6 #-----------------------------------------------------------------------
7 # Copyright (c) 2000-2002 Silicon Graphics, Inc. All Rights Reserved.
9 # This program is free software; you can redistribute it and/or modify it
10 # under the terms of version 2 of the GNU General Public License as
11 # published by the Free Software Foundation.
13 # This program is distributed in the hope that it would be useful, but
14 # WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
17 # Further, this software is distributed without any warranty that it is
18 # free of the rightful claim of any third person regarding infringement
19 # or the like. Any license provided herein, whether implied or
20 # otherwise, applies only to this software file. Patent licenses, if
21 # any, provided herein do not apply to combinations of this program with
22 # other software, or any other product whatsoever.
24 # You should have received a copy of the GNU General Public License along
25 # with this program; if not, write the Free Software Foundation, Inc., 59
26 # Temple Place - Suite 330, Boston MA 02111-1307, USA.
28 # Contact information: Silicon Graphics, Inc., 1600 Amphitheatre Pkwy,
29 # Mountain View, CA 94043, or:
33 # For further information regarding this notice, see:
35 # http://oss.sgi.com/projects/GenInfo/SGIGPLNoticeExplan/
36 #-----------------------------------------------------------------------
46 status=1 # FAILure is the default!
47 trap "_cleanup; exit \$status" 0 1 2 3 15
49 # get standard environment, filters and checks
57 rm -rf $TEST_DIR/$seq.dir1
61 # minimal access ACL has ACEs: USER_OBJ, GROUP_OBJ, OTHER_OBJ
62 # This is set with chacl(1) and can be changed by chmod(1).
64 # Test that this is being set for ACL and for std unix permissions
65 # Test that we can get back the same ACL.
66 # Test std permissions for rwx.
69 # Test out default ACLs and that the ACL is being PASSed
70 # onto the children of the dir.
73 # Test out access check for extended ACLs.
74 # -> 3 extra ACEs: MASK, GROUP, USER
75 # -> the GROUP compares with egid of process _and_ the supplementary
76 # groups (as found in /etc/group)
78 # Test that mask works for USER, GROUP, GROUP_OBJ
79 # Test that the ACE type priority is working
80 # -> this would be done by simultaneously matching on ACEs
81 # -> interesting if it allows user to specify ACEs in any order
88 [ -x $runas ] || _notrun "$runas executable not found"
96 #-------------------------------------------------------
97 # real QA test starts here
98 echo "QA output created by $seq"
101 echo "=== Test minimal ACE ==="
104 # Note: as this is a shell script,
105 # will need read and execute permission set
106 # in order to execute it.
110 echo "Test was executed"
115 chown $acl1.$acl2 file1
119 echo "--- Test get and set of ACL ---"
120 echo "Note: Old interface gave an empty ACL - now output an ACL"
121 chacl -l file1 | _acl_filter_id
122 echo "Try using single colon separator"
123 echo "Note: Old interface FAILed because of single colon - new one allows it"
124 chacl u::r--,g::rwx,o:rw- file1 2>&1
125 echo "Expect to PASS"
126 chacl u::r--,g::rwx,o::rw- file1 2>&1
127 chacl -l file1 | _acl_filter_id
130 echo "--- Test sync of ACL with std permissions ---"
