Other geli attach and mount for non-root user

Hello!

I am setting up a FreeBSD file server with encrypted storage. The root filesystem is on ZFS and the storage disks are encrypted with GELI with ZFS on top of that.

Now I want to make it easy for both me and my wife to mount the pool using a password after the server boots. I have created a zvol on the zroot pool. This zvol is encrypted with GELI and then has a filesystem created with newfs on top of that. In this filesystem I will store all the keys for the storage disks. I don't have any success with letting non-root users attach this zvol and then mount the filesystem.

I have added this to /etc/sysctl.conf:

Code:
vfs.usermount=1
and this to /etc/devfs.conf:

Code:
# Allow member of priv to mount /dev/zvol/zroot/priv and priv.eli
own     /dev/zvol/zroot/priv    root:priv
perm    /dev/zvol/zroot/priv    0660

When I execute geli attach as a non-root user (member of the priv group) this is the result:

brydling@beta:/priv % geli attach -vv /dev/zvol/zroot/priv
Enter passphrase:
Done.


No /dev/zvol/zroot/priv.eli shows up after this.

If I run the same command as root this is the result:
root@beta:~ # geli attach -vv /dev/zvol/zroot/priv
Enter passphrase:
Attached to /dev/zvol/zroot/priv.
Done.


Now the /dev/zvol/zroot/priv.eli device shows up.

I have verified the permissions on the /dev/zvol/zroot/priv device:
brydling@beta:/priv % ll /dev/zvol/zroot/priv
crw-rw---- 1 root priv 0x76 Jan 14 13:13 /dev/zvol/zroot/priv


Does anyone know why this does not work?

Regards,
Niclas
 
Just my newbie's 2¢ : Doesn't there need to be some /etc/devfs.rules included (with line
devfs_system_ruleset="system" in /etc/rc.conf ) to accomplish Your task?
 
brydling I came across the same issue some time ago and the only solution which I found was adding user to operator group. I don't like that solution as it allows user to shutdown server. In your case it probably won't be an issue (based on your post).
 
Back
Top