On Thu, Sep 10, 2020 at 12:46:45PM -0400, Ryan Moeller wrote:
>
> On 9/10/20 12:33 PM, Shawn Webb wrote:
> > I used to be able to run `zfs list` as an unprivileged user. Now I
> > can't, even when my user is in the operator group.
> >
> > BEGIN LOG
> > hbsd-current-01[shawn]:/home/shawn $ zfs list
> > Operation not permitted
> > hbsd-current-01[shawn]:/home/shawn (1) $ id
> > uid=1001(shawn) gid=1001(shawn) groups=1001(shawn),0(wheel),5(operator)
> > hbsd-current-01[shawn]:/home/shawn $ ls -l /dev/zfs
> > crw-rw-rw- 1 root operator 0x52 Sep 10 10:43 /dev/zfs
> > END LOG
> >
> > Thanks,
> >
> You probably don't have the zfs module loaded. The commands will try to load
> it if it isn't, and that will fail if you aren't root.
Using root on ZFS:
BEGIN LOG
hbsd-current-01[shawn]:/scratch/logs (141) $ sudo kldstat
Password:
Id Refs AddressSize Name
1 150x0 2343700 kernel
210x0 652cb0 zfs.ko
310x0 b778 opensolaris.ko
410x0 2a10 mac_ntpd.ko
END LOG
I think I see the problem with your hint. Prior to the post-ZoL
OpenZFS merge, we had detected whether the user running the command
was non-root and only attempted module load if the user was root. We
do this because we restrict access to kld*/mod* syscalls to root. And,
as you can see from the output above, we scrub sensitive data from
being returned from the kldstat syscall.
I think I just need to re-apply that logic after this OpenZFS merge.
Thanks for the hint! Sometimes I forget having written code from years
back. ;)
Thanks,
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
GPG Key ID: 0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
signature.asc
Description: PGP signature