this post was submitted on 05 Oct 2023
2 points (100.0% liked)

Linux

1 readers
2 users here now

founded 2 years ago
 

Hello all. I am using zabbix to monitor my system, and the zabbix agent user is obviously not elevated in any way. I would like to give my zabbix user the ability to run some zfs commands to query information about my pools.

At the moment, if I "zfs status" as my zabbix user (sudo -u zabbix -c 'zfs status'), it returns details on the pools, but in the real details, you can see "permission denied"....

config:

        NAME                                        STATE     READ WRITE CKSUM
        rpool                                       ONLINE       0     0     0
          ata-SAMSUNG_HD161HJ_S14LJA0Q536960-part3  ONLINE       0     0     4
          ata-SAMSUNG_HD161GJ_S1VCJ9FZ318818-part3  ONLINE       0     0     0
errors: List of errors unavailable: permission denied

If I run the same command as root, I get the details.

What zfs permissions do I need to give the zabbix user for this kind of detail, assuming that this is a "zfs allow...." fix? Or is this some other fix?

Thanks

top 2 comments
sorted by: hot top controversial new old
[โ€“] spencer@lemmy.ca 1 points 1 year ago (1 children)

You can create sudoers rules that allow users to run specific commands with root privileges.

Create a file in /etc/sudoers.d with the contents:

zabbix ALL=(ALL:ALL) NOPASSWD: /sbin/zfs status

This will grant the zabbix user the ability to run /sbin/zfs status as root without a password. However, they will need to run the command with sudo. If you want to allow that user to run additional commands, just add them to the end of that line like this:

zabbix ALL=(ALL:ALL) NOPASSWORD: /sbin/zfs status, /sbin/zpool status

[โ€“] leaskovski@kbin.social 1 points 1 year ago

Thats a better way! I didn't realise the sudoers could be restricted to commands! Thanks