Permission delegation doesn't appear to work on parent - but on grandparent dataset

I’m trying to allow user foo to run zfs create -o mountpoint=none tank/foo-space/test.

tank/foo-space exists and I allowed create using zfs allow -u foo create tank/foo-space.

I’ve checked delegated permissions using zfs allow tank/foo-space.

However, running the above zfs create command fails with permission denied. BUT if I allow create on tank, it works! (zfs allow -u foo create tank).

Can someone explain this to me? Also, how can I fix this and prevent foo from creating datasets like tank/outside-foo-space?

I’m running ZFS on Ubuntu:

# zfs --version
zfs-2.2.2-0ubuntu9.1
zfs-kmod-2.2.2-0ubuntu9

(Crossposted on Reddit here https://www.reddit.com/r/zfs/comments/1k7412a/permission_delegation_doesnt_appear_to_work_on/ )

I messed up with some of the commands above and most likely gave mount permission on tank and didn’t give it on tank/foo-space.
According to ZFS documentation, mount is a dependency of create, which would explain the behaviour I encountered - regardless of mountpoint=none or not (at least I think so).

This is correct. Glad you got it sorted!

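A check for the state resolved in this thread, as an added example that is not part of the original posts: it reads `zfs allow <dataset>` output and reports whether a user holds both create and mount on the parent dataset. The helper name `missing_perms` and the two sample outputs are constructed for illustration, and permission sets (`@name`) are assumed not to be in use.

```shell
#!/bin/sh
# Added example: report which required permissions a user lacks, given
# `zfs allow <dataset>` output on stdin. Live use (command from the thread):
#   zfs allow tank/foo-space | missing_perms foo create mount
# Remediation if "mount" is reported, scoped to the parent only:
#   zfs allow -u foo create,mount tank/foo-space

# Constructed sample: create delegated without mount (the failing state).
SAMPLE_BROKEN='---- Permissions on tank/foo-space ----------------------------
Local+Descendent permissions:
	user foo create'

# Constructed sample: both permissions delegated on the parent only.
SAMPLE_FIXED='---- Permissions on tank/foo-space ----------------------------
Local+Descendent permissions:
	user foo create,mount'

# missing_perms USER PERM... (hypothetical helper name)
# Prints the PERMs not granted to USER, space separated; empty if none.
# Assumption: permission sets (@name) are not expanded.
missing_perms() {
    user=$1; shift
    # Collect the comma-separated permission list from every "user USER" line.
    granted=$(awk -v u="$user" '$1 == "user" && $2 == u { print $3 }' | tr ',' '\n')
    missing=""
    for p in "$@"; do
        printf '%s\n' "$granted" | grep -qx -- "$p" || missing="$missing $p"
    done
    printf '%s' "${missing# }"
}

printf 'create only : missing [%s]\n' \
    "$(printf '%s\n' "$SAMPLE_BROKEN" | missing_perms foo create mount)"
printf 'create,mount: missing [%s]\n' \
    "$(printf '%s\n' "$SAMPLE_FIXED" | missing_perms foo create mount)"
```

Running the same check against `zfs allow tank` confirms that foo holds nothing on the pool root, which is what keeps datasets like tank/outside-foo-space out of reach.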