diff --git a/module/os/linux/spl/spl-cred.c b/module/os/linux/spl/spl-cred.c
index 8fe1cc30ba99..82347a2c6bdf 100644
--- a/module/os/linux/spl/spl-cred.c
+++ b/module/os/linux/spl/spl-cred.c
@@ -128,7 +128,7 @@ groupmember(gid_t gid, const cred_t *cr)
 uid_t
 crgetuid(const cred_t *cr)
 {
- return (KUID_TO_SUID(cr->euid));
+ return (KUID_TO_SUID(cr->fsuid));
 }
 /* Return the real user id */
@@ -156,7 +156,7 @@ crgetfsuid(const cred_t *cr)
 gid_t
 crgetgid(const cred_t *cr)
 {
- return (KGID_TO_SGID(cr->egid));
+ return (KGID_TO_SGID(cr->fsgid));
 }
 /* Return the real group id */
diff --git a/module/os/linux/zfs/policy.c b/module/os/linux/zfs/policy.c
index a0fa8fdb9cf7..789daee00c0a 100644
--- a/module/os/linux/zfs/policy.c
+++ b/module/os/linux/zfs/policy.c
@@ -114,12 +114,13 @@ secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner,
 mode_t curmode, mode_t wantmode)
 {
 mode_t remainder = ~curmode & wantmode;
+ uid_t fsuid = crgetfsuid(cr);
 if ((ITOZSB(ip)->z_acl_type != ZFS_ACLTYPE_NFSV4) || (remainder == 0)) {
 return (0);
 }
- if (crgetfsuid(cr) == owner)
+ if ((fsuid == owner) || (fsuid == 0))
 return (0);
 if (zpl_inode_owner_or_capable(kcred->user_ns, ip))
@@ -129,12 +130,6 @@ secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner,
 if (!kuid_has_mapping(cr->user_ns, SUID_TO_KUID(owner)))
 return (EPERM);
 #endif
- /*
- * short-circuit if root
- */
- if (priv_policy_user(cr, CAP_SYS_ADMIN, EPERM) == 0) {
- return (0);
- }
 /*
 * There are some situations in which capabilities
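Review bot: In spl-cred.c, `crgetuid()` and `crgetgid()` now return `cr->fsuid` and `cr->fsgid`, which makes `crgetuid()` a duplicate of `crgetfsuid()` (named in the second hunk header) and leaves no accessor that returns the effective ids. The comments above both functions lie outside the hunks, so their wording cannot be checked here; if they still say "effective", they should become something like `/* Return the filesystem user id (fsuid); same as euid unless changed by setfsuid(2) */`, with the matching text for the group id. Any caller that uses these accessors for a decision that is not a file-access check now silently gets the fs ids instead, so the commit message should state which callers were audited.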
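Review bot: In secpolicy_vnode_access2() in policy.c, the new `(fsuid == 0)` test grants access on a raw uid comparison, where the block removed in the next hunk asked `priv_policy_user(cr, CAP_SYS_ADMIN, EPERM)`. A uid-0 task without that capability is now allowed at this point, where before it fell through to the later checks. The test also runs before `kuid_has_mapping(cr->user_ns, ...)`, which the old root short-circuit came after, so a credential from a user namespace is no longer subject to the mapping check on this path. If the goal is only to match the owner against fsuid, keep `if (fsuid == owner)` here and leave the capability-based short-circuit in place; if uid 0 is meant to bypass NFSv4 ACL evaluation without a capability, a comment on the new line should say so and give the reason. Whether 0 here means root in the initial namespace depends on how KUID_TO_SUID maps ids, which this diff does not show; the function body starts before and continues after the hunk.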