Filter Electric Fence spam.

[xfstests-dev.git] / 051

#! /bin/sh
# XFS QA Test No. 051
# $Id: 1.1 $
#
# Test out ACLs.
#
#-----------------------------------------------------------------------
# Copyright (c) 2000 Silicon Graphics, Inc.  All Rights Reserved.
# 
# This program is free software; you can redistribute it and/or modify it
# under the terms of version 2 of the GNU General Public License as
# published by the Free Software Foundation.
# 
# This program is distributed in the hope that it would be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# 
# Further, this software is distributed without any warranty that it is
# free of the rightful claim of any third person regarding infringement
# or the like.  Any license provided herein, whether implied or
# otherwise, applies only to this software file.  Patent licenses, if
# any, provided herein do not apply to combinations of this program with
# other software, or any other product whatsoever.
# 
# You should have received a copy of the GNU General Public License along
# with this program; if not, write the Free Software Foundation, Inc., 59
# Temple Place - Suite 330, Boston MA 02111-1307, USA.
# 
# Contact information: Silicon Graphics, Inc., 1600 Amphitheatre Pkwy,
# Mountain View, CA  94043, or:
# 
# http://www.sgi.com 
# 
# For further information regarding this notice, see: 
# 
# http://oss.sgi.com/projects/GenInfo/SGIGPLNoticeExplan/
#-----------------------------------------------------------------------
#
# creator
owner=tes@sgi.com

seq=`basename $0`

here=`pwd`
tmp=/tmp/$$
runas=$here/src/runas
status=1        # FAILure is the default!
trap "_cleanup; exit \$status" 0 1 2 3 15

# get standard environment, filters and checks
. ./common.rc
. ./common.filter

_cleanup()
{
    rm -f $tmp.*
    rm -rf $TEST_DIR/$seq.dir1
}

_ls()
{
    ls -ln $* | awk '{ print $1, $3, $4, $NF }'
} 

# -----
# minimal access ACL has ACEs: USER_OBJ, GROUP_OBJ, OTHER_OBJ
# This is set with chacl(1) and can be changed by chmod(1).
#
# Test that this is being set for ACL and for std unix permissions
# Test that we can get back the same ACL.
# Test std permissions for rwx.
# -----
#
# Test out default ACLs and that the ACL is being PASSed
# onto the children of the dir.
#
# -----
# Test out access check for extended ACLs.
# -> 3 extra ACEs: MASK, GROUP, USER
# -> the GROUP compares with egid of process _and_ the supplementary
#    groups (as found in /etc/group)
#
# Test that mask works for USER, GROUP, GROUP_OBJ
# Test that the ACE type priority is working
#   -> this would be done by simultaneously matching on ACEs
#   -> interesting if it allows user to specify ACEs in any order
#
_need_to_be_root

rm -f $seq.full

acl1=1001;acl2=1002;acl3=1003

[ -x /bin/chacl ] || _notrun "chacl command not found"
[ -x $runas ] || _notrun "$runas executable not found"

# get dir
cd $TEST_DIR
rm -rf $seq.dir1
mkdir $seq.dir1
cd $seq.dir1

# test if acl_get syscall is operational
# and hence the ACL config has been turned on  
touch syscalltest
if chacl -l syscalltest 2>&1 | tee -a $here/$seq.full | grep 'Function not implemented' >/dev/null
then
  cd $here
  _notrun "requires kernel ACL support"
fi

#-------------------------------------------------------
# real QA test starts here
echo "QA output created by $seq"

echo ""
echo "=== Test minimal ACE ==="

echo "Setup file"
touch file1
cat <<EOF >file1
#!/bin/sh
echo "Test was executed"
EOF
chmod u=rwx file1
chmod g=rw- file1
chmod o=r-- file1
chown $acl1.$acl2 file1
_ls file1

echo ""
echo "--- Test get and set of ACL ---"
chacl -l file1
echo "Expect to FAIL" 
chacl u::r--,g::rwx,o:rw- file1 2>&1
echo "Expect to PASS" 
chacl u::r--,g::rwx,o::rw- file1 2>&1
chacl -l file1

echo ""
echo "--- Test sync of ACL with std permissions ---"
_ls file1
chmod u+w file1
_ls file1
chacl -l file1

echo ""
echo "--- Test owner permissions ---"
chacl u::r-x,g::---,o::--- file1 2>&1
chacl -l file1
# change to owner
echo "Expect to PASS" 
$runas -u $acl1 -g $acl1 ./file1 2>&1
echo "Expect to FAIL" 
$runas -u $acl2 -g $acl2 ./file1 2>&1

