ZFS send/receive as a regular user
Published: 2024-02-02
In some scenarios, you'd rather not have some operations run with elevated privileges. ZFS send/receive typically requires root privileges, but you can grant the necessary privileges to regular, unprivileged users through zfs allow (see the man page).
Sender privileges
The privilege set for the sending user is rather limited:
# zfs allow shania hold,send zpool_two/pictures
Receiver privileges
To receive, you need the following privileges. While the mount privilege might seem unnecessary, it is indeed required to unmount a data set.
# zfs allow shania create,mount,receive,rollback zpool_one/pictures
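To confirm that the delegations above are exactly what was intended and nothing broader, the output of zfs allow for a dataset can be compared against the expected set. The following is an added example, not part of the original post; the function names and the sample output are constructed for illustration, and the parser assumes the usual "user NAME perm,perm,..." lines that zfs allow prints.

```shell
#!/bin/sh
# Added example: audit ZFS delegations against an expected least-privilege set.

# delegated_perms USER
# Reads `zfs allow <dataset>` output on stdin and prints every permission
# delegated to USER as one sorted, comma-separated line. Entries from all
# sections (Local, Descendent, Local+Descendent) are merged.
delegated_perms() {
    awk -v u="$1" '
        $1 == "user" && $2 == u {
            n = split($3, p, ",")
            for (i = 1; i <= n; i++) seen[p[i]] = 1
        }
        END { for (k in seen) print k }
    ' | sort | paste -sd, -
}

# check_delegation USER EXPECTED
# EXPECTED is a comma-separated permission list. Returns 0 only on an exact
# match, so both missing and surplus permissions are reported as a mismatch.
check_delegation() {
    actual=$(delegated_perms "$1")
    expected=$(printf '%s\n' "$2" | tr ',' '\n' | sort | paste -sd, -)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 has exactly: $actual"
        return 0
    fi
    echo "MISMATCH for $1: expected [$expected], found [$actual]" >&2
    return 1
}

# Constructed sample of `zfs allow zpool_one/pictures` output.
sample_receiver() {
    printf '%s\n' \
        '---- Permissions on zpool_one/pictures -------------------------------' \
        'Local+Descendent permissions:' \
        '	user shania create,mount,receive,rollback'
}

# Demo on the constructed sample; on a real host, pipe in the live output:
#   zfs allow zpool_one/pictures | check_delegation shania create,mount,receive,rollback
#   zfs allow zpool_two/pictures | check_delegation shania hold,send
sample_receiver | check_delegation shania create,mount,receive,rollback
```
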
Setting up unprivileged send/receive
With the right privileges set, sending and receiving snapshots is now easy. To allow for unattended syncing, I previously set up a passwordless SSH key, just for the ZFS sync.
$ zfs send -I zpool_two/pictures@snapshot{a,n} | ssh -i .ssh/id_ed25519-someserver_zfs shania@someserver "zfs recv -Fv zpool_one/pictures"
Gotchas
You might see a failed to create mountpoint error upon initial replication. This is because the receiving user has no UNIX (!) mounting privileges. As explained here, there are a few workarounds: either unset the mountpoint:
# zfs set mountpoint=none zpool_two/pictures
Or, if your setup (and security requirements) allow, you can perform the first replication as the root user.