ls -ln $* | awk '{ print $1, $3, $4, $NF }' | _filter_id
}
-_get_newid()
+
+_setup_ids()
{
- cat /etc/passwd /etc/group $tmp.ids | gawk -F: '
+ eval `cat /etc/passwd /etc/group | gawk -F: '
{ ids[$3]=1 }
END {
- for(i=1;i<1000000;i++){
+ j=1
+ for(i=1; i<1000000 && j<=3;i++){
if (! (i in ids)) {
- print i;
- exit
+ printf "acl%d=%d;", j, i;
+ j++
}
}
- }'
-}
-
-_setup_ids()
-{
- touch $tmp.ids
- acl1=`_get_newid`; echo "::$acl1" >>$tmp.ids
- acl2=`_get_newid`; echo "::$acl2" >>$tmp.ids
- acl3=`_get_newid`; echo "::$acl3" >>$tmp.ids
+ }'`
}
_filter_id()
-e "s/g:$acl3/g:id3/" \
-e "s/ $acl1 / id1 /" \
-e "s/ $acl2 / id2 /" \
- -e "s/ $acl3 / id3 /" \
+ -e "s/ $acl3 / id3 /"
}
# -----
echo "=== Test minimal ACE ==="
echo "Setup file"
+# Note: as this is a shell script,
+# will need read and execute permission set
+# in order to execute it.
touch file1
cat <<EOF >file1
#!/bin/sh
echo ""
echo "--- Test MASK ---"
-chacl u::---,g::---,o::---,g:$acl2:r-x,m::-wx file1 2>&1
+
+# group
+chacl u::---,g::---,o::---,g:$acl2:r-x,m::-w- file1 2>&1
chacl -l file1 | _filter_id
echo "Expect to FAIL as MASK prohibits execution"
$runas -u $acl2 -g $acl2 ./file1 2>&1
-chacl u::---,g::---,o::---,u:$acl2:r-x,m::-wx file1 2>&1
+
+# user
+chacl u::---,g::---,o::---,u:$acl2:r-x,m::-w- file1 2>&1
echo "Expect to FAIL as MASK prohibits execution"
$runas -u $acl2 -g $acl2 ./file1 2>&1
+# user
chacl u::---,g::---,o::---,u:$acl2:r-x,m::r-x file1 2>&1
echo "Expect to PASS as MASK allows execution"
$runas -u $acl2 -g $acl2 ./file1 2>&1
Expect to PASS
Test was executed
Expect to FAIL
-sh: ./file1: Permission denied
+./file1: Permission denied
--- Test group permissions ---
file1 [u::---,g::r-x,o::---]
Expect to FAIL - acl1 is owner
-sh: ./file1: Permission denied
+./file1: Permission denied
Expect to PASS - acl2 matches group
Test was executed
Expect to PASS - acl2 matches sup group
Test was executed
Expect to FAIL - acl3 is not in group
-sh: ./file1: Permission denied
+./file1: Permission denied
--- Test other permissions ---
file1 [u::---,g::---,o::r-x]
Expect to FAIL - acl1 is owner
-sh: ./file1: Permission denied
+./file1: Permission denied
Expect to FAIL - acl2 is in group
-sh: ./file1: Permission denied
+./file1: Permission denied
Expect to FAIL - acl2 is in sup. group
-sh: ./file1: Permission denied
+./file1: Permission denied
Expect to PASS - acl3 is not owner or in group
Test was executed
file1 [u::---,g::---,o::---,u:id2:r-x,m::rwx]
Test was executed
Expect to FAIL - USER ACE does not match user
-sh: ./file1: Permission denied
+./file1: Permission denied
--- Test adding a GROUP ACE ---
Expect to FAIL as no MASK provided
Expect to PASS - GROUP ACE matches sup group
Test was executed
Expect to FAIL - GROUP ACE does not match group
-sh: ./file1: Permission denied
+./file1: Permission denied
--- Test MASK ---
-file1 [u::---,g::---,o::---,g:id2:r-x,m::-wx]
+file1 [u::---,g::---,o::---,g:id2:r-x,m::-w-]
Expect to FAIL as MASK prohibits execution
-./file1: ./file1: Permission denied
+./file1: Permission denied
Expect to FAIL as MASK prohibits execution
-./file1: ./file1: Permission denied
+./file1: Permission denied
Expect to PASS as MASK allows execution
Test was executed
--- Test ACE priority ---
Expect to FAIL as should match on owner
-sh: ./file1: Permission denied
+./file1: Permission denied
Expect to PASS as should match on user
Test was executed
int c;
uid_t uid = -1;
gid_t gid = -1;
- char *cmd=NULL;
+ int pid;
+ char **cmd;
gid_t sgids[SUP_MAX];
int sup_cnt = 0;
int status;
}
/* build up the cmd */
- for ( ; optind < argc; optind++) {
- cmd = realloc(cmd, (cmd==NULL?0:strlen(cmd)) +
- strlen(argv[optind]) + 4);
- strcat(cmd, " ");
- strcat(cmd, argv[optind]);
- }
-
+ if (optind == argc) {
+ usage();
+ exit(1);
+ }
+ else {
+ char **p;
+ p = cmd = (char **)malloc(sizeof(char *) * (argc - optind + 1));
+ for ( ; optind < argc; optind++, p++) {
+ *p = strdup(argv[optind]);
+ }
+ *p = NULL;
+ }
if (gid != -1) {
if (setegid(gid) == -1) {
}
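Review bot: The allocation on the `p = cmd = (char **)malloc(...)` line and each `strdup` in the loop that follows have unchecked results; if malloc fails, `*p = NULL` writes through a null pointer, and if a strdup fails, a NULL lands in the middle of the vector and silently truncates the command that is later passed to execv. Add `if (cmd == NULL) { perror("malloc"); exit(1); }` after the allocation and the same check on each `strdup` result. Since the vector appears to be used only as the execv argument, the copies may be unnecessary altogether: `argv[optind]` pointers stay valid for the process lifetime, so `*p = argv[optind];` would avoid the allocations, assuming nothing later modifies the strings. The enclosing function starts outside the hunk.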
}
- status = system(cmd);
+ pid = fork();
+ if (pid == -1) {
+ fprintf(stderr, "%s: fork failed: %s\n",
+ prog, strerror(errno));
+ exit(1);
+ }
+ if (pid == 0) {
+ execv(cmd[0], cmd);
+ fprintf(stderr, "%s: %s\n", cmd[0], strerror(errno));
+ exit(errno);
+ }
+ wait(&status);
if (WIFSIGNALED(status)) {
fprintf(stderr, "%s: command terminated with signal %d\n",
prog, WTERMSIG(status));
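Review bot: `wait(&status)` after the fork reaps whichever child exits first rather than the one just created, and its return value is ignored, so if it fails or is interrupted by a signal the `status` variable, declared without an initializer in the earlier hunk, is evaluated uninitialized by `WIFSIGNALED` on the next line. Use `waitpid(pid, &status, 0)`, retry on EINTR and fail loudly otherwise, as below. In the child, `exit(errno)` after a failed execv can exceed 255 and be truncated by the exit status; the conventional values are 127 for ENOENT and 126 otherwise, e.g. `exit(errno == ENOENT ? 127 : 126);`. Note also that execv does not search PATH, unlike the system() call it replaces, so callers must pass a path to the command (the test script invokes `./file1`, which is fine). The enclosing function starts outside the hunk.
```c
	/* … unchanged: fork and child execv … */
	/* Reap exactly the child we created; retry if a signal interrupts the wait. */
	while (waitpid(pid, &status, 0) == -1) {
		if (errno != EINTR) {
			fprintf(stderr, "%s: waitpid failed: %s\n",
				prog, strerror(errno));
			exit(1);
		}
	}
	if (WIFSIGNALED(status)) {
```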