From owner-freebsd-stable@FreeBSD.ORG Wed Oct 22 11:16:27 2008
Message-ID: <78fb9d960810220416u5616d975je141b3816b7eef9b@mail.gmail.com>
Date: Wed, 22 Oct 2008 19:16:25 +0800
From: lhmwzy
To: "Jeremy Chadwick"
In-Reply-To: <20081022110503.GA56254@icarus.home.lan>
References: <78fb9d960810220213l2dfc1b39ja717948c4913c360@mail.gmail.com> <20081022091949.GA53829@icarus.home.lan> <78fb9d960810220354u4a6ac8cy3975c2e309dd6b9a@mail.gmail.com> <20081022110503.GA56254@icarus.home.lan>
Cc: freebsd-stable@freebsd.org
Subject: Re: non-root user can not create zfs filesystem?
List-Id: Production branch of FreeBSD source code

Thanks very much for your reply. I'm very sorry for the last mail; I didn't see the CC was empty, it wasn't deliberate.

2008/10/22 Jeremy Chadwick:
> On Wed, Oct 22, 2008 at 06:54:49PM +0800, lhmwzy wrote:
>> hmm...
>> I transfer data to a remote machine using zfs.
>> for example:
>>
>> #zfs send pool/www@today | ssh -l lhm 10.67.141.80 zfs receive www/102
>>
>> If I log into 10.67.141.80 as a non-root user, it says:
>> cannot receive: permission denied
>> cannot send 'pool/www@today': Broken pipe
>>
>> But logging into a remote machine as root through ssh is not a good idea, right?
>>
>>
>> 2008/10/22 Jeremy Chadwick:
>> > On Wed, Oct 22, 2008 at 05:13:21PM +0800, lhmwzy wrote:
>> >> $zfs create www/lhm
>> >> cannot create 'www/lhm': permission denied
>> >>
>> >> How do I do this, or when can I do this?
>> >
>> > Creating a filesystem is something that can only be done by root. I'm
>> > not sure what gave you the impression non-root users can do this...?
>
> This problem has nothing to do with ZFS, it has to do with SSH.
>
> You need to do a few things for this to work. Here's a very quick way:
>
> 1) Make a public key on the machine you're doing "zfs send" from.
> Run ssh-keygen as root
> 2) Place contents of /root/.ssh/id_rsa.pub in /root/.ssh/authorized_keys
> on 10.67.141.80. Make sure the /root/.ssh directory is perm 0700,
> and authorized_keys is perm 0600.
> 3) On 10.67.141.80, edit /etc/ssh/sshd_config and change this line:
>
> #PermitRootLogin no
>
> ...to:
>
> PermitRootLogin without-password
>
> 4) Send a SIGHUP signal to the master sshd process. This might
> disconnect any existing SSH sessions to the machine:
>
> kill -HUP `cat /var/run/sshd.pid`
>
>
> If you're concerned about what "without-password" does, read the man
> page. It WILL NOT let people SSH into the root account, UNLESS they
> have the private key (on zfs_send_host). That's the ONLY WAY they can
> get in as root.
>
> You may want to secure things down a bit more by editing
> /root/.ssh/authorized_keys on 10.67.141.80 to only allow certain
> commands to be executed (specifically "zfs receive"). You can look on
> Google for how to do this.
>
> Finally, why did you remove the mailing list from the CC list? Now
> no one knows what we've discussed, which isn't good.
>
> --
> | Jeremy Chadwick jdc at parodius.com |
> | Parodius Networking http://www.parodius.com/ |
> | UNIX Systems Administrator Mountain View, CA, USA |
> | Making life hard for others since 1977. PGP: 4BD6C0CB |
>
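A worked version of the hardening Jeremy points at in his last step (restricting the root key on 10.67.141.80 so it can run nothing but "zfs receive"), added here as an example; it is not code from this thread, from Jeremy, or from FreeBSD. It assumes the guard script is installed as /usr/local/bin/zfs-recv-guard on the receiving host, that the only datasets this key may write under are www/ (taken from the www/102 target above), and it uses obvious placeholders for the sending host's address and the key material. The guard is wired in through the command= option of the authorized_keys entry from step 2, so that with PermitRootLogin without-password the holder of that private key still gets no shell and no other zfs subcommand.

```shell
#!/bin/sh
# zfs-recv-guard: forced-command wrapper for an SSH key that may only run
# "zfs receive" into datasets under one prefix. Constructed example, not
# from the mailing-list thread; the script path and the www/ prefix are
# assumptions.

# Datasets the key may write to (assumption: the thread's "www/102" target).
ALLOWED_PREFIX="${ALLOWED_PREFIX:-www/}"

# allowed_zfs_cmd CMD: return 0 only if CMD is exactly
#   zfs receive [-F] <dataset>
# with <dataset> under $ALLOWED_PREFIX and built from safe characters.
allowed_zfs_cmd() {
    cmd=$1
    nl='
'
    # One line only; a second line would be a second command after exec.
    case $cmd in *"$nl"*) return 1 ;; esac
    # Character whitelist: no ; | & $ ` ( ) < > * ? quotes or tabs, so the
    # unquoted expansion in exec below can neither glob nor chain commands.
    printf '%s' "$cmd" | grep -Eq '^[A-Za-z0-9_./ -]+$' || return 1
    # Split into words (globbing is impossible after the whitelist above).
    set -- $cmd
    [ "${1:-}" = "zfs" ] && [ "${2:-}" = "receive" ] || return 1
    shift 2
    # The only option permitted is -F (roll back to the most recent snapshot).
    if [ "${1:-}" = "-F" ]; then shift; fi
    # Exactly one operand may remain: the target dataset.
    [ $# -eq 1 ] || return 1
    target=$1
    case $target in
        "$ALLOWED_PREFIX"*) ;;
        *) return 1 ;;
    esac
    # No option-looking names, parent references, empty components, or a
    # trailing slash (which would mean "the prefix itself").
    case $target in
        -*|*..*|*//*|*/) return 1 ;;
    esac
    return 0
}

# authorized_keys_line PUBKEY: the entry for /root/.ssh/authorized_keys on
# the receiving host. Everything except the forced command is switched off,
# and the key is only accepted from the sending host (placeholder address).
authorized_keys_line() {
    printf 'command="/usr/local/bin/zfs-recv-guard",from="ZFS_SEND_HOST_IP",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}

# When sshd invokes this script as the forced command, the client's requested
# command line arrives in SSH_ORIGINAL_COMMAND; run it only if it passes.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allowed_zfs_cmd "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    printf 'zfs-recv-guard: rejected command: %s\n' "$SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi

# Run without SSH_ORIGINAL_COMMAND (e.g. from a terminal) to print the
# authorized_keys entry for a key (placeholder key material).
authorized_keys_line "ssh-rsa AAAA...PLACEHOLDER... root@zfs_send_host"
```

With this entry in place, the pipeline from the thread works as `zfs send pool/www@today | ssh -l root 10.67.141.80 zfs receive www/102`, while an interactive login, `zfs destroy www/102`, a receive into pool/www, or anything carrying shell metacharacters is refused before it reaches a shell; because sshd passes the client's request as a string in SSH_ORIGINAL_COMMAND rather than executing it, the guard is the only thing deciding what runs under that key.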