7 #-----------------------------------------------------------------------
8 # Copyright (c) 2000 Silicon Graphics, Inc. All Rights Reserved.
10 # This program is free software; you can redistribute it and/or modify it
11 # under the terms of version 2 of the GNU General Public License as
12 # published by the Free Software Foundation.
14 # This program is distributed in the hope that it would be useful, but
15 # WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
18 # Further, this software is distributed without any warranty that it is
19 # free of the rightful claim of any third person regarding infringement
20 # or the like. Any license provided herein, whether implied or
21 # otherwise, applies only to this software file. Patent licenses, if
22 # any, provided herein do not apply to combinations of this program with
23 # other software, or any other product whatsoever.
25 # You should have received a copy of the GNU General Public License along
26 # with this program; if not, write the Free Software Foundation, Inc., 59
27 # Temple Place - Suite 330, Boston MA 02111-1307, USA.
29 # Contact information: Silicon Graphics, Inc., 1600 Amphitheatre Pkwy,
30 # Mountain View, CA 94043, or:
34 # For further information regarding this notice, see:
36 # http://oss.sgi.com/projects/GenInfo/SGIGPLNoticeExplan/
37 #-----------------------------------------------------------------------
47 status=1 # FAILure is the default!
48 trap "_cleanup; exit \$status" 0 1 2 3 15
50 # get standard environment, filters and checks
57 rm -rf $TEST_DIR/$seq.dir1
62 ls -ln $* | awk '{ print $1, $3, $4, $NF }' | _filter_id
67 cat /etc/passwd /etc/group $tmp.ids | gawk -F: '
70 for(i=1;i<1000000;i++){
82 acl1=`_get_newid`; echo "::$acl1" >>$tmp.ids
83 acl2=`_get_newid`; echo "::$acl2" >>$tmp.ids
84 acl3=`_get_newid`; echo "::$acl3" >>$tmp.ids
90 -e "s/u:$acl1/u:id1/" \
91 -e "s/u:$acl2/u:id2/" \
92 -e "s/u:$acl3/u:id3/" \
93 -e "s/g:$acl1/g:id1/" \
94 -e "s/g:$acl2/g:id2/" \
95 -e "s/g:$acl3/g:id3/" \
96 -e "s/ $acl1 / id1 /" \
97 -e "s/ $acl2 / id2 /" \
98 -e "s/ $acl3 / id3 /" \
102 # minimal access ACL has ACEs: USER_OBJ, GROUP_OBJ, OTHER_OBJ
103 # This is set with chacl(1) and can be changed by chmod(1).
105 # Test that this is being set for ACL and for std unix permissions
106 # Test that we can get back the same ACL.
107 # Test std permissions for rwx.
110 # Test out default ACLs and that the ACL is being PASSed
111 # onto the children of the dir.
114 # Test out access check for extended ACLs.
115 # -> 3 extra ACEs: MASK, GROUP, USER
116 # -> the GROUP compares with egid of process _and_ the supplementary
117 # groups (as found in /etc/group)
119 # Test that mask works for USER, GROUP, GROUP_OBJ
120 # Test that the ACE type priority is working
121 # -> this would be done by simultaneously matching on ACEs
122 # -> interesting if it allows user to specify ACEs in any order
129 [ -x /bin/chacl ] || _notrun "chacl command not found"
130 [ -x $runas ] || _notrun "$runas executable not found"
138 # test if acl_get syscall is operational
139 # and hence the ACL config has been turned on
141 if chacl -l syscalltest 2>&1 | tee -a $here/$seq.full | grep 'Function not implemented' >/dev/null
144 _notrun "requires kernel ACL support"
147 #-------------------------------------------------------
148 # real QA test starts here
149 echo "QA output created by $seq"
152 echo "=== Test minimal ACE ==="
158 echo "Test was executed"
163 chown $acl1.$acl2 file1
167 echo "--- Test get and set of ACL ---"
168 chacl -l file1 | _filter_id
169 echo "Expect to FAIL"
170 chacl u::r--,g::rwx,o:rw- file1 2>&1
171 echo "Expect to PASS"
172 chacl u::r--,g::rwx,o::rw- file1 2>&1
173 chacl -l file1 | _filter_id
176 echo "--- Test sync of ACL with std permissions ---"
180 chacl -l file1 | _filter_id
183 echo "--- Test owner permissions ---"
184 chacl u::r-x,g::---,o::--- file1 2>&1
185 chacl -l file1 | _filter_id
