6 #-----------------------------------------------------------------------
7 # Copyright (c) 2000-2002 Silicon Graphics, Inc. All Rights Reserved.
8 #-----------------------------------------------------------------------
# Exit status handed back by the trap below. It starts at 1, so any early
# exit counts as a failure; presumably a passing run resets it in a part of
# the script that is not visible in this excerpt.
18 status=1 # failure is the default!
# Run _cleanup (defined outside this excerpt) on normal exit (0) and on
# signals 1, 2, 3 and 15 (HUP, INT, QUIT, TERM). The backslash defers the
# expansion of $status until the trap fires, so the value at exit time is
# the one that gets returned, not the value at installation time.
19 trap "_cleanup; exit \$status" 0 1 2 3 15
21 # get standard environment, filters and checks
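# Remove this test's scratch directory under $testdir.
# The expansion is quoted so that a path containing whitespace or glob
# characters cannot turn into extra rm operands, "--" ends option parsing,
# and ${testdir:?} aborts rather than expanding to "/$seq.dir1" should the
# variable ever be empty at this point.
[ -n "$testdir" ] && rm -rf -- "${testdir:?}/$seq.dir1"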
35 # minimal access ACL has ACEs: USER_OBJ, GROUP_OBJ, OTHER_OBJ
36 # This is set with chacl(1) and can be changed by chmod(1).
38 # Test that this is being set for ACL and for std unix permissions
39 # Test that we can get back the same ACL.
40 # Test std permissions for rwx.
43 # Test out default ACLs and that the ACL is being passed
44 # on to the children of the dir.
47 # Test out access check for extended ACLs.
48 # -> 3 extra ACEs: MASK, GROUP, USER
49 # -> the GROUP compares with egid of process _and_ the supplementary
50 # groups (as found in /etc/group)
52 # Test that mask works for USER, GROUP, GROUP_OBJ
53 # Test that the ACE type priority is working
54 # -> this would be done by simultaneously matching on ACEs
55 # -> interesting if it allows user to specify ACEs in any order
58 # real QA test starts here
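# Bail out through _notrun (defined outside this excerpt; presumably marks
# the test as "not run" rather than failed) when a required tool is missing.
[ -x /usr/bin/chacl ] || _notrun "chacl executable not found"
# $runas has to be quoted: if it is empty or unset the unquoted form
# collapses to `[ -x ]`, a one-argument test that is always true, so a
# missing helper would go unnoticed and every access check that relies on
# it would be meaningless.
[ -x "$runas" ] || _notrun "$runas executable not found"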
# Banner lines. NOTE(review): the echoed text is presumably compared with a
# recorded reference output, so the strings must stay exactly as they are —
# confirm against the test harness.
79 echo "QA output created by $seq"
81 echo "=== Test minimal ACE ==="
84 # Note: as this is a shell script,
85 # will need read and execute permission set
86 # in order to execute it.
90 echo "Test was executed"
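# Make $acl1 the owning user and $acl2 the owning group of file1; the
# permission tests that follow depend on this ownership.
# The POSIX "owner:group" separator is used because the legacy "owner.group"
# form is ambiguous when an account name itself contains a dot.
chown "$acl1:$acl2" file1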
99 echo "--- Test get and set of ACL ---"
100 echo "Note: Old interface gave an empty ACL - now output an ACL"
# List the current ACL. _acl_filter_id is defined outside this excerpt;
# presumably it normalises the ids in the listing — confirm.
101 chacl -l file1 | _acl_filter_id
102 echo "Try using single colon separator"
103 echo "Note: Old interface FAILed because of single colon - new one allows it"
# The OTHER entry is written "o:rw-" (one colon) while the other entries use
# two. stderr is merged into stdout so any diagnostic from the ACL parser
# becomes part of the test output.
104 chacl u::r--,g::rwx,o:rw- file1 2>&1
105 echo "Expect to PASS"
# Same ACL with the two-colon spelling "o::rw-", then read it back.
106 chacl u::r--,g::rwx,o::rw- file1 2>&1
107 chacl -l file1 | _acl_filter_id
110 echo "--- Test sync of ACL with std permissions ---"
# The commands between this banner and the listing are not part of this
# excerpt (presumably mode changes — confirm); the listing shows the ACL
# that results from them.
114 chacl -l file1 | _acl_filter_id
117 echo "--- Test owner permissions ---"
# Grant r-x to the owning user only; group and other get nothing.
118 chacl u::r-x,g::---,o::--- file1 2>&1
119 chacl -l file1 | _acl_filter_id
121 echo "Expect to PASS"
# Execute file1 as $acl1, the owner set by the chown earlier in the script.
# $runas is an external helper; -u/-g presumably select the uid and gid the
# command runs under — confirm.
122 $runas -u $acl1 -g $acl1 ./file1 2>&1
123 echo "Expect to FAIL"
# $acl2 is not the owner, and neither the group nor the other entry grants
# anything, so execution must be denied.
124 $runas -u $acl2 -g $acl2 ./file1 2>&1
127 echo "--- Test group permissions ---"
# Grant r-x to the owning group only.
128 chacl u::---,g::r-x,o::--- file1 2>&1
129 chacl -l file1 | _acl_filter_id
130 echo "Expect to FAIL - acl1 is owner"
# The owner entry (u::---) is the one that applies to $acl1, so the group
# entry is never consulted for the owner.
131 $runas -u $acl1 -g $acl1 ./file1 2>&1
132 echo "Expect to PASS - acl2 matches group"
133 $runas -u $acl2 -g $acl2 ./file1 2>&1
134 echo "Expect to PASS - acl2 matches sup group"
# Primary gid is $acl3; $acl2 is passed with -s, which per the message above
# is the supplementary group. A match through a supplementary group has to
# count the same as a match on the primary gid.
135 $runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
136 echo "Expect to FAIL - acl3 is not in group"
137 $runas -u $acl3 -g $acl3 ./file1 2>&1
140 echo "--- Test other permissions ---"
# Grant r-x to "other" only. The access check uses the first class that
# matches the caller (owner, then group, then other) and does not fall
# through to a more permissive later entry, so the owner and every member
# of the owning group must be denied even though "other" allows r-x.
141 chacl u::---,g::---,o::r-x file1 2>&1
142 chacl -l file1 | _acl_filter_id
143 echo "Expect to FAIL - acl1 is owner"
144 $runas -u $acl1 -g $acl1 ./file1 2>&1
145 echo "Expect to FAIL - acl2 is in group"
146 $runas -u $acl2 -g $acl2 ./file1 2>&1
147 echo "Expect to FAIL - acl2 is in sup. group"
# Same denial when the owning group is only a supplementary group (-s).
148 $runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
149 echo "Expect to PASS - acl3 is not owner or in group"
150 $runas -u $acl3 -g $acl3 ./file1 2>&1
152 #-------------------------------------------------------
155 echo "=== Test Extended ACLs ==="
158 echo "--- Test adding a USER ACE ---"
159 echo "Expect to FAIL as no MASK provided"
# An ACL with a named-user entry (u:$acl2:r-x) but no mask entry is expected
# to be rejected. The diagnostic goes through _acl_filter_id as well,
# presumably because it can contain the account id — confirm.
160 chacl u::---,g::---,o::---,u:$acl2:r-x file1 2>&1 | _acl_filter_id
161 echo "Ensure that ACL has not been changed"
# A rejected update must leave the previous ACL fully intact.
162 chacl -l file1 | _acl_filter_id
163 echo "Expect to PASS - USER ACE matches user"
# Same ACL with a permissive mask (m::rwx), so the named-user entry is
# effective as written.
164 chacl u::---,g::---,o::---,u:$acl2:r-x,m::rwx file1 2>&1
165 chacl -l file1 | _acl_filter_id
166 $runas -u $acl2 -g $acl2 ./file1 2>&1
167 echo "Expect to FAIL - USER ACE does not match user"
# $acl3 has no named entry and is neither owner nor in the owning group, so
# it falls to o::--- and is denied.
168 $runas -u $acl3 -g $acl3 ./file1 2>&1
171 echo "--- Test adding a GROUP ACE ---"
172 echo "Expect to FAIL as no MASK provided"
# Named-group entry (g:$acl2:r-x) without a mask entry: expected to be
# rejected, like the named-user case.
173 chacl u::---,g::---,o::---,g:$acl2:r-x file1 2>&1 | _acl_filter_id
174 echo "Ensure that ACL has not been changed"
175 chacl -l file1 | _acl_filter_id
# Retry with a permissive mask so the named-group entry takes effect.
176 chacl u::---,g::---,o::---,g:$acl2:r-x,m::rwx file1 2>&1
177 chacl -l file1 | _acl_filter_id
178 echo "Expect to PASS - GROUP ACE matches group"
179 $runas -u $acl2 -g $acl2 ./file1 2>&1
180 echo "Expect to PASS - GROUP ACE matches sup group"
# Primary gid is $acl1; group $acl2 is supplied only as a supplementary
# group (-s) and must still match the named-group entry.
181 $runas -u $acl2 -g $acl1 -s $acl2 ./file1 2>&1
182 echo "Expect to FAIL - GROUP ACE does not match group"
183 $runas -u $acl3 -g $acl3 ./file1 2>&1
185 #-------------------------------------------------------
188 echo "--- Test MASK ---"
# The mask caps what named-user and named-group entries can grant: the
# effective permission is the entry ANDed with the mask. r-x under a mask
# of -w- leaves nothing, so execution is denied.
# NOTE(review): the header comment also mentions GROUP_OBJ under the mask;
# no such case is visible in this excerpt — confirm it is covered.
191 chacl u::---,g::---,o::---,g:$acl2:r-x,m::-w- file1 2>&1
192 chacl -l file1 | _acl_filter_id
193 echo "Expect to FAIL as MASK prohibits execution"
194 $runas -u $acl2 -g $acl2 ./file1 2>&1
# Same restrictive mask, this time against a named-user entry.
197 chacl u::---,g::---,o::---,u:$acl2:r-x,m::-w- file1 2>&1
198 echo "Expect to FAIL as MASK prohibits execution"
199 $runas -u $acl2 -g $acl2 ./file1 2>&1
# A mask of r-x lets the named-user entry through unchanged.
202 chacl u::---,g::---,o::---,u:$acl2:r-x,m::r-x file1 2>&1
203 echo "Expect to PASS as MASK allows execution"
204 $runas -u $acl2 -g $acl2 ./file1 2>&1
206 #-------------------------------------------------------
209 echo "--- Test ACE priority ---"
# Entries are deliberately given out of their usual order. $acl1 is the
# file owner, so the owner entry u::--- must win over the named-user entry
# u:$acl1:rwx and over the permissive group/other entries.
211 chacl o::rwx,g::rwx,u:$acl1:rwx,u::---,m::rwx file1 2>&1
212 echo "Expect to FAIL as should match on owner"
213 $runas -u $acl1 -g $acl2 ./file1 2>&1
# $acl2 is not the owner; the named-user entry u:$acl2:rwx must be matched
# before the owning-group entry g::---, even though $acl2 is also the
# owning group.
215 chacl o::---,g::---,u:$acl2:rwx,u::---,m::rwx file1 2>&1
216 echo "Expect to PASS as should match on user"
217 $runas -u $acl2 -g $acl2 ./file1 2>&1
220 #-------------------------------------------------------
223 echo "=== Test can read ACLs without access permissions ==="
224 # This was a bug in kernel code where syscred wasn't being used
225 # to override the capabilities
# Strip every permission bit from the ACL, then check that the ACL can still
# be listed. This is a regression check for the kernel bug described in the
# existing comment above.
226 chacl o::---,g::---,u::--- file1 2>&1
227 chacl -l file1 | _acl_filter_id
229 #-------------------------------------------------------
232 echo "=== Test Default ACLs ==="
233 # make test clearer by testing with and without umask
# chacl -b sets two ACLs at once: the first argument is the access ACL of
# acldir, the second its default ACL, which new children are meant to
# inherit (see the header comment of this test).
237 chacl -b "u::rwx,g::rwx,o::rwx" "u::r-x,g::r--,o::---" acldir 2>&1
238 chacl -l acldir | _acl_filter_id
# file2 and file3 are created by lines that are not part of this excerpt;
# presumably inside acldir, once with each umask setting — confirm.
243 chacl -l file2 | _acl_filter_id
245 #ensure that umask is not having an effect
250 chacl -l file3 | _acl_filter_id
256 #-------------------------------------------------------
259 echo "=== Removing ACLs ==="
# Record the ACLs before removal so that the before/after listings can be
# compared in the output.
260 chacl -l file1 | _acl_filter_id
261 chacl -l acldir | _acl_filter_id
262 chacl -l acldir/file2 | _acl_filter_id
263 echo "Remove ACLs..."
# chacl -R removes the access ACL of the named file. Only the removal for
# acldir/file2 is visible here; the commands for file1 and acldir are
# presumably on lines missing from this excerpt — confirm.
266 chacl -R acldir/file2
267 echo "Note: Old interface would mean empty ACLs - now we show mode ACLs"
268 chacl -l file1 | _acl_filter_id
269 chacl -l acldir | _acl_filter_id
270 chacl -l acldir/file2 | _acl_filter_id
273 #-------------------------------------------------------
276 echo "=== Recursive change ACL ==="
# Enter the directory "root" with the bash builtin pushd, discarding the
# directory-stack line it prints. The matching popd is not visible in this
# excerpt.
279 pushd root >/dev/null
280 # create an arbitrary little tree
281 for i in 1 2 3 4 5 6 7 8 9 0
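# Hand the whole tree to an unprivileged uid/gid pair so that the recursive
# chacl below runs as the owner of the files rather than as a privileged
# user. "owner:group" is the POSIX separator; the dotted form is a legacy
# extension.
chown -R 12345:54321 root

# First pass: set an access ACL on every entry in the tree (chacl -r) while
# running as the unprivileged owner, then list the result.
# `command -v` is a shell builtin and replaces the external `which`; the
# substitution is quoted so that a failed lookup cannot silently shift the
# remaining arguments.
# NOTE(review): the binary is resolved through PATH here, whereas the
# prerequisite check at the top of the test looks at /usr/bin/chacl — confirm
# both refer to the same file.
"$runas" -u 12345 -g 54321 -- "$(command -v chacl)" -r u::rwx,g::-w-,o::--x root
# find invokes chacl directly, so path names are never re-split by xargs.
find root -exec chacl -l {} +

# Second pass: strip every permission recursively and list again.
"$runas" -u 12345 -g 54321 -- "$(command -v chacl)" -r u::---,g::---,o::--- root
find root -exec chacl -l {} +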
297 #-------------------------------------------------------
300 echo "=== Test out error messages for ACL text parsing ==="
301 echo "Note: Old interface gave more informative error msgs"
# Malformed or unresolvable ACL text; going by the banner above, each of
# these is expected to be rejected with a parse error and to leave the ACL
# of file1 unchanged.
# Named user that should not exist, without and with a trailing colon; no
# permission field in either case.
307 chacl u:rumpledumpleunknownuser file1
308 chacl u:rumpledumpleunknownuser: file1
# Same two shapes for a named group that should not exist.
309 chacl g:rumpledumpleunknowngrp file1
310 chacl g:rumpledumpleunknowngrp: file1
# OTHER and MASK entries written with a qualifier (user1); every other
# "o" and "m" entry in this test has an empty qualifier field.
311 chacl o:user1:rwx file1
312 chacl m:user1:rwx file1
316 #-------------------------------------------------------
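echo "=== Test out large ACLs ==="
# Entry count treated as the XFS per-ACL maximum by the boundary tests that
# follow (one below, at, and one above this value).
XFS_ACL_MAX_ENTRIES=25
# Shell arithmetic replaces the two `expr` forks; the results are the same.
num_aces_pre=$((XFS_ACL_MAX_ENTRIES - 1))
num_aces_post=$((XFS_ACL_MAX_ENTRIES + 1))

# NOTE: acl1..acl3 are reused from here on. Earlier in the script they name
# the accounts passed to $runas and chacl; below they hold ACL text produced
# by _create_n_aces (defined outside this excerpt), so no identity-based
# check may be added after this point without restoring them.
acl1=$(_create_n_aces "$num_aces_pre")
acl2=$(_create_n_aces "$XFS_ACL_MAX_ENTRIES")
acl3=$(_create_n_aces "$num_aces_post")
acl4=$(_create_n_aces 16) # Andreas G. libacl size for initial get
acl5=$(_create_n_aces 17) # 1 over A.G. libacl initial size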
331 echo "1 below xfs acl max"
# Apply each generated ACL to largeaclfile and read it back with getfacl.
# _filter_aces is defined outside this excerpt.
# NOTE(review): $acl1..$acl5 are expanded unquoted; that is only safe if
# _create_n_aces emits one word with no whitespace or glob characters —
# confirm.
332 chacl $acl1 largeaclfile
333 getfacl largeaclfile | _filter_aces
# $acl2 holds exactly XFS_ACL_MAX_ENTRIES entries.
336 chacl $acl2 largeaclfile
337 getfacl largeaclfile | _filter_aces
339 echo "1 above xfs acl max"
# One entry over the limit. stderr is not redirected on this line, so a
# rejection message would not go through the pipeline below; the getfacl
# listing shows which ACL is actually in place afterwards.
340 chacl $acl3 largeaclfile
341 getfacl largeaclfile | _filter_aces
# 16 and 17 entries: at and one past the initial libacl buffer size named
# in the comments where acl4 and acl5 are assigned.
344 chacl $acl4 largeaclfile
345 getfacl largeaclfile | _filter_aces
348 chacl $acl5 largeaclfile
349 getfacl largeaclfile | _filter_aces
351 #-------------------------------------------------------