diff options
Diffstat (limited to '051')
-rwxr-xr-x | 051 | 262 |
1 files changed, 262 insertions, 0 deletions
@@ -0,0 +1,262 @@ +#! /bin/sh +# XFS QA Test No. 051 +# $Id: 1.1 $ +# +# Test out ACLs. +# +#----------------------------------------------------------------------- +# Copyright (c) 2000 Silicon Graphics, Inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of version 2 of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# +# Further, this software is distributed without any warranty that it is +# free of the rightful claim of any third person regarding infringement +# or the like. Any license provided herein, whether implied or +# otherwise, applies only to this software file. Patent licenses, if +# any, provided herein do not apply to combinations of this program with +# other software, or any other product whatsoever. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write the Free Software Foundation, Inc., 59 +# Temple Place - Suite 330, Boston MA 02111-1307, USA. +# +# Contact information: Silicon Graphics, Inc., 1600 Amphitheatre Pkwy, +# Mountain View, CA 94043, or: +# +# http://www.sgi.com +# +# For further information regarding this notice, see: +# +# http://oss.sgi.com/projects/GenInfo/SGIGPLNoticeExplan/ +#----------------------------------------------------------------------- +# +# creator +owner=tes@sgi.com + +seq=`basename $0` +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +runas=$here/src/runas +status=1 # FAILure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +# get standard environment, filters and checks +. ./common.rc +. ./common.filter + +_cleanup() +{ + rm -f $tmp.* + rm -rf $TEST_DIR/$seq.dir1 +} + +_ls() +{ + ls -ln $* | awk '{ print $1, $3, $4, $NF }' +} + +# ----- +# minimal access ACL has ACEs: USER_OBJ, GROUP_OBJ, OTHER_OBJ +# This is set with chacl(1) and can be changed by chmod(1). +# +# Test that this is being set for ACL and for std unix permissions +# Test that we can get back the same ACL. +# Test std permissions for rwx. +# ----- +# +# Test out default ACLs and that the ACL is being PASSed +# onto the children of the dir. +# +# ----- +# Test out access check for extended ACLs. +# -> 3 extra ACEs: MASK, GROUP, USER +# -> the GROUP compares with egid of process _and_ the supplementary +# groups (as found in /etc/group) +# +# Test that mask works for USER, GROUP, GROUP_OBJ +# Test that the ACE type priority is working +# -> this would be done by simultaneously matching on ACEs +# -> interesting if it allows user to specify ACEs in any order +# + +acl1=1001;acl2=1002;acl3=1003 + +[ -x /bin/chacl ] || _notrun "chacl command not found" +[ -x $runas ] || _notrun "$runas executable not found" + +# get dir +cd $TEST_DIR +rm -rf $seq.dir1 +mkdir $seq.dir1 +cd $seq.dir1 + +#------------------------------------------------------- +# real QA test starts here + +echo "" +echo "=== Test minimal ACE ===" + +echo "Setup file" +touch file1 +cat <<EOF >file1 +#!/bin/sh +echo "Test was executed" +EOF +chmod u=rwx file1 +chmod g=rw- file1 +chmod o=r-- file1 +chown $acl1.$acl2 file1 +_ls file1 + +echo "" +echo "--- Test get and set of ACL ---" +chacl -l file1 +echo "Expect to FAIL" +chacl u::r--,g::rwx,o:rw- file1 2>&1 +echo "Expect to PASS" +chacl u::r--,g::rwx,o::rw- file1 2>&1 +chacl -l file1 + +echo "" +echo "--- Test sync of ACL with std permissions ---" +_ls file1 +chmod u+w file1 +_ls file1 +chacl -l file1 + +echo "" +echo "--- Test owner permissions ---" +chacl u::r-x,g::---,o::--- file1 2>&1 +chacl -l file1 +# change to owner +echo "Expect to PASS" +$runas -u $acl1 -g $acl1 ./file1 2>&1 +echo "Expect to FAIL" +$runas -u $acl2 -g $acl2 ./file1 2>&1 + +echo "" +echo "--- Test group permissions ---" +chacl u::---,g::r-x,o::--- file1 2>&1 +chacl -l file1 +echo "Expect to FAIL - acl1 is owner" +$runas -u $acl1 -g $acl1 ./file1 2>&1 +echo "Expect to PASS - acl2 matches group" +$runas -u $acl2 -g $acl2 ./file1 2>&1 +echo "Expect to PASS - acl2 matches sup group" +$runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1 +echo "Expect to FAIL - acl3 is not in group" +$runas -u $acl3 -g $acl3 ./file1 2>&1 + +echo "" +echo "--- Test other permissions ---" +chacl u::---,g::---,o::r-x file1 2>&1 +chacl -l file1 +echo "Expect to FAIL - acl1 is owner" +$runas -u $acl1 -g $acl1 ./file1 2>&1 +echo "Expect to FAIL - acl2 is in group" +$runas -u $acl2 -g $acl2 ./file1 2>&1 +echo "Expect to FAIL - acl2 is in sup. group" +$runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1 +echo "Expect to PASS - acl3 is not owner or in group" +$runas -u $acl3 -g $acl3 ./file1 2>&1 + +#------------------------------------------------------- + +echo "" +echo "=== Test Extended ACLs ===" + +echo "" +echo "--- Test adding a USER ACE ---" +echo "Expect to FAIL as no MASK provided" +chacl u::---,g::---,o::---,u:$acl2:r-x file1 2>&1 +echo "Ensure that ACL has