7 #-----------------------------------------------------------------------
8 # Copyright (c) 2000 Silicon Graphics, Inc. All Rights Reserved.
10 # This program is free software; you can redistribute it and/or modify it
11 # under the terms of version 2 of the GNU General Public License as
12 # published by the Free Software Foundation.
14 # This program is distributed in the hope that it would be useful, but
15 # WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
18 # Further, this software is distributed without any warranty that it is
19 # free of the rightful claim of any third person regarding infringement
20 # or the like. Any license provided herein, whether implied or
21 # otherwise, applies only to this software file. Patent licenses, if
22 # any, provided herein do not apply to combinations of this program with
23 # other software, or any other product whatsoever.
25 # You should have received a copy of the GNU General Public License along
26 # with this program; if not, write the Free Software Foundation, Inc., 59
27 # Temple Place - Suite 330, Boston MA 02111-1307, USA.
29 # Contact information: Silicon Graphics, Inc., 1600 Amphitheatre Pkwy,
30 # Mountain View, CA 94043, or:
34 # For further information regarding this notice, see:
36 # http://oss.sgi.com/projects/GenInfo/SGIGPLNoticeExplan/
37 #-----------------------------------------------------------------------
47 status=1 # FAILure is the default!
48 trap "_cleanup; exit \$status" 0 1 2 3 15
50 # get standard environment, filters and checks
58 rm -rf $TEST_DIR/$seq.dir1
62 # minimal access ACL has ACEs: USER_OBJ, GROUP_OBJ, OTHER_OBJ
63 # This is set with chacl(1) and can be changed by chmod(1).
65 # Test that this is being set for ACL and for std unix permissions
66 # Test that we can get back the same ACL.
67 # Test std permissions for rwx.
70 # Test out default ACLs and that the ACL is being PASSed
71 # onto the children of the dir.
74 # Test out access check for extended ACLs.
75 # -> 3 extra ACEs: MASK, GROUP, USER
76 # -> the GROUP compares with egid of process _and_ the supplementary
77 # groups (as found in /etc/group)
79 # Test that mask works for USER, GROUP, GROUP_OBJ
80 # Test that the ACE type priority is working
81 # -> this would be done by simultaneously matching on ACEs
82 # -> interesting if it allows user to specify ACEs in any order
89 [ ! -x /bin/chacl -a ! -x /usr/bin/chacl ] && _notrun "chacl command not found"
90 [ -x $runas ] || _notrun "$runas executable not found"
98 # test if acl_get syscall is operational
99 # and hence the ACL config has been turned on
101 if chacl -l syscalltest 2>&1 | tee -a $here/$seq.full | grep 'Function not implemented' >/dev/null
104 _notrun "requires kernel ACL support"
107 #-------------------------------------------------------
108 # real QA test starts here
109 echo "QA output created by $seq"
112 echo "=== Test minimal ACE ==="
115 # Note: as this is a shell script,
116 # will need read and execute permission set
117 # in order to execute it.
121 echo "Test was executed"
126 chown $acl1.$acl2 file1
130 echo "--- Test get and set of ACL ---"
131 echo "Note: Old interface gave an empty ACL - now output an ACL"
132 chacl -l file1 | _acl_filter_id
133 echo "Try using single colon separator"
134 echo "Note: Old interface FAILed because of single colon - new one allows it"
135 chacl u::r--,g::rwx,o:rw- file1 2>&1
136 echo "Expect to PASS"
137 chacl u::r--,g::rwx,o::rw- file1 2>&1
138 chacl -l file1 | _acl_filter_id
141 echo "--- Test sync of ACL with std permissions ---"
145 chacl -l file1 | _acl_filter_id
148 echo "--- Test owner permissions ---"
149 chacl u::r-x,g::---,o::--- file1 2>&1
150 chacl -l file1 | _acl_filter_id
152 echo "Expect to PASS"
153 $runas -u $acl1 -g $acl1 ./file1 2>&1
154 echo "Expect to FAIL"
155 $runas -u $acl2 -g $acl2 ./file1 2>&1
158 echo "--- Test group permissions ---"
159 chacl u::---,g::r-x,o::--- file1 2>&1
160 chacl -l file1 | _acl_filter_id
161 echo "Expect to FAIL - acl1 is owner"
162 $runas -u $acl1 -g $acl1 ./file1 2>&1
163 echo "Expect to PASS - acl2 matches group"
164 $runas -u $acl2 -g $acl2 ./file1 2>&1
165 echo "Expect to PASS - acl2 matches sup group"
166 $runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
167 echo "Expect to FAIL - acl3 is not in group"
168 $runas -u $acl3 -g $acl3 ./file1 2>&1
171 echo "--- Test other permissions ---"
172 chacl u::---,g::---,o::r-x file1 2>&1
173 chacl -l file1 | _acl_filter_id
174 echo "Expect to FAIL - acl1 is owner"
175 $runas -u $acl1 -g $acl1 ./file1 2>&1
176 echo "Expect to FAIL - acl2 is in group"
