2 # SPDX-License-Identifier: GPL-2.0
3 # Copyright (c) 2000-2002 Silicon Graphics, Inc. All Rights Reserved.
11 seqres=$RESULT_DIR/$seq
15 status=1 # FAILure is the default!
16 trap "_cleanup; exit \$status" 0 1 2 3 15
18 # get standard environment, filters and checks
27 [ -n "$TEST_DIR" ] && rm -rf $TEST_DIR/$seq.dir1
31 # minimal access ACL has ACEs: USER_OBJ, GROUP_OBJ, OTHER_OBJ
32 # This is set with chacl(1) and can be changed by chmod(1).
34 # Test that this is being set for ACL and for std unix permissions
35 # Test that we can get back the same ACL.
36 # Test std permissions for rwx.
39 # Test out default ACLs and that the ACL is being PASSed
40 # onto the children of the dir.
43 # Test out access check for extended ACLs.
44 # -> 3 extra ACEs: MASK, GROUP, USER
45 # -> the GROUP compares with egid of process _and_ the supplementary
46 # groups (as found in /etc/group)
48 # Test that mask works for USER, GROUP, GROUP_OBJ
49 # Test that the ACE type priority is working
50 # -> this would be done by simultaneously matching on ACEs
51 # -> interesting if it allows user to specify ACEs in any order
54 # real QA test starts here
70 echo "QA output created by $seq"
72 echo "=== Test minimal ACE ==="
75 # Note: as this is a shell script,
76 # will need read and execute permission set
77 # in order to execute it.
80 echo "Test was executed"
85 chown $acl1.$acl2 file1
89 echo "--- Test get and set of ACL ---"
90 echo "Note: Old interface gave an empty ACL - now output an ACL"
91 chacl -l file1 | _acl_filter_id
92 echo "Try using single colon separator"
93 echo "Note: Old interface FAILed because of single colon - new one allows it"
94 chacl u::r--,g::rwx,o:rw- file1 2>&1
96 chacl u::r--,g::rwx,o::rw- file1 2>&1
97 chacl -l file1 | _acl_filter_id
100 echo "--- Test sync of ACL with std permissions ---"
104 chacl -l file1 | _acl_filter_id
107 echo "--- Test owner permissions ---"
108 chacl u::r-x,g::---,o::--- file1 2>&1
109 chacl -l file1 | _acl_filter_id
111 echo "Expect to PASS"
112 _runas -u $acl1 -g $acl1 ./file1 2>&1
113 echo "Expect to FAIL"
114 _runas -u $acl2 -g $acl2 ./file1 2>&1
117 echo "--- Test group permissions ---"
118 chacl u::---,g::r-x,o::--- file1 2>&1
119 chacl -l file1 | _acl_filter_id
120 echo "Expect to FAIL - acl1 is owner"
121 _runas -u $acl1 -g $acl1 ./file1 2>&1
122 echo "Expect to PASS - acl2 matches group"
123 _runas -u $acl2 -g $acl2 ./file1 2>&1
124 echo "Expect to PASS - acl2 matches sup group"
125 _runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
126 echo "Expect to FAIL - acl3 is not in group"
127 _runas -u $acl3 -g $acl3 ./file1 2>&1
130 echo "--- Test other permissions ---"
131 chacl u::---,g::---,o::r-x file1 2>&1
132 chacl -l file1 | _acl_filter_id
133 echo "Expect to FAIL - acl1 is owner"
134 _runas -u $acl1 -g $acl1 ./file1 2>&1
135 echo "Expect to FAIL - acl2 is in group"
136 _runas -u $acl2 -g $acl2 ./file1 2>&1
137 echo "Expect to FAIL - acl2 is in sup. group"
138 _runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
139 echo "Expect to PASS - acl3 is not owner or in group"
140 _runas -u $acl3 -g $acl3 ./file1 2>&1
142 #-------------------------------------------------------
145 echo "=== Test Extended ACLs ==="
148 echo "--- Test adding a USER ACE ---"
149 echo "Expect to FAIL as no MASK provided"
150 chacl u::---,g::---,o::---,u:$acl2:r-x file1 2>&1 | _acl_filter_id
151 echo "Ensure that ACL has not been changed"
152 chacl -l file1 | _acl_filter_id
153 echo "Expect to PASS - USER ACE matches user"
154 chacl u::---,g::---,o::---,u:$acl2:r-x,m::rwx file1 2>&1
155 chacl -l file1 | _acl_filter_id
156 _runas -u $acl2 -g $acl2 ./file1 2>&1
157 echo "Expect to FAIL - USER ACE does not match user"
