Hello all. I am using zabbix to monitor my system, and the zabbix agent user is obviously not elevated in any way. I would like to give my zabbix user the ability to run some zfs commands to query information about my pools.
At the moment, if I "zfs status" as my zabbix user (sudo -u zabbix -c 'zfs status'), it returns details on the pools, but in the real details, you can see "permission denied"....
config:
NAME STATE READ WRITE CKSUM
rpool ONLINE 0 0 0
ata-SAMSUNG_HD161HJ_S14LJA0Q536960-part3 ONLINE 0 0 4
ata-SAMSUNG_HD161GJ_S1VCJ9FZ318818-part3 ONLINE 0 0 0
errors: List of errors unavailable: permission denied
If I run the same command as root, I get the details.
What zfs permissions do I need to give the zabbix user for this kind of detail, assuming that this is a "zfs allow...." fix? Or is this some other fix?
You can create sudoers rules that allow users to run specific commands with root privileges.
Create a file in /etc/sudoers.d with the contents:
zabbix ALL=(ALL:ALL) NOPASSWD: /sbin/zfs status
This will grant the zabbix user the ability to run /sbin/zfs status as root without a password. However, they will need to run the command with sudo. If you want to allow that user to run additional commands, just add them to the end of that line like this:
zabbix ALL=(ALL:ALL) NOPASSWORD: /sbin/zfs status, /sbin/zpool status