177 $runas -u $acl2 -g $acl2 ./file1 2>&1
178 echo "Expect to FAIL - acl2 is in sup. group"
179 $runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
180 echo "Expect to PASS - acl3 is not owner or in group"
181 $runas -u $acl3 -g $acl3 ./file1 2>&1
183 #-------------------------------------------------------
186 echo "=== Test Extended ACLs ==="
189 echo "--- Test adding a USER ACE ---"
190 echo "Expect to FAIL as no MASK provided"
191 chacl u::---,g::---,o::---,u:$acl2:r-x file1 2>&1 | _acl_filter_id
192 echo "Ensure that ACL has not been changed"
193 chacl -l file1 | _acl_filter_id
194 echo "Expect to PASS - USER ACE matches user"
195 chacl u::---,g::---,o::---,u:$acl2:r-x,m::rwx file1 2>&1
196 chacl -l file1 | _acl_filter_id
197 $runas -u $acl2 -g $acl2 ./file1 2>&1
198 echo "Expect to FAIL - USER ACE does not match user"
199 $runas -u $acl3 -g $acl3 ./file1 2>&1
202 echo "--- Test adding a GROUP ACE ---"
203 echo "Expect to FAIL as no MASK provided"
204 chacl u::---,g::---,o::---,g:$acl2:r-x file1 2>&1 | _acl_filter_id
205 echo "Ensure that ACL has not been changed"
206 chacl -l file1 | _acl_filter_id
207 chacl u::---,g::---,o::---,g:$acl2:r-x,m::rwx file1 2>&1
208 chacl -l file1 | _acl_filter_id
209 echo "Expect to PASS - GROUP ACE matches group"
210 $runas -u $acl2 -g $acl2 ./file1 2>&1
211 echo "Expect to PASS - GROUP ACE matches sup group"
212 $runas -u $acl2 -g $acl1 -s $acl2 ./file1 2>&1
213 echo "Expect to FAIL - GROUP ACE does not match group"
214 $runas -u $acl3 -g $acl3 ./file1 2>&1
216 #-------------------------------------------------------
219 echo "--- Test MASK ---"
222 chacl u::---,g::---,o::---,g:$acl2:r-x,m::-w- file1 2>&1
223 chacl -l file1 | _acl_filter_id
224 echo "Expect to FAIL as MASK prohibits execution"
225 $runas -u $acl2 -g $acl2 ./file1 2>&1
228 chacl u::---,g::---,o::---,u:$acl2:r-x,m::-w- file1 2>&1
229 echo "Expect to FAIL as MASK prohibits execution"
230 $runas -u $acl2 -g $acl2 ./file1 2>&1
233 chacl u::---,g::---,o::---,u:$acl2:r-x,m::r-x file1 2>&1
234 echo "Expect to PASS as MASK allows execution"
235 $runas -u $acl2 -g $acl2 ./file1 2>&1
237 #-------------------------------------------------------
240 echo "--- Test ACE priority ---"
242 chacl o::rwx,g::rwx,u:$acl1:rwx,u::---,m::rwx file1 2>&1
243 echo "Expect to FAIL as should match on owner"
244 $runas -u $acl1 -g $acl2 ./file1 2>&1
246 chacl o::---,g::---,u:$acl2:rwx,u::---,m::rwx file1 2>&1
247 echo "Expect to PASS as should match on user"
248 $runas -u $acl2 -g $acl2 ./file1 2>&1
251 #-------------------------------------------------------
254 echo "=== Test can read ACLs without access permissions ==="
255 # This was a bug in kernel code where syscred wasn't being used
256 # to override the capabilities
257 chacl o::---,g::---,u::--- file1 2>&1
258 chacl -l file1 | _acl_filter_id
260 #-------------------------------------------------------
263 echo "=== Test Default ACLs ==="
264 # make test clearer by testing with and without umask
268 chacl -b "u::rwx,g::rwx,o::rwx" "u::r-x,g::r--,o::---" acldir 2>&1
269 chacl -l acldir | _acl_filter_id
274 chacl -l file2 | _acl_filter_id
276 #ensure that umask is not having an effect
281 chacl -l file3 | _acl_filter_id
287 #-------------------------------------------------------
290 echo "=== Removing ACLs ==="
291 chacl -l file1 | _acl_filter_id
292 chacl -l acldir | _acl_filter_id
293 chacl -l acldir/file2 | _acl_filter_id
294 echo "Remove ACLs..."
297 chacl -R acldir/file2
298 echo "Note: Old interface would mean empty ACLs - now we show mode ACLs"
299 chacl -l file1 | _acl_filter_id
300 chacl -l acldir | _acl_filter_id
301 chacl -l acldir/file2 | _acl_filter_id
304 #-------------------------------------------------------
307 echo "=== Recursive change ACL ==="
310 pushd root >/dev/null
311 # create an arbitrary little tree
312 for i in 1 2 3 4 5 6 7 8 9 0
319 chown -R 12345.54321 root
321 $runas -u 12345 -g 54321 -- `which chacl` -r u::rwx,g::-w-,o::--x root
322 find root -print | xargs chacl -l
324 $runas -u 12345 -g 54321 -- `which chacl` -r u::---,g::---,o::--- root
325 find root -print | xargs chacl -l
328 #-------------------------------------------------------
331 echo "=== Test out error messages for ACL text parsing ==="
332 echo "Note: Old interface gave more informative error msgs"
338 chacl u:rumpledumpleunknownuser file1
339 chacl u:rumpledumpleunknownuser: file1
340 chacl g:rumpledumpleunknowngrp file1
341 chacl g:rumpledumpleunknowngrp: file1
342 chacl o:user1:rwx file1
343 chacl m:user1:rwx file1
350 #-------------------------------------------------------