7 #-----------------------------------------------------------------------
8 # Copyright (c) 2000-2002 Silicon Graphics, Inc. All Rights Reserved.
10 # This program is free software; you can redistribute it and/or modify it
11 # under the terms of version 2 of the GNU General Public License as
12 # published by the Free Software Foundation.
14 # This program is distributed in the hope that it would be useful, but
15 # WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
18 # Further, this software is distributed without any warranty that it is
19 # free of the rightful claim of any third person regarding infringement
20 # or the like. Any license provided herein, whether implied or
21 # otherwise, applies only to this software file. Patent licenses, if
22 # any, provided herein do not apply to combinations of this program with
23 # other software, or any other product whatsoever.
25 # You should have received a copy of the GNU General Public License along
26 # with this program; if not, write the Free Software Foundation, Inc., 59
27 # Temple Place - Suite 330, Boston MA 02111-1307, USA.
29 # Contact information: Silicon Graphics, Inc., 1600 Amphitheatre Pkwy,
30 # Mountain View, CA 94043, or:
34 # For further information regarding this notice, see:
36 # http://oss.sgi.com/projects/GenInfo/SGIGPLNoticeExplan/
37 #-----------------------------------------------------------------------
47 status=1 # FAILure is the default!
48 trap "_cleanup; exit \$status" 0 1 2 3 15
50 # get standard environment, filters and checks
58 rm -rf $TEST_DIR/$seq.dir1
62 # minimal access ACL has ACEs: USER_OBJ, GROUP_OBJ, OTHER_OBJ
63 # This is set with chacl(1) and can be changed by chmod(1).
65 # Test that this is being set for ACL and for std unix permissions
66 # Test that we can get back the same ACL.
67 # Test std permissions for rwx.
70 # Test out default ACLs and that the ACL is being PASSed
71 # onto the children of the dir.
74 # Test out access check for extended ACLs.
75 # -> 3 extra ACEs: MASK, GROUP, USER
76 # -> the GROUP compares with egid of process _and_ the supplementary
77 # groups (as found in /etc/group)
79 # Test that mask works for USER, GROUP, GROUP_OBJ
80 # Test that the ACE type priority is working
81 # -> this would be done by simultaneously matching on ACEs
82 # -> interesting if it allows user to specify ACEs in any order
89 [ -x $runas ] || _notrun "$runas executable not found"
97 #-------------------------------------------------------
98 # real QA test starts here
99 echo "QA output created by $seq"
102 echo "=== Test minimal ACE ==="
105 # Note: as this is a shell script,
106 # will need read and execute permission set
107 # in order to execute it.
111 echo "Test was executed"
116 chown $acl1.$acl2 file1
120 echo "--- Test get and set of ACL ---"
121 echo "Note: Old interface gave an empty ACL - now output an ACL"
122 chacl -l file1 | _acl_filter_id
123 echo "Try using single colon separator"
124 echo "Note: Old interface FAILed because of single colon - new one allows it"
125 chacl u::r--,g::rwx,o:rw- file1 2>&1
126 echo "Expect to PASS"
127 chacl u::r--,g::rwx,o::rw- file1 2>&1
128 chacl -l file1 | _acl_filter_id
131 echo "--- Test sync of ACL with std permissions ---"