158 _runas -u $acl3 -g $acl3 ./file1 2>&1
161 echo "--- Test adding a GROUP ACE ---"
162 echo "Expect to FAIL as no MASK provided"
163 chacl u::---,g::---,o::---,g:$acl2:r-x file1 2>&1 | _acl_filter_id
164 echo "Ensure that ACL has not been changed"
165 chacl -l file1 | _acl_filter_id
166 chacl u::---,g::---,o::---,g:$acl2:r-x,m::rwx file1 2>&1
167 chacl -l file1 | _acl_filter_id
168 echo "Expect to PASS - GROUP ACE matches group"
169 _runas -u $acl2 -g $acl2 ./file1 2>&1
170 echo "Expect to PASS - GROUP ACE matches sup group"
171 _runas -u $acl2 -g $acl1 -s $acl2 ./file1 2>&1
172 echo "Expect to FAIL - GROUP ACE does not match group"
173 _runas -u $acl3 -g $acl3 ./file1 2>&1
175 #-------------------------------------------------------
178 echo "--- Test MASK ---"
181 chacl u::---,g::---,o::---,g:$acl2:r-x,m::-w- file1 2>&1
182 chacl -l file1 | _acl_filter_id
183 echo "Expect to FAIL as MASK prohibits execution"
184 _runas -u $acl2 -g $acl2 ./file1 2>&1
187 chacl u::---,g::---,o::---,u:$acl2:r-x,m::-w- file1 2>&1
188 echo "Expect to FAIL as MASK prohibits execution"
189 _runas -u $acl2 -g $acl2 ./file1 2>&1
192 chacl u::---,g::---,o::---,u:$acl2:r-x,m::r-x file1 2>&1
193 echo "Expect to PASS as MASK allows execution"
194 _runas -u $acl2 -g $acl2 ./file1 2>&1
196 #-------------------------------------------------------
199 echo "--- Test ACE priority ---"
201 chacl o::rwx,g::rwx,u:$acl1:rwx,u::---,m::rwx file1 2>&1
202 echo "Expect to FAIL as should match on owner"
203 _runas -u $acl1 -g $acl2 ./file1 2>&1
205 chacl o::---,g::---,u:$acl2:rwx,u::---,m::rwx file1 2>&1
206 echo "Expect to PASS as should match on user"
207 _runas -u $acl2 -g $acl2 ./file1 2>&1
209 #-------------------------------------------------------
212 echo "=== Test can read ACLs without access permissions ==="
213 # This was a bug in kernel code where syscred wasn't being used
214 # to override the capabilities
215 chacl o::---,g::---,u::--- file1 2>&1
216 chacl -l file1 | _acl_filter_id
218 #-------------------------------------------------------
221 echo "=== Test Default ACLs ==="
222 # make test clearer by testing with and without umask
226 chacl -b "u::rwx,g::rwx,o::rwx" "u::r-x,g::r--,o::---" acldir 2>&1
227 chacl -l acldir | _acl_filter_id
232 chacl -l file2 | _acl_filter_id
234 #ensure that umask is not having an effect
239 chacl -l file3 | _acl_filter_id
244 #-------------------------------------------------------
247 echo "=== Removing ACLs ==="
248 chacl -l file1 | _acl_filter_id
249 chacl -l acldir | _acl_filter_id
250 chacl -l acldir/file2 | _acl_filter_id
251 echo "Remove ACLs..."
254 chacl -R acldir/file2
255 echo "Note: Old interface would mean empty ACLs - now we show mode ACLs"
256 chacl -l file1 | _acl_filter_id
257 chacl -l acldir | _acl_filter_id
258 chacl -l acldir/file2 | _acl_filter_id
260 #-------------------------------------------------------
263 echo "=== Recursive change ACL ==="
266 pushd root >/dev/null
267 # create an arbitrary little tree
268 for i in 1 2 3 4 5 6 7 8 9 0
275 chown -R 12345.54321 root
277 _runas -u 12345 -g 54321 -- chacl -r u::rwx,g::-w-,o::--x root
278 find root -print | sort | xargs chacl -l
280 _runas -u 12345 -g 54321 -- chacl -r u::---,g::---,o::--- root
281 find root -print | sort | xargs chacl -l
283 #-------------------------------------------------------
286 echo "=== Test out error messages for ACL text parsing ==="
287 echo "Note: Old interface gave more informative error msgs"
293 chacl u:rumpledumpleunknownuser file1
294 chacl u:rumpledumpleunknownuser: file1
295 chacl g:rumpledumpleunknowngrp file1
296 chacl g:rumpledumpleunknowngrp: file1
297 chacl o:user1:rwx file1
298 chacl m:user1:rwx file1