[OpenIndiana-discuss] zfs snapshot script

Gregory Youngblood gregory at youngblood.me
Sun May 1 20:49:32 UTC 2011


On May 1, 2011, at 1:34 PM, Jamon Camisso wrote:

> On 05/01/2011 02:10 PM, Dan Swartzendruber wrote:
>> 
>> Can zfssnap role be restricted to specific filesystems?  If not, I'd be
>> concerned about allowing too much power...
> 
> If that's an issue (I have no idea, haven't investigated), one option
> would be to match users in sshd_config and use the ForceCommand
> directive to limit access to a particular script that would run the
> snapshot command(s).
> 
> That is one way to achieve the intended functionality while limiting the
> remote backup user to running a single command or script on backup
> completion.
> 

Another option, if using sudo, is the sudoers file to restrict the commands and options the user is allowed to run. What I don't know off the top of my head is how well that will work if you want to use date-based snapshot names that will change from one run to the next. For that reason your best bet is probably as Jamon suggested and use specific scripts and restrict the user to just those either through ssh or sudo options.
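
A sketch of the restricted wrapper script discussed in this thread, added here as an example and not code posted by anyone on the list. The user name, script path, dataset allow-list and zfs binary path are assumptions; the script builds the date-based snapshot name itself, so the client only ever supplies a dataset name.

```shell
#!/bin/sh
# Added example: wrapper meant to be the only command a backup user can run.
# Assumed sshd_config stanza (user name and script path are hypothetical):
#   Match User zfssnap
#       ForceCommand /usr/local/sbin/snap-wrapper.sh
# A sudoers rule can name this script instead of zfs itself, so the changing
# date-based snapshot name never has to appear in sudoers.

# Hypothetical allow-list: the only datasets this user may snapshot.
ALLOWED_DATASETS="tank/backup/host1 tank/backup/host2"
ZFS_BIN="${ZFS_BIN:-/usr/sbin/zfs}"   # assumed path; override for testing

# Succeeds only if $1 is exactly one of the allow-listed dataset names.
is_allowed_dataset() {
    for ds in $ALLOWED_DATASETS; do
        if [ "$1" = "$ds" ]; then return 0; fi
    done
    return 1
}

# The snapshot name is generated here, never taken from the client.
snapshot_name() {
    printf '%s@backup-%s' "$1" "$(date -u +%Y%m%d-%H%M%S)"
}

# Treat the client's requested command as data: a single dataset name.
run_snapshot() {
    requested="$1"
    case "$requested" in
        ''|*[!A-Za-z0-9/_.-]*) echo "rejected: malformed request" >&2; return 2 ;;
    esac
    if ! is_allowed_dataset "$requested"; then
        echo "rejected: dataset not permitted" >&2
        return 3
    fi
    "$ZFS_BIN" snapshot "$(snapshot_name "$requested")"
}

# sshd puts whatever the client asked to run in SSH_ORIGINAL_COMMAND.
# With no request (for example an interactive login) nothing is executed.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_snapshot "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

With this in place the remote side would run something like `ssh zfssnap@host tank/backup/host1` on backup completion; anything other than an allow-listed dataset name is refused before zfs is invoked.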



