#! /bin/sh # XFS QA Test No. 051 # $Id: 1.1 $ # # Test out ACLs. # #----------------------------------------------------------------------- # Copyright (c) 2000 Silicon Graphics, Inc. All Rights Reserved. # # This program is free software; you can redistribute it and/or modify it # under the terms of version 2 of the GNU General Public License as # published by the Free Software Foundation. # # This program is distributed in the hope that it would be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # # Further, this software is distributed without any warranty that it is # free of the rightful claim of any third person regarding infringement # or the like. Any license provided herein, whether implied or # otherwise, applies only to this software file. Patent licenses, if # any, provided herein do not apply to combinations of this program with # other software, or any other product whatsoever. # # You should have received a copy of the GNU General Public License along # with this program; if not, write the Free Software Foundation, Inc., 59 # Temple Place - Suite 330, Boston MA 02111-1307, USA. # # Contact information: Silicon Graphics, Inc., 1600 Amphitheatre Pkwy, # Mountain View, CA 94043, or: # # http://www.sgi.com # # For further information regarding this notice, see: # # http://oss.sgi.com/projects/GenInfo/SGIGPLNoticeExplan/ #----------------------------------------------------------------------- # # creator owner=tes@sgi.com seq=`basename $0` here=`pwd` tmp=/tmp/$$ runas=$here/src/runas status=1 # FAILure is the default! trap "_cleanup; exit \$status" 0 1 2 3 15 # get standard environment, filters and checks . ./common.rc . ./common.filter _cleanup() { rm -f $tmp.* rm -rf $TEST_DIR/$seq.dir1 } _ls() { ls -ln $* | awk '{ print $1, $3, $4, $NF }' | _filter_id } _setup_ids() { eval `cat /etc/passwd /etc/group | gawk -F: ' { ids[$3]=1 } END { j=1 for(i=1; i<1000000 && j<=3;i++){ if (! (i in ids)) { printf "acl%d=%d;", j, i; j++ } } }'` } _filter_id() { sed \ -e "s/u:$acl1/u:id1/" \ -e "s/u:$acl2/u:id2/" \ -e "s/u:$acl3/u:id3/" \ -e "s/g:$acl1/g:id1/" \ -e "s/g:$acl2/g:id2/" \ -e "s/g:$acl3/g:id3/" \ -e "s/ $acl1 / id1 /" \ -e "s/ $acl2 / id2 /" \ -e "s/ $acl3 / id3 /" } # ----- # minimal access ACL has ACEs: USER_OBJ, GROUP_OBJ, OTHER_OBJ # This is set with chacl(1) and can be changed by chmod(1). # # Test that this is being set for ACL and for std unix permissions # Test that we can get back the same ACL. # Test std permissions for rwx. # ----- # # Test out default ACLs and that the ACL is being PASSed # onto the children of the dir. # # ----- # Test out access check for extended ACLs. # -> 3 extra ACEs: MASK, GROUP, USER # -> the GROUP compares with egid of process _and_ the supplementary # groups (as found in /etc/group) # # Test that mask works for USER, GROUP, GROUP_OBJ # Test that the ACE type priority is working # -> this would be done by simultaneously matching on ACEs # -> interesting if it allows user to specify ACEs in any order # rm -f $seq.full _need_to_be_root _setup_ids [ -x /bin/chacl ] || _notrun "chacl command not found" [ -x $runas ] || _notrun "$runas executable not found" # get dir cd $TEST_DIR rm -rf $seq.dir1 mkdir $seq.dir1 cd $seq.dir1 # test if acl_get syscall is operational # and hence the ACL config has been turned on touch syscalltest if chacl -l syscalltest 2>&1 | tee -a $here/$seq.full | grep 'Function not implemented' >/dev/null then cd $here _notrun "requires kernel ACL support" fi #------------------------------------------------------- # real QA test starts here echo "QA output created by $seq" echo "" echo "=== Test minimal ACE ===" echo "Setup file" # Note: as this is a shell script, # will need read and execute permission set # in order to execute it. touch file1 cat <file1 #!/bin/sh echo "Test was executed" EOF chmod u=rwx file1 chmod g=rw- file1 chmod o=r-- file1 chown $acl1.