 opensolaris.ko 4 1 0x0 2a10 mac_ntpd.ko ==== END LOG ==== I think I see the problem with your hint. Prior to the post-ZoL OpenZFS merge, we had detected whether the user running the command was non-root and only attempted module load if the user was root. We do this because we restrict access to kld*/mod* syscalls to root. And, as you can see from the output above, we scrub sensitive data from being returned from the kldstat syscall. I think I just need to re-apply that logic after this OpenZFS merge. Thanks for the hint! Sometimes I forget having written code from years back. ;) Thanks, -- Shawn Webb Cofounder / Security Engineer HardenedBSD GPG Key ID: 0xFF2E67A277F8E1FA GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2 https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:25 UTC