ZFS Can unprivileged user create encrypted filesystem?

[jeltoesolnce]

Hello.
Try to create encrypted filesystem as user. Earlier I allow permission:

zfs allow sailorsamoor encryption,create zroot/usr/home/sailorsamoor

But I get this:

temp% zfs create -o encryption=on -o keyformat=passphrase -o keylocation=prompt zroot/usr/home/sailorsamoor/encrypted
Enter new passphrase:
Re-enter new passphrase:
cannot create 'zroot/usr/home/sailorsamoor/encrypted': permission denied
temp%


 

[freejlr]

The create permission requires the mount permission. Have you enabled it? At least in the instruction you shared, no.

create subcommand Must also have the mount ability. Must also have the refreservation ability to create a non-sparse volume.

zfs-allow(8)

 

[T-Daemon]

Grant user mount privileges:

sysctl vfs.usermount=1

Permanently in /etc/sysctl.conf.

Set allow permissions:

zfs allow -u sailorsamoor encryption,load-key,keyformat,keylocation zroot/home/sailorsamoor

load-key to load / unload encryption key of ZFS dataset and mount / umount encrypted dataset.

zfs mount -l <enc_dataset>
zfs umount -u <enc_dataset>

create,destroy,mount,snapshot normally are on by default for user home dataset, when created by adduser(8) (>=13.4, >=14.1).

 

[jeltoesolnce]

Grant user mount privileges:

sysctl vfs.usermount=1

Permanently in /etc/sysctl.conf.

Set allow permissions:

zfs allow -u sailorsamoor encryption,load-key,keyformat,keylocation zroot/home/sailorsamoor/encrypted

load-key to load / unload encryption key of ZFS dataset and mount / umount encrypted dataset.

zfs mount -l <enc_dataset>
zfs umount -u <enc_dataset>

create,destroy,mount,snapshot normally are on by default for user home dataset, when created by adduser(8) (>=13.4, >=14.1).

I did:

# zfs allow -u sailorsamoor create,mount,encryption,load-key,keyformat,keylocation zroot/usr/home/sailorsamoor

What I getting:

temp% zfs umount -u zroot/usr/home/sailorsamoor/encrypted/OneDrive
temp% zfs mount -l zroot/usr/home/sailorsamoor/encrypted/OneDrive
cannot mount 'zroot/usr/home/sailorsamoor/encrypted/OneDrive': Insufficient privileges
temp%

I can mount. Umount I can't.

 

[freejlr]

Do you have a mount point assigned in the dataset?

zfs get mountpoint zroot/usr/home/sailorsamoor/encrypted/OneDrive

What are the values of the ACL properties in your dataset? aclmode, aclinherit. What are the permissions for that mount point? chmod(1) chown(1) setfacl(1)

 

[T-Daemon]

zfs-allow(8) permissions are granted for user "sailorsamoor",

zfs allow -u sailorsamoor create,mount,encryption,load-key,keyformat,keylocation zroot/usr/home/sailorsamoor

but you are logged in as user "temp", who doesn't have privileges to mount those specific encrypted datasets.

temp% zfs mount -l zroot/usr/home/sailorsamoor/encrypted/OneDrive
cannot mount 'zroot/usr/home/sailorsamoor/encrypted/OneDrive': Insufficient privileges

Edit: Privileges to mount at those specific mount points, to be exactly. A user can only mount at a mount point that belongs to the mounting user.

/usr/home/sailorsamoor/encrypted and ../encrypted/OneDrive are owned by user "sailorsamoor". User "temp" can't mount on those mountpoints.