$acl2 file1 _ls file1 echo "" echo "--- Test get and set of ACL ---" chacl -l file1 | _filter_id echo "Expect to FAIL" chacl u::r--,g::rwx,o:rw- file1 2>&1 echo "Expect to PASS" chacl u::r--,g::rwx,o::rw- file1 2>&1 chacl -l file1 | _filter_id echo "" echo "--- Test sync of ACL with std permissions ---" _ls file1 chmod u+w file1 _ls file1 chacl -l file1 | _filter_id echo "" echo "--- Test owner permissions ---" chacl u::r-x,g::---,o::--- file1 2>&1 chacl -l file1 | _filter_id # change to owner echo "Expect to PASS" $runas -u $acl1 -g $acl1 ./file1 2>&1 echo "Expect to FAIL" $runas -u $acl2 -g $acl2 ./file1 2>&1 echo "" echo "--- Test group permissions ---" chacl u::---,g::r-x,o::--- file1 2>&1 chacl -l file1 | _filter_id echo "Expect to FAIL - acl1 is owner" $runas -u $acl1 -g $acl1 ./file1 2>&1 echo "Expect to PASS - acl2 matches group" $runas -u $acl2 -g $acl2 ./file1 2>&1 echo "Expect to PASS - acl2 matches sup group" $runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1 echo "Expect to FAIL - acl3 is not in group" $runas -u $acl3 -g $acl3 ./file1 2>&1 echo "" echo "--- Test other permissions ---" chacl u::---,g::---,o::r-x file1 2>&1 chacl -l file1 | _filter_id echo "Expect to FAIL - acl1 is owner" $runas -u $acl1 -g $acl1 ./file1 2>&1 echo "Expect to FAIL - acl2 is in group" $runas -u $acl2 -g $acl2 ./file1 2>&1 echo "Expect to FAIL - acl2 is in sup. group" $runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1 echo "Expect to PASS - acl3 is not owner or in group" $runas -u $acl3 -g $acl3 ./file1 2>&1 #------------------------------------------------------- echo "" echo "=== Test Extended ACLs ===" echo "" echo "--- Test adding a USER ACE ---" echo "Expect to FAIL as no MASK provided" chacl u::---,g::---,o::---,u:$acl2:r-x file1 2>&1 echo "Ensure that ACL has not been changed" chacl -l file1 | _filter_id echo "Expect to PASS - USER ACE matches user" chacl u::---,g::---,o::---,u:$acl2:r-x,m::rwx file1 2>&1 chacl -l file1 | _filter_id $runas -u $acl2 -g $acl2 ./file1 2>&1 echo "Expect to FAIL - USER ACE does not match user" $runas -u $acl3 -g $acl3 ./file1 2>&1 echo "" echo "--- Test adding a GROUP ACE ---" echo "Expect to FAIL as no MASK provided" chacl u::---,g::---,o::---,g:$acl2:r-x file1 2>&1 echo "Ensure that ACL has not been changed" chacl -l file1 | _filter_id chacl u::---,g::---,o::---,g:$acl2:r-x,m::rwx file1 2>&1 chacl -l file1 | _filter_id echo "Expect to PASS - GROUP ACE matches group" $runas -u $acl2 -g $acl2 ./file1 2>&1 echo "Expect to PASS - GROUP ACE matches sup group" $runas -u $acl2 -g $acl1 -s $acl2 ./file1 2>&1 echo "Expect to FAIL - GROUP ACE does not match group" $runas -u $acl3 -g $acl3 ./file1 2>&1 #------------------------------------------------------- echo "" echo "--- Test MASK ---" # group chacl u::---,g::---,o::---,g:$acl2:r-x,m::-w- file1 2>&1 chacl -l file1 | _filter_id echo "Expect to FAIL as MASK prohibits execution" $runas -u $acl2 -g $acl2 ./file1 2>&1 # user chacl u::---,g::---,o::---,u:$acl2:r-x,m::-w- file1 2>&1 echo "Expect to FAIL as MASK prohibits execution" $runas -u $acl2 -g $acl2 ./file1 2>&1 # user chacl u::---,g::---,o::---,u:$acl2:r-x,m::r-x file1 2>&1 echo "Expect to PASS as MASK allows execution" $runas -u $acl2 -g $acl2 ./file1 2>&1 #------------------------------------------------------- echo "" echo "--- Test ACE priority ---" chacl o::rwx,g::rwx,u:$acl1:rwx,u::---,m::rwx file1 2>&1 echo "Expect to FAIL as should match on owner" $runas -u $acl1 -g $acl2 ./file1 2>&1 chacl o::---,g::---,u:$acl2:rwx,u::---,m::rwx file1 2>&1 echo "Expect to PASS as should match on user" $runas -u $acl2 -g $acl2 ./file1 2>&1 #------------------------------------------------------- echo "" echo "=== Test can read ACLs without access permissions ===" # This was a bug in kernel code where syscred wasn't being used # to override the capabilities chacl o::---,g::---,u::--- file1 2>&1 chacl -l file1 | _filter_id #------------------------------------------------------- echo "" echo "=== Test Default ACLs ===" mkdir acldir chacl -b "u::rwx,g::rwx,o::rwx" "u::r-x,g::r--,o::---" ./acldir 2>&1 chacl -l acldir | _filter_id cd acldir touch file2 _ls file2 chacl -l file2 | _filter_id cd .. #------------------------------------------------------- # success, all done status=0 exit