134 chacl -l file1 | _acl_filter_id
137 echo "--- Test owner permissions ---"
138 chacl u::r-x,g::---,o::--- file1 2>&1
139 chacl -l file1 | _acl_filter_id
141 echo "Expect to PASS"
142 $runas -u $acl1 -g $acl1 ./file1 2>&1
143 echo "Expect to FAIL"
144 $runas -u $acl2 -g $acl2 ./file1 2>&1
147 echo "--- Test group permissions ---"
148 chacl u::---,g::r-x,o::--- file1 2>&1
149 chacl -l file1 | _acl_filter_id
150 echo "Expect to FAIL - acl1 is owner"
151 $runas -u $acl1 -g $acl1 ./file1 2>&1
152 echo "Expect to PASS - acl2 matches group"
153 $runas -u $acl2 -g $acl2 ./file1 2>&1
154 echo "Expect to PASS - acl2 matches sup group"
155 $runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
156 echo "Expect to FAIL - acl3 is not in group"
157 $runas -u $acl3 -g $acl3 ./file1 2>&1
160 echo "--- Test other permissions ---"
161 chacl u::---,g::---,o::r-x file1 2>&1
162 chacl -l file1 | _acl_filter_id
163 echo "Expect to FAIL - acl1 is owner"
164 $runas -u $acl1 -g $acl1 ./file1 2>&1
165 echo "Expect to FAIL - acl2 is in group"
166 $runas -u $acl2 -g $acl2 ./file1 2>&1
167 echo "Expect to FAIL - acl2 is in sup. group"
168 $runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
169 echo "Expect to PASS - acl3 is not owner or in group"
170 $runas -u $acl3 -g $acl3 ./file1 2>&1
172 #-------------------------------------------------------
175 echo "=== Test Extended ACLs ==="
178 echo "--- Test adding a USER ACE ---"
179 echo "Expect to FAIL as no MASK provided"
180 chacl u::---,g::---,o::---,u:$acl2:r-x file1 2>&1 | _acl_filter_id
181 echo "Ensure that ACL has not been changed"
182 chacl -l file1 | _acl_filter_id
183 echo "Expect to PASS - USER ACE matches user"
184 chacl u::---,g::---,o::---,u:$acl2:r-x,m::rwx file1 2>&1
185 chacl -l file1 | _acl_filter_id
186 $runas -u $acl2 -g $acl2 ./file1 2>&1
187 echo "Expect to FAIL - USER ACE does not match user"
188 $runas -u $acl3 -g $acl3 ./file1 2>&1
191 echo "--- Test adding a GROUP ACE ---"
192 echo "Expect to FAIL as no MASK provided"
193 chacl u::---,g::---,o::---,g:$acl2:r-x file1 2>&1 | _acl_filter_id
194 echo "Ensure that ACL has not been changed"
195 chacl -l file1 | _acl_filter_id
196 chacl u::---,g::---,o::---,g:$acl2:r-x,m::rwx file1 2>&1
197 chacl -l file1 | _acl_filter_id
198 echo "Expect to PASS - GROUP ACE matches group"
199 $runas -u $acl2 -g $acl2 ./file1 2>&1
200 echo "Expect to PASS - GROUP ACE matches sup group"
201 $runas -u $acl2 -g $acl1 -s $acl2 ./file1 2>&1
202 echo "Expect to FAIL - GROUP ACE does not match group"
203 $runas -u $acl3 -g $acl3 ./file1 2>&1
205 #-------------------------------------------------------
208 echo "--- Test MASK ---"
211 chacl u::---,g::---,o::---,g:$acl2:r-x,m::-w- file1 2>&1
212 chacl -l file1 | _acl_filter_id
213 echo "Expect to FAIL as MASK prohibits execution"
214 $runas -u $acl2 -g $acl2 ./file1 2>&1
217 chacl u::---,g::---,o::---,u:$acl2:r-x,m::-w- file1 2>&1
218 echo "Expect to FAIL as MASK prohibits execution"
219 $runas -u $acl2 -g $acl2 ./file1 2>&1
222 chacl u::---,g::---,o::---,u:$acl2:r-x,m::r-x file1 2>&1
223 echo "Expect to PASS as MASK allows execution"
224 $runas -u $acl2 -g $acl2 ./file1 2>&1
226 #-------------------------------------------------------
229 echo "--- Test ACE priority ---"