135 chacl -l file1 | _acl_filter_id
138 echo "--- Test owner permissions ---"
139 chacl u::r-x,g::---,o::--- file1 2>&1
140 chacl -l file1 | _acl_filter_id
142 echo "Expect to PASS"
143 $runas -u $acl1 -g $acl1 ./file1 2>&1
144 echo "Expect to FAIL"
145 $runas -u $acl2 -g $acl2 ./file1 2>&1
148 echo "--- Test group permissions ---"
149 chacl u::---,g::r-x,o::--- file1 2>&1
150 chacl -l file1 | _acl_filter_id
151 echo "Expect to FAIL - acl1 is owner"
152 $runas -u $acl1 -g $acl1 ./file1 2>&1
153 echo "Expect to PASS - acl2 matches group"
154 $runas -u $acl2 -g $acl2 ./file1 2>&1
155 echo "Expect to PASS - acl2 matches sup group"
156 $runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
157 echo "Expect to FAIL - acl3 is not in group"
158 $runas -u $acl3 -g $acl3 ./file1 2>&1
161 echo "--- Test other permissions ---"
162 chacl u::---,g::---,o::r-x file1 2>&1
163 chacl -l file1 | _acl_filter_id
164 echo "Expect to FAIL - acl1 is owner"
165 $runas -u $acl1 -g $acl1 ./file1 2>&1
166 echo "Expect to FAIL - acl2 is in group"
167 $runas -u $acl2 -g $acl2 ./file1 2>&1
168 echo "Expect to FAIL - acl2 is in sup. group"
169 $runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
170 echo "Expect to PASS - acl3 is not owner or in group"
171 $runas -u $acl3 -g $acl3 ./file1 2>&1
173 #-------------------------------------------------------
176 echo "=== Test Extended ACLs ==="
179 echo "--- Test adding a USER ACE ---"
180 echo "Expect to FAIL as no MASK provided"
181 chacl u::---,g::---,o::---,u:$acl2:r-x file1 2>&1 | _acl_filter_id
182 echo "Ensure that ACL has not been changed"
183 chacl -l file1 | _acl_filter_id
184 echo "Expect to PASS - USER ACE matches user"
185 chacl u::---,g::---,o::---,u:$acl2:r-x,m::rwx file1 2>&1
186 chacl -l file1 | _acl_filter_id
187 $runas -u $acl2 -g $acl2 ./file1 2>&1
188 echo "Expect to FAIL - USER ACE does not match user"
189 $runas -u $acl3 -g $acl3 ./file1 2>&1
192 echo "--- Test adding a GROUP ACE ---"
193 echo "Expect to FAIL as no MASK provided"
194 chacl u::---,g::---,o::---,g:$acl2:r-x file1 2>&1 | _acl_filter_id
195 echo "Ensure that ACL has not been changed"
196 chacl -l file1 | _acl_filter_id
197 chacl u::---,g::---,o::---,g:$acl2:r-x,m::rwx file1 2>&1
198 chacl -l file1 | _acl_filter_id
199 echo "Expect to PASS - GROUP ACE matches group"
200 $runas -u $acl2 -g $acl2 ./file1 2>&1
201 echo "Expect to PASS - GROUP ACE matches sup group"
202 $runas -u $acl2 -g $acl1 -s $acl2 ./file1 2>&1
203 echo "Expect to FAIL - GROUP ACE does not match group"
204 $runas -u $acl3 -g $acl3 ./file1 2>&1
206 #-------------------------------------------------------
209 echo "--- Test MASK ---"
212 chacl u::---,g::---,o::---,g:$acl2:r-x,m::-w- file1 2>&1
213 chacl -l file1 | _acl_filter_id
214 echo "Expect to FAIL as MASK prohibits execution"
215 $runas -u $acl2 -g $acl2 ./file1 2>&1
218 chacl u::---,g::---,o::---,u:$acl2:r-x,m::-w- file1 2>&1
219 echo "Expect to FAIL as MASK prohibits execution"
220 $runas -u $acl2 -g $acl2 ./file1 2>&1
223 chacl u::---,g::---,o::---,u:$acl2:r-x,m::r-x file1 2>&1
224 echo "Expect to PASS as MASK allows execution"
225 $runas -u $acl2 -g $acl2 ./file1 2>&1
227 #-------------------------------------------------------
230 echo "--- Test ACE priority ---"
