| #! /bin/bash |
| # FS QA Test No. 099. Modified from UDFQA test 036. |
| # |
| # ACL test |
| #----------------------------------------------------------------------- |
| # Copyright (c) 2000-2004 Silicon Graphics, Inc. All Rights Reserved. |
| # |
| # This program is free software; you can redistribute it and/or |
| # modify it under the terms of the GNU General Public License as |
| # published by the Free Software Foundation. |
| # |
| # This program is distributed in the hope that it would be useful, |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| # GNU General Public License for more details. |
| # |
| # You should have received a copy of the GNU General Public License |
| # along with this program; if not, write the Free Software Foundation, |
| # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA |
| # |
| #----------------------------------------------------------------------- |
| # |
| #_acl_list |
| # modifier |
| owner=ajones@sgi.com |
| |
| seq=`basename $0` |
| echo "QA output created by $seq" |
| |
| here=`pwd` |
| tmp=/tmp/$$ |
| status=1 # failure is the default! |
| trap "_cleanup; exit \$status" 0 1 2 3 15 |
| |
| # get standard environment, filters and checks |
| . ./common.rc |
| . ./common.filter |
| . ./common.attr |
| |
| runas=$here/src/runas |
| |
| TARGET_DIR=$SCRATCH_MNT |
| [ "$FSTYP" == "xfs" ] && TARGET_DIR=$TEST_DIR |
| |
| _cleanup() |
| { |
| rm -f $tmp.* |
| cd $TARGET_DIR |
| rm -rf $seq.dir1 |
| cd / |
| } |
| |
| # ----- |
| # minimal access ACL has ACEs: USER_OBJ, GROUP_OBJ, OTHER_OBJ |
| # This is set with chacl(1) and can be changed by chmod(1). |
| # |
| # Test that this is being set for ACL and for std unix permissions |
| # Test that we can get back the same ACL. |
| # Test std permissions for rwx. |
| # ----- |
| # |
| # Test out default ACLs and that the ACL is being PASSed |
| # onto the children of the dir. |
| # |
| # ----- |
| # Test out access check for extended ACLs. |
| # -> 3 extra ACEs: MASK, GROUP, USER |
| # -> the GROUP compares with egid of process _and_ the supplementary |
| # groups (as found in /etc/group) |
| # |
| # Test that mask works for USER, GROUP, GROUP_OBJ |
| # Test that the ACE type priority is working |
| # -> this would be done by simultaneously matching on ACEs |
| # -> interesting if it allows user to specify ACEs in any order |
| # |
| rm -f $seq.full |
| |
| #------------------------------------------------------- |
| # real QA test starts here |
| _supported_fs generic |
| _supported_os IRIX |
| |
| _acl_setup_ids |
| _require_acls |
| |
| [ -x $runas ] || _notrun "$runas executable not found" |
| |
| # get dir |
| #export FILE_SYS=xfs |
| _require_scratch |
| _setup_testdir |
| |
| cd $TARGET_DIR |
| rm -rf $seq.dir1 # in case file is left over from previous runs. |
| mkdir $seq.dir1 |
| cd $seq.dir1 |
| |
| echo "" |
| echo "=== Test minimal ACE ===" |
| |
| echo "Setup file" |
| # Note: as this is a shell script, |
| # will need read and execute permission set |
| # in order to execute it. |
| touch file1 |
| cat <<EOF >file1 |
| #!/bin/bash |
| echo "Test was executed" |
| EOF |
| chmod u=rwx file1 |
| chmod g=rw- file1 |
| chmod o=r-- file1 |
| chown $acl1.$acl2 file1 |
| _acl_ls file1 |
| |
| echo "" |
| echo "--- Test get and set of ACL ---" |
| echo "Note: IRIX interface gave an empty ACL - Linux outputs an ACL" |
| _acl_list file1 |