echo ""
echo "--- Test group permissions ---"
chacl u::---,g::r-x,o::--- file1 2>&1
chacl -l file1
echo "Expect to FAIL - acl1 is owner" 
$runas -u $acl1 -g $acl1 ./file1 2>&1
echo "Expect to PASS - acl2 matches group" 
$runas -u $acl2 -g $acl2 ./file1 2>&1
echo "Expect to PASS - acl2 matches sup group" 
$runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
echo "Expect to FAIL - acl3 is not in group" 
$runas -u $acl3 -g $acl3 ./file1 2>&1

echo ""
echo "--- Test other permissions ---"
chacl u::---,g::---,o::r-x file1 2>&1
chacl -l file1
echo "Expect to FAIL - acl1 is owner" 
$runas -u $acl1 -g $acl1 ./file1 2>&1
echo "Expect to FAIL - acl2 is in group" 
$runas -u $acl2 -g $acl2 ./file1 2>&1
echo "Expect to FAIL - acl2 is in sup. group" 
$runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
echo "Expect to PASS - acl3 is not owner or in group" 
$runas -u $acl3 -g $acl3 ./file1 2>&1

#-------------------------------------------------------

echo ""
echo "=== Test Extended ACLs ==="

echo ""
echo "--- Test adding a USER ACE ---"
echo "Expect to FAIL as no MASK provided"
chacl u::---,g::---,o::---,u:$acl2:r-x file1 2>&1
echo "Ensure that ACL has not been changed"
chacl -l file1
echo "Expect to PASS - USER ACE matches user"
chacl u::---,g::---,o::---,u:$acl2:r-x,m::rwx file1 2>&1
chacl -l file1
$runas -u $acl2 -g $acl2 ./file1 2>&1
echo "Expect to FAIL - USER ACE does not match user"
$runas -u $acl3 -g $acl3 ./file1 2>&1

echo ""
echo "--- Test adding a GROUP ACE ---"
echo "Expect to FAIL as no MASK provided"
chacl u::---,g::---,o::---,g:$acl2:r-x file1 2>&1
echo "Ensure that ACL has not been changed"
chacl -l file1
chacl u::---,g::---,o::---,g:$acl2:r-x,m::rwx file1 2>&1
chacl -l file1
echo "Expect to PASS - GROUP ACE matches group"
$runas -u $acl2 -g $acl2 ./file1 2>&1
echo "Expect to PASS - GROUP ACE matches sup group"
$runas -u $acl2 -g $acl1 -s $acl2 ./file1 2>&1
echo "Expect to FAIL - GROUP ACE does not match group"
$runas -u $acl3 -g $acl3 ./file1 2>&1

#-------------------------------------------------------

echo ""
echo "--- Test MASK ---"
chacl u::---,g::---,o::---,g:$acl2:r-x,m::-wx file1 2>&1
chacl -l file1
echo "Expect to FAIL as MASK prohibits execution"
$runas -u $acl2 -g $acl2 ./file1 2>&1
chacl u::---,g::---,o::---,u:$acl2:r-x,m::-wx file1 2>&1
echo "Expect to FAIL as MASK prohibits execution"
$runas -u $acl2 -g $acl2 ./file1 2>&1

chacl u::---,g::---,o::---,u:$acl2:r-x,m::r-x file1 2>&1
echo "Expect to PASS as MASK allows execution"
$runas -u $acl2 -g $acl2 ./file1 2>&1

#-------------------------------------------------------

echo ""
echo "--- Test ACE priority ---"

chacl o::rwx,g::rwx,u:$acl1:rwx,u::---,m::rwx file1 2>&1
echo "Expect to FAIL as should match on owner"
$runas -u $acl1 -g $acl2 ./file1 2>&1

chacl o::---,g::---,u:$acl2:rwx,u::---,m::rwx file1 2>&1
echo "Expect to PASS as should match on user"
$runas -u $acl2 -g $acl2 ./file1 2>&1


#-------------------------------------------------------

echo ""
echo "=== Test can read ACLs without access permissions ==="
# This was a bug in kernel code where syscred wasn't being used
# to override the capabilities
chacl o::---,g::---,u::--- file1 2>&1
chacl -l ./file1


#-------------------------------------------------------

echo ""
echo "=== Test Default ACLs ==="
mkdir acldir
chacl -b "u::rwx,g::rwx,o::rwx" "u::r-x,g::r--,o::---" ./acldir 2>&1
chacl -l ./acldir

cd acldir
touch file2
_ls file2
chacl -l ./file2
cd ..

#-------------------------------------------------------

# success, all done
status=0
exit