Closed
Description
System information
| Type | Version/Name |
| --- | --- |
| Distribution Name | NixOS |
| Distribution Version | 25.05.20250108.bffc22e (Warbler) |
| Kernel Version | 6.6.69 |
| Architecture | x86_64 |
| OpenZFS Version | zfs-2.2.7-1 |
Describe the problem you're observing
If a user is delegated the `receive` permission, they can use `zfs receive -F` on that dataset to destroy snapshots, even when they have not been granted the `rollback` or `destroy` permission on the same dataset.
This may be as intended, but it is extremely surprising to me as a user. At the very least, the documentation should be updated to make this clear.
Describe how to reproduce the problem
```
# As root:
zfs create rpool/test
zfs create rpool/test/src
zfs create rpool/test/dest
zfs allow -u user send,snapshot,receive,mount,hold,create rpool/test
# As user:
zfs snapshot rpool/test/src@a
zfs send -R rpool/test/src@a | zfs receive rpool/test/dest
zfs snapshot rpool/test/src@b
zfs snapshot rpool/test/dest@x
zfs send -I rpool/test/src@a rpool/test/src@b | zfs receive -F rpool/test/dest
```
Results: `rpool/test/dest` has two snapshots, `@a` and `@b`. `rpool/test/dest@x` has been destroyed, despite the fact that `user` did not have permission to destroy it directly. I would expect that `user` does not have a way to do this.
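
An added example, not part of the original report or of OpenZFS: a small audit that reads `zfs allow <dataset>` output and lists principals who hold `receive` without `destroy` or `rollback`, which is the delegation the report describes. The function names, the output format and the sample text are assumptions made for this sketch; permission sets (`@name`) are not expanded and each "Permissions on" block is judged on its own.

```shell
#!/bin/sh
# Added example (not from the issue or the OpenZFS project).
# Reads `zfs allow <dataset>` output on stdin and prints one line per
# principal that holds `receive` but lacks `destroy` and/or `rollback`.
# Per the report, such a principal can still remove snapshots on the
# target with `zfs receive -F`.
# Assumptions: usual `zfs allow` text layout; permission sets (@name) are
# not expanded; permissions inherited from another block are not merged.

audit_receive() {
    awk '
        /^---- Permissions on / { ds = $4; next }
        /^[ \t]+(user|group|everyone)[ \t]/ {
            if ($1 == "everyone") { who = "everyone"; perms = $2 }
            else                  { who = $1 ":" $2;  perms = $3 }
            n = split(perms, p, ",")
            recv = dest = roll = 0
            for (i = 1; i <= n; i++) {
                if (p[i] == "receive")  recv = 1
                if (p[i] == "destroy")  dest = 1
                if (p[i] == "rollback") roll = 1
            }
            if (recv && !(dest && roll)) {
                missing = (dest ? "" : "destroy") \
                          ((dest || roll) ? "" : ",") \
                          (roll ? "" : "rollback")
                print ds, who, "receive-without:" missing
            }
        }
    '
}

# Constructed sample mirroring the delegation in the report, plus one
# constructed principal ("backup") that holds all three permissions.
sample_allow_output() {
    printf '%s\n' '---- Permissions on rpool/test ------------------------'
    printf '%s\n' 'Local+Descendent permissions:'
    printf '\t%s\n' 'user user create,hold,mount,receive,send,snapshot'
    printf '\t%s\n' 'user backup destroy,mount,receive,rollback'
}

# On a real system: zfs allow rpool/test | audit_receive
sample_allow_output | audit_receive
```
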