| echo "Try using single colon separator" |
| echo "Note: IRIX interface FAILs because of single colon - Linux one allows it" |
| chacl u::r--,g::rwx,o:rw- file1 2>&1 |
| echo "Expect to PASS" |
| chacl u::r--,g::rwx,o::rw- file1 2>&1 |
| _acl_list file1 |
| |
| echo "" |
| echo "--- Test sync of ACL with std permissions ---" |
| _acl_ls file1 |
| chmod u+w file1 |
| _acl_ls file1 |
| _acl_list file1 |
| |
| echo "" |
| echo "--- Test owner permissions ---" |
| chacl u::r-x,g::---,o::--- file1 2>&1 |
| _acl_list file1 |
| # change to owner |
| echo "Expect to PASS" |
| $runas -u $acl1 -g $acl1 ./file1 2>&1 |
| echo "Expect to FAIL" |
| $runas -u $acl2 -g $acl2 ./file1 2>&1 |
| |
| echo "" |
| echo "--- Test group permissions ---" |
| chacl u::---,g::r-x,o::--- file1 2>&1 |
| _acl_list file1 |
| echo "Expect to FAIL - acl1 is owner" |
| $runas -u $acl1 -g $acl1 ./file1 2>&1 |
| echo "Expect to PASS - acl2 matches group" |
| $runas -u $acl2 -g $acl2 ./file1 2>&1 |
| echo "Expect to PASS - acl2 matches sup group" |
| $runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1 |
| echo "Expect to FAIL - acl3 is not in group" |
| $runas -u $acl3 -g $acl3 ./file1 2>&1 |
| |
| echo "" |
| echo "--- Test other permissions ---" |
| chacl u::---,g::---,o::r-x file1 2>&1 |
| _acl_list file1 |
| echo "Expect to FAIL - acl1 is owner" |
| $runas -u $acl1 -g $acl1 ./file1 2>&1 |
| echo "Expect to FAIL - acl2 is in group" |
| $runas -u $acl2 -g $acl2 ./file1 2>&1 |
| echo "Expect to FAIL - acl2 is in sup. group" |
| $runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1 |
| echo "Expect to PASS - acl3 is not owner or in group" |
| $runas -u $acl3 -g $acl3 ./file1 2>&1 |
| |
| #------------------------------------------------------- |
| |
| echo "" |
| echo "=== Test Extended ACLs ===" |
| |
| echo "" |
| echo "--- Test adding a USER ACE ---" |
| echo "Expect to FAIL as no MASK provided" |
| chacl u::---,g::---,o::---,u:$acl2:r-x file1 2>&1 | _acl_filter_id |
| echo "Ensure that ACL has not been changed" |
| _acl_list file1 |
| echo "Expect to PASS - USER ACE matches user" |
| chacl u::---,g::---,o::---,u:$acl2:r-x,m::rwx file1 2>&1 |
| _acl_list file1 |
| $runas -u $acl2 -g $acl2 ./file1 2>&1 |
| echo "Expect to FAIL - USER ACE does not match user" |
| $runas -u $acl3 -g $acl3 ./file1 2>&1 |
| |
| echo "" |
| echo "--- Test adding a GROUP ACE ---" |
| echo "Expect to FAIL as no MASK provided" |
| chacl u::---,g::---,o::---,g:$acl2:r-x file1 2>&1 | _acl_filter_id |
| echo "Ensure that ACL has not been changed" |
| _acl_list file1 |
| chacl u::---,g::---,o::---,g:$acl2:r-x,m::rwx file1 2>&1 |
| _acl_list file1 | _acl_filter_id |
| echo "Expect to PASS - GROUP ACE matches group" |
| $runas -u $acl2 -g $acl2 ./file1 2>&1 |
| echo "Expect to PASS - GROUP ACE matches sup group" |
| $runas -u $acl2 -g $acl1 -s $acl2 ./file1 2>&1 |
| echo "Expect to FAIL - GROUP ACE does not match group" |
| $runas -u $acl3 -g $acl3 ./file1 2>&1 |
| |
| #------------------------------------------------------- |
| |
| echo "" |
| echo "--- Test MASK ---" |
| |
| # group |
| chacl u::---,g::---,o::---,g:$acl2:r-x,m::-w- file1 2>&1 |
| _acl_list file1 |
| echo "Expect to FAIL as MASK prohibits execution" |
| $runas -u $acl2 -g $acl2 ./file1 2>&1 |
| |
| # user |
| chacl u::---,g::---,o::---,u:$acl2:r-x,m::-w- file1 2>&1 |
| echo "Expect to FAIL as MASK prohibits execution" |
