| $ mkdir d |
| $ cd d |
| |
| $ whoami |
| > root |
| |
| $ id -Gn daemon |
| > daemon bin |
| |
| $ mkdir n1 |
| $ touch n1/f |
| |
| $ mkdir d2 d3 d4 d5 d6 d7 |
| $ touch d2/f d3/f d4/f d5/f d6/f d7/f d7/g |
| $ chown daemon d2 |
| $ chgrp bin d3 |
| $ chmod g+w d3 |
| $ nfs4acl --set 'daemon:wx::allow' d4 |
| $ nfs4acl --set 'daemon:d::allow' d5 |
| $ nfs4acl --set 'daemon:xd::allow' d6 |
| $ nfs4acl --set 'daemon:D::allow' d7/f d7/g |
| $ chmod 664 d7/g |
| |
| $ mkdir s2 s3 s4 s5 s6 s7 |
| $ chmod +t s2 s3 s4 s5 s6 s7 |
| $ touch s2/f s3/f s4/f s5/f s6/f s7/f s7/g |
| $ chown daemon s2 |
| $ chgrp bin s3 |
| $ chmod g+w s3 |
| $ nfs4acl --set 'daemon:wx::allow' s4 |
| $ nfs4acl --set 'daemon:d::allow' s5 |
| $ nfs4acl --set 'daemon:xd::allow' s6 |
| $ nfs4acl --set 'daemon:D::allow' s7/f |
| $ nfs4acl --set 'daemon:D::allow' s7/g s7/g |
| $ chmod 664 s7/g |
| |
| $ su daemon |
| |
| Cannot delete files without permissions: |
| $ rm n1/f |
| > rm: cannot remove `n1/f': Permission denied |
| |
| Can delete files we own: |
| $ rm d2/f s2/f |
| |
| Cannot delete files where we are in the owning group in a non-sticky directory, |
| but not in a sticky one: |
| $ rm d3/f s3/f |
| > rm: cannot remove `s3/f': Operation not permitted |
| |
| "Write_data/execute" access does not include delete_child access, and so this |
| is not enough for deleting: |
| $ rm d4/f s4/f |
| > rm: cannot remove `d4/f': Permission denied |
| > rm: cannot remove `s4/f': Permission denied |
| |
| "Delete_child" access alone also is not sufficient: |
| $ rm d5/f s5/f |
| > rm: cannot remove `d5/f': Permission denied |
| > rm: cannot remove `s5/f': Permission denied |
| |
| "Execute/delete_child" on the directory does allow that, though, but only in |
| a non-sticky directory: |
| $ rm d6/f s6/f |
| > rm: cannot remove `s6/f': Operation not permitted |
| |
| "Delete" on the child itself overrides the sticky check as well: |
| $ rm d7/f s7/f |
| |
| But Delete is not a subset of POSIX read/write, so chmod turns it off: |
| $ rm d7/g s7/g |
| > rm: cannot remove `d7/g': Permission denied |
| > rm: cannot remove `s7/g': Permission denied |
| |
| $ su |
| $ cd .. |
| $ rm -rf d |