Problem:
When configuring TrueNAS-to-TrueNAS ZFS replication, the remote replication user must currently have sudo or root-level ZFS permissions.
This creates a built-in security risk:
If the backup system is compromised, an attacker automatically gains destructive access to the source system because the stored replication credentials have far more privileges than required.
There is no way in the GUI to create a safe, limited, send-only replication user.
Current limitation:
The replication wizard and SSH connection dialog require enabling sudo for ZFS commands.
TrueNAS does not expose native ZFS delegation in the GUI, so it is not possible to assign minimal rights such as:
- zfs send only
- no delete or destroy
- no snapshot pruning
This forces users to run replication with overly powerful credentials.
What is missing (two possible solutions):
Option 1: Built-in “Replication User”
TrueNAS provides a dedicated system user that automatically receives send-only privileges for all current and future datasets.
No sudo required.
Key-based auth supported.
The source system remains safe even if the backup system is compromised, because the user can send snapshots but cannot delete them.
Option 2: GUI support for ZFS delegation
Add a GUI interface to assign ZFS administrative permissions per dataset and user, such as send, snapshot, receive, or destroy.
This would allow creating a true least-privilege replication user directly from the UI.
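As an added illustration (not part of this request or of TrueNAS itself), the CLI form of the least-privilege delegation Option 2 describes, plus a check that the resulting grant stays send-only; the user name repl and dataset tank/backup are assumptions, and the sample zfs allow output is constructed:

```shell
#!/bin/sh
# Added example: send-only ZFS delegation via `zfs allow`, and an audit of the
# effective grant. "repl" and "tank/backup" are assumed names, not TrueNAS defaults.

# The only permissions a send-only replication user should hold. Without
# "destroy", the user cannot delete snapshots or datasets on the source.
SAFE_PERMS="send,snapshot"

# Print the command that grants send-only rights to a user on a dataset.
# `zfs allow` applies to the dataset and its descendants by default, so
# child datasets created later inherit the same limited grant.
delegation_cmds() {
    user="$1"; dataset="$2"
    printf 'zfs allow -u %s %s %s\n' "$user" "$SAFE_PERMS" "$dataset"
}

# Audit the text produced by `zfs allow <dataset>`: return 1 if the given
# user holds any permission that can destroy or rewrite data on the source.
# Expected line shape: "\tuser repl send,snapshot"
audit_allow_output() {
    user="$1"; allow_text="$2"
    perms=$(printf '%s\n' "$allow_text" \
        | awk -v u="$user" '$1 == "user" && $2 == u { print $3 }' \
        | tr ',' '\n' | sort -u)
    for p in $perms; do
        case "$p" in
            destroy|receive|rename|rollback|promote) return 1 ;;
        esac
    done
    return 0
}
```

Run the printed command on the source system, then pipe the real `zfs allow tank/backup` output into audit_allow_output to confirm no destructive permission crept in.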
Why this matters:
Any replication setup currently exposes the source system to destructive access if the system holding the replication credentials is compromised.
A non-root, send-only replication user that can be configured in the GUI would close this vulnerability and align replication with standard least-privilege security practices.
I am aware that this can already be solved entirely via CLI, but through the GUI it is currently insecure by design.