231 chacl o::rwx,g::rwx,u:$acl1:rwx,u::---,m::rwx file1 2>&1
232 echo "Expect to FAIL as should match on owner"
233 $runas -u $acl1 -g $acl2 ./file1 2>&1
235 chacl o::---,g::---,u:$acl2:rwx,u::---,m::rwx file1 2>&1
236 echo "Expect to PASS as should match on user"
237 $runas -u $acl2 -g $acl2 ./file1 2>&1
240 #-------------------------------------------------------
243 echo "=== Test can read ACLs without access permissions ==="
244 # This was a bug in kernel code where syscred wasn't being used
245 # to override the capabilities
246 chacl o::---,g::---,u::--- file1 2>&1
247 chacl -l file1 | _acl_filter_id
249 #-------------------------------------------------------
252 echo "=== Test Default ACLs ==="
253 # make test clearer by testing with and without umask
257 chacl -b "u::rwx,g::rwx,o::rwx" "u::r-x,g::r--,o::---" acldir 2>&1
258 chacl -l acldir | _acl_filter_id
263 chacl -l file2 | _acl_filter_id
265 #ensure that umask is not having an effect
270 chacl -l file3 | _acl_filter_id
276 #-------------------------------------------------------
279 echo "=== Removing ACLs ==="
280 chacl -l file1 | _acl_filter_id
281 chacl -l acldir | _acl_filter_id
282 chacl -l acldir/file2 | _acl_filter_id
283 echo "Remove ACLs..."
286 chacl -R acldir/file2
287 echo "Note: Old interface would mean empty ACLs - now we show mode ACLs"
288 chacl -l file1 | _acl_filter_id
289 chacl -l acldir | _acl_filter_id
290 chacl -l acldir/file2 | _acl_filter_id
293 #-------------------------------------------------------
296 echo "=== Recursive change ACL ==="
299 pushd root >/dev/null
300 # create an arbitrary little tree
301 for i in 1 2 3 4 5 6 7 8 9 0
308 chown -R 12345.54321 root
310 $runas -u 12345 -g 54321 -- `which chacl` -r u::rwx,g::-w-,o::--x root
311 find root -print | xargs chacl -l
313 $runas -u 12345 -g 54321 -- `which chacl` -r u::---,g::---,o::--- root
314 find root -print | xargs chacl -l
317 #-------------------------------------------------------
320 echo "=== Test out error messages for ACL text parsing ==="
321 echo "Note: Old interface gave more informative error msgs"
327 chacl u:rumpledumpleunknownuser file1
328 chacl u:rumpledumpleunknownuser: file1
329 chacl g:rumpledumpleunknowngrp file1
330 chacl g:rumpledumpleunknowngrp: file1
331 chacl o:user1:rwx file1
332 chacl m:user1:rwx file1
336 #-------------------------------------------------------
339 echo "=== Test out large ACLs ==="
341 XFS_ACL_MAX_ENTRIES=25
342 num_aces_pre=`expr $XFS_ACL_MAX_ENTRIES - 1`
343 num_aces_post=`expr $XFS_ACL_MAX_ENTRIES + 1`
345 acl1=`_create_n_aces $num_aces_pre`
346 acl2=`_create_n_aces $XFS_ACL_MAX_ENTRIES`
347 acl3=`_create_n_aces $num_aces_post`
348 acl4=`_create_n_aces 16` # Andreas G. libacl size for initial get
349 acl5=`_create_n_aces 17` # 1 over A.G. libacl initial size
351 echo "1 below xfs acl max"
352 chacl $acl1 largeaclfile
353 getfacl largeaclfile | _filter_aces
356 chacl $acl2 largeaclfile
357 getfacl largeaclfile | _filter_aces
359 echo "1 above xfs acl max"
360 chacl $acl3 largeaclfile
361 getfacl largeaclfile | _filter_aces
364 chacl $acl4 largeaclfile
365 getfacl largeaclfile | _filter_aces
368 chacl $acl5 largeaclfile
369 getfacl largeaclfile | _filter_aces
371 #-------------------------------------------------------