Ric Aleshire wrote:
> Glenn Faden wrote:
>> Ric Aleshire wrote:
>>> Tim Haley wrote:
>>>
>>>> Will you allow label setting to be delegated (i.e, 'zfs allow')?
>>>> All other properties support this.
>>>
>>> I don't have a final answer for this now. My initial reaction is "no
>>> delegation", but I want to verify if there are indeed
>>> special security considerations based on the MAC (mandatory access)
>>> nature of this property. This differs from
>>> DAC properties which are discretionary and can be modified by general
>>> users. I'll get back on this one.
>>>
>> I don't see a problem with delegation as long as the same restrictions
>> apply to the delegate as to the dataset owner.
>>
>> --Glenn
>
> Ah, I may have misunderstood that part of zfs(1M):
>
>     zfs allow [-ld] -e perm|@setname[,...] filesystem|volume
>
>         Delegates ZFS administration permission for the file
>         systems to non-privileged users.
>
> But I agree that so long as the privileges mentioned in the case are
> enforced on delegates, this property will
> support delegation. In that case an additional delta to zfs(1M) will be
> needed and described in the case.
>

That would be inconsistent with the model we use for other delegations,
being "allow"ed to do something is the same as if the privilege were granted.

-tim