What are the minimum necessary permissions for non-root remote replication?

Hello! I’m going through the process of deactivating the root account on my 25.04.2.4 box, recently updated from Core. All has gone well, but I’m scratching my head about the best way to delegate permissions to enable remote replication. Currently I have the task set up as follows:

  • The truenas_admin user on the source machine is allowed to execute /sbin/zfs with passwordless sudo.
  • “Use Sudo For ZFS Commands” is set for each relevant replication task on the destination machine.
  • The destination machine uses the truenas_admin user to log in.

This works, but gives the admin user permission to use all ZFS commands with passwordless sudo, including zfs destroy. Is there a way to delegate these permissions in a more fine-grained way? If possible I’d like to use zfs allow to do this, but I’m not sure what permissions are required to make this work.

Not sure if this will work as admin will always be an admin elevated account.

 zfs allow target-Admin mount,create,receive tank2/target

I am still using root as I have too much data at stake and not enough room for a replicate from scratch if I screw up.

1 Like

Personally I’d use a different user than truenas_admin if you’re going to this effort.

You shouldn’t need anything other than zfs allow.

Whether you are using PULL or PUSH replication determines whether you need to allow send or receive for your user. I prefer PULL, creating the replication user on the source machine and allowing them send permissions. This also means the user only needs zfs allow send, as snapshot pruning happens on the destination end.

Your new user will need a home directory to store keys and a shell. Make sure this user has password disabled and has no other privileges.

This way giving user access to /sbin/zfs is not required and when prompted for “Use Sudo For ZFS Commands” just click cancel.

2 Likes

Thanks for your help! For posterity, creating a minimally privileged user, granting zfs send permissions on the relevant pools, swapping the user on the ssh connection, and disabling the “Use Sudo For ZFS Commands” checkbox works! Appreciate everyone’s help, though I do wish this was better documented.

1 Like
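The two posts above (the PULL/PUSH advice and the summary of what finally worked) describe one procedure: create a locked-down account, delegate only the ZFS permission the direction needs with zfs allow, and run the task without “Use Sudo For ZFS Commands”. The script below is an added example, not code from the thread or from TrueNAS. The user name replicator and the datasets tank/data (PULL source) and tank2/backup (PUSH destination) are hypothetical; the PUSH permission set is the one quoted in the earlier reply. It also checks the effective delegation afterwards, so you can confirm the account has send (or receive) and nothing like destroy.

```shell
#!/bin/sh
# Added example, not from the thread: delegate the minimum ZFS permissions a
# dedicated replication user needs and verify the grant. Names are
# hypothetical: user "replicator", PULL source dataset "tank/data",
# PUSH destination dataset "tank2/backup".
set -u
ZFS="${ZFS:-zfs}"   # override (e.g. ZFS="echo zfs") for a dry run

# Permission set per direction. PULL: the destination logs in to the
# source, which only has to 'send'. PUSH: the source logs in to the
# destination, which has to 'receive' and, for new datasets, 'create' and
# 'mount' (the set shown in the earlier reply).
perms_for() {
  case "$1" in
    pull) echo "send" ;;
    push) echo "receive,create,mount" ;;
    *) echo "unknown direction: $1" >&2; return 1 ;;
  esac
}

# Dedicated account: home directory for the SSH key, a shell so sshd can
# run zfs, and a locked password so only key authentication works.
create_replication_user() {
  useradd -m -s /bin/sh "$1" && passwd -l "$1"
}

# 'zfs allow -u' without -l/-d applies to the dataset and its descendants,
# so one grant covers every child dataset the replication task touches.
grant_replication_perms() {  # user perms dataset
  "$ZFS" allow -u "$1" "$2" "$3"
}

revoke_replication_perms() {  # user perms dataset
  "$ZFS" unallow -u "$1" "$2" "$3"
}

# Check the effective delegation instead of trusting the grant:
# 'zfs allow <dataset>' lists lines such as "user replicator send" or
# "user replicator create,mount,receive". Exit 0 if the permission is listed.
has_permission() {  # user perm dataset
  "$ZFS" allow "$3" | grep -Eq "^[[:space:]]*user $1 (.*,)?$2(,.*)?\$"
}

# Confirm every requested permission is visible and that a destructive one
# ('destroy') did not leak in through an earlier, broader grant.
verify_least_privilege() {  # user perms dataset
  for p in $(echo "$2" | tr ',' ' '); do
    has_permission "$1" "$p" "$3" || { echo "missing: $p on $3" >&2; return 1; }
  done
  if has_permission "$1" destroy "$3"; then
    echo "refusing: $1 may destroy $3" >&2; return 1
  fi
}

# Full setup for one direction: account, grant, verification.
setup_replication_user() {  # direction user dataset
  perms=$(perms_for "$1") || return 1
  create_replication_user "$2" || return 1
  grant_replication_perms "$2" "$perms" "$3" || return 1
  verify_least_privilege "$2" "$perms" "$3"
}

# Usage: sh delegate.sh pull tank/data   |   sh delegate.sh push tank2/backup
case "${1:-}" in
  pull|push) setup_replication_user "$1" replicator "${2:-tank/data}" ;;
esac
```

Run it as root once per machine that the SSH connection lands on, then point the replication task's SSH credential at the new account and cancel the “Use Sudo For ZFS Commands” prompt, as the thread describes. The working configuration in the thread was PULL with send only; the PUSH set is included for comparison with the earlier reply.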

Excellent, thanks for the feedback and glad you got it all working.

Agreed about this process being undocumented but officially this isn’t a standard way of setting up replication in TrueNAS although I could see it becoming standard in the future for this zero trust world we live in.