187 echo "Expect to PASS"
188 $runas -u $acl1 -g $acl1 ./file1 2>&1
189 echo "Expect to FAIL"
190 $runas -u $acl2 -g $acl2 ./file1 2>&1
193 echo "--- Test group permissions ---"
194 chacl u::---,g::r-x,o::--- file1 2>&1
195 chacl -l file1 | _filter_id
196 echo "Expect to FAIL - acl1 is owner"
197 $runas -u $acl1 -g $acl1 ./file1 2>&1
198 echo "Expect to PASS - acl2 matches group"
199 $runas -u $acl2 -g $acl2 ./file1 2>&1
200 echo "Expect to PASS - acl2 matches sup group"
201 $runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
202 echo "Expect to FAIL - acl3 is not in group"
203 $runas -u $acl3 -g $acl3 ./file1 2>&1
206 echo "--- Test other permissions ---"
207 chacl u::---,g::---,o::r-x file1 2>&1
208 chacl -l file1 | _filter_id
209 echo "Expect to FAIL - acl1 is owner"
210 $runas -u $acl1 -g $acl1 ./file1 2>&1
211 echo "Expect to FAIL - acl2 is in group"
212 $runas -u $acl2 -g $acl2 ./file1 2>&1
213 echo "Expect to FAIL - acl2 is in sup. group"
214 $runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
215 echo "Expect to PASS - acl3 is not owner or in group"
216 $runas -u $acl3 -g $acl3 ./file1 2>&1
218 #-------------------------------------------------------
221 echo "=== Test Extended ACLs ==="
224 echo "--- Test adding a USER ACE ---"
225 echo "Expect to FAIL as no MASK provided"
226 chacl u::---,g::---,o::---,u:$acl2:r-x file1 2>&1
227 echo "Ensure that ACL has not been changed"
228 chacl -l file1 | _filter_id
229 echo "Expect to PASS - USER ACE matches user"
230 chacl u::---,g::---,o::---,u:$acl2:r-x,m::rwx file1 2>&1
231 chacl -l file1 | _filter_id
232 $runas -u $acl2 -g $acl2 ./file1 2>&1
233 echo "Expect to FAIL - USER ACE does not match user"
234 $runas -u $acl3 -g $acl3 ./file1 2>&1
237 echo "--- Test adding a GROUP ACE ---"
238 echo "Expect to FAIL as no MASK provided"
239 chacl u::---,g::---,o::---,g:$acl2:r-x file1 2>&1
240 echo "Ensure that ACL has not been changed"
241 chacl -l file1 | _filter_id
242 chacl u::---,g::---,o::---,g:$acl2:r-x,m::rwx file1 2>&1
243 chacl -l file1 | _filter_id
244 echo "Expect to PASS - GROUP ACE matches group"
245 $runas -u $acl2 -g $acl2 ./file1 2>&1
246 echo "Expect to PASS - GROUP ACE matches sup group"
247 $runas -u $acl2 -g $acl1 -s $acl2 ./file1 2>&1
248 echo "Expect to FAIL - GROUP ACE does not match group"
249 $runas -u $acl3 -g $acl3 ./file1 2>&1
251 #-------------------------------------------------------
254 echo "--- Test MASK ---"
255 chacl u::---,g::---,o::---,g:$acl2:r-x,m::-wx file1 2>&1
256 chacl -l file1 | _filter_id
257 echo "Expect to FAIL as MASK prohibits execution"
258 $runas -u $acl2 -g $acl2 ./file1 2>&1
259 chacl u::---,g::---,o::---,u:$acl2:r-x,m::-wx file1 2>&1
260 echo "Expect to FAIL as MASK prohibits execution"
261 $runas -u $acl2 -g $acl2 ./file1 2>&1
263 chacl u::---,g::---,o::---,u:$acl2:r-x,m::r-x file1 2>&1
264 echo "Expect to PASS as MASK allows execution"
265 $runas -u $acl2 -g $acl2 ./file1 2>&1
267 #-------------------------------------------------------
270 echo "--- Test ACE priority ---"
272 chacl o::rwx,g::rwx,u:$acl1:rwx,u::---,m::rwx file1 2>&1
273 echo "Expect to FAIL as should match on owner"
274 $runas -u $acl1 -g $acl2 ./file1 2>&1
276 chacl o::---,g::---,u:$acl2:rwx,u::---,m::rwx file1 2>&1
277 echo "Expect to PASS as should match on user"
278 $runas -u $acl2 -g $acl2 ./file1 2>&1
281 #-------------------------------------------------------
284 echo "=== Test can read ACLs without access permissions ==="
285 # This was a bug in kernel code where syscred wasn't being used
286 # to override the capabilities
287 chacl o::---,g::---,u::--- file1 2>&1
288 chacl -l file1 | _filter_id
290 #-------------------------------------------------------
293 echo "=== Test Default ACLs ==="
295 chacl -b "u::rwx,g::rwx,o::rwx" "u::r-x,g::r--,o::---" ./acldir 2>&1
296 chacl -l acldir | _filter_id
301 chacl -l file2 | _filter_id
304 #-------------------------------------------------------