232 chacl o::rwx,g::rwx,u:$acl1:rwx,u::---,m::rwx file1 2>&1
233 echo "Expect to FAIL as should match on owner"
234 $runas -u $acl1 -g $acl2 ./file1 2>&1
236 chacl o::---,g::---,u:$acl2:rwx,u::---,m::rwx file1 2>&1
237 echo "Expect to PASS as should match on user"
238 $runas -u $acl2 -g $acl2 ./file1 2>&1
241 #-------------------------------------------------------
244 echo "=== Test can read ACLs without access permissions ==="
245 # This was a bug in kernel code where syscred wasn't being used
246 # to override the capabilities
247 chacl o::---,g::---,u::--- file1 2>&1
248 chacl -l file1 | _acl_filter_id
250 #-------------------------------------------------------
253 echo "=== Test Default ACLs ==="
254 # make test clearer by testing with and without umask
258 chacl -b "u::rwx,g::rwx,o::rwx" "u::r-x,g::r--,o::---" acldir 2>&1
259 chacl -l acldir | _acl_filter_id
264 chacl -l file2 | _acl_filter_id
266 #ensure that umask is not having an effect
271 chacl -l file3 | _acl_filter_id
277 #-------------------------------------------------------
280 echo "=== Removing ACLs ==="
281 chacl -l file1 | _acl_filter_id
282 chacl -l acldir | _acl_filter_id
283 chacl -l acldir/file2 | _acl_filter_id
284 echo "Remove ACLs..."
287 chacl -R acldir/file2
288 echo "Note: Old interface would mean empty ACLs - now we show mode ACLs"
289 chacl -l file1 | _acl_filter_id
290 chacl -l acldir | _acl_filter_id
291 chacl -l acldir/file2 | _acl_filter_id
294 #-------------------------------------------------------
297 echo "=== Recursive change ACL ==="
300 pushd root >/dev/null
301 # create an arbitrary little tree
302 for i in 1 2 3 4 5 6 7 8 9 0
309 chown -R 12345.54321 root
311 $runas -u 12345 -g 54321 -- `which chacl` -r u::rwx,g::-w-,o::--x root
312 find root -print | xargs chacl -l
314 $runas -u 12345 -g 54321 -- `which chacl` -r u::---,g::---,o::--- root
315 find root -print | xargs chacl -l
318 #-------------------------------------------------------
321 echo "=== Test out error messages for ACL text parsing ==="
322 echo "Note: Old interface gave more informative error msgs"
328 chacl u:rumpledumpleunknownuser file1
329 chacl u:rumpledumpleunknownuser: file1
330 chacl g:rumpledumpleunknowngrp file1
331 chacl g:rumpledumpleunknowngrp: file1
332 chacl o:user1:rwx file1
333 chacl m:user1:rwx file1
337 #-------------------------------------------------------
340 echo "=== Test out large ACLs ==="
342 XFS_ACL_MAX_ENTRIES=25
343 num_aces_pre=`expr $XFS_ACL_MAX_ENTRIES - 1`
344 num_aces_post=`expr $XFS_ACL_MAX_ENTRIES + 1`
346 acl1=`_create_n_aces $num_aces_pre`
347 acl2=`_create_n_aces $XFS_ACL_MAX_ENTRIES`
348 acl3=`_create_n_aces $num_aces_post`
349 acl4=`_create_n_aces 16` # Andreas G. libacl size for initial get
350 acl5=`_create_n_aces 17` # 1 over A.G. libacl initial size
352 echo "1 below xfs acl max"
353 chacl $acl1 largeaclfile
354 getfacl largeaclfile | _filter_aces
357 chacl $acl2 largeaclfile
358 getfacl largeaclfile | _filter_aces
360 echo "1 above xfs acl max"
361 chacl $acl3 largeaclfile
362 getfacl largeaclfile | _filter_aces
365 chacl $acl4 largeaclfile
366 getfacl largeaclfile | _filter_aces
369 chacl $acl5 largeaclfile
370 getfacl largeaclfile | _filter_aces
372 #-------------------------------------------------------