| $runas -u $acl2 -g $acl2 ./file1 2>&1 |
| |
| # user |
| chacl u::---,g::---,o::---,u:$acl2:r-x,m::r-x file1 2>&1 |
| echo "Expect to PASS as MASK allows execution" |
| $runas -u $acl2 -g $acl2 ./file1 2>&1 |
| |
| #------------------------------------------------------- |
| |
| echo "" |
| echo "--- Test ACE priority ---" |
| |
| chacl o::rwx,g::rwx,u:$acl1:rwx,u::---,m::rwx file1 2>&1 |
| echo "Expect to FAIL as should match on owner" |
| $runas -u $acl1 -g $acl2 ./file1 2>&1 |
| |
| chacl o::---,g::---,u:$acl2:rwx,u::---,m::rwx file1 2>&1 |
| echo "Expect to PASS as should match on user" |
| $runas -u $acl2 -g $acl2 ./file1 2>&1 |
| |
| |
| #------------------------------------------------------- |
| |
| echo "" |
| echo "=== Test can read ACLs without access permissions ===" |
| # This was a bug in kernel code where syscred wasn't being used |
| # to override the capabilities |
| chacl o::---,g::---,u::--- file1 2>&1 |
| _acl_list file1 |
| |
| #------------------------------------------------------- |
| |
| echo "" |
| echo "=== Test Default ACLs ===" |
| # make test clearer by testing with and without umask |
| umask 0 |
| |
| mkdir acldir |
| chacl -b "u::rwx,g::rwx,o::rwx" "u::r-x,g::r--,o::---" acldir 2>&1 |
| _acl_list acldir |
| cd acldir |
| |
| touch file2 |
| _acl_ls file2 |
| _acl_list file2 |
| |
| #ensure that umask is not having an effect |
| #so set it and see |
| umask 722 |
| touch file3 |
| _acl_ls file3 |
| _acl_list file3 |
| |
| cd .. |
| umask 022 |
| |
| |
| #------------------------------------------------------- |
| |
| echo "" |
| echo "=== Removing ACLs ===" |
| _acl_list file1 |
| _acl_list acldir |
| _acl_list acldir/file2 |
| echo "Remove ACLs..." |
| chacl -R file1 |
| chacl -B acldir |
| chacl -R acldir/file2 |
| echo "Note: IRIX interface would mean empty ACLs - Linux would show mode ACLs" |
| _acl_list file1 |
| _acl_list acldir |
| _acl_list acldir/file2 |
| |
| #------------------------------------------------------- |
| |
| echo "" |
| echo "=== Test out error messages for ACL text parsing ===" |
| |
| touch file1 |
| set -x |
| chacl u file1 |
| chacl u: file1 |
| chacl u:rumpledumpleunknownuser file1 |
| chacl u:rumpledumpleunknownuser: file1 |
| chacl g:rumpledumpleunknowngrp file1 |
| chacl g:rumpledumpleunknowngrp: file1 |
| chacl o:user1:rwx file1 |
| chacl m:user1:rwx file1 |
| chacl a::rwx file1 |
| set +x |
| |
| #------------------------------------------------------- |
| |
| echo "" |
| echo "=== Test out large ACLs ===" |
| touch largeaclfile |
| XFS_ACL_MAX_ENTRIES=25 |
| num_aces_pre=`expr $XFS_ACL_MAX_ENTRIES - 1` |
| num_aces_post=`expr $XFS_ACL_MAX_ENTRIES + 1` |
| |
| acl1=`_create_n_aces $num_aces_pre` |
| acl2=`_create_n_aces $XFS_ACL_MAX_ENTRIES` |
| acl3=`_create_n_aces $num_aces_post` |
| |
| echo "1 below xfs acl max" |
| chacl $acl1 largeaclfile |
| _acl_list largeaclfile | _filter_aces_notypes |
| |
| echo "xfs acl max" |
| chacl $acl2 largeaclfile |
| _acl_list largeaclfile | _filter_aces_notypes |
| |
| echo "1 above xfs acl max" |
| chacl $acl3 largeaclfile |
| _acl_list largeaclfile | _filter_aces_notypes |
| |
| #------------------------------------------------------- |
| |
| if [ "$FSTYP" == "udf" ]; then |
| cd / |
| umount $TARGET_DIR |
| # Check the filesystem |
| _check_scratch_fs |
| fi |
| # success, all done |
| status=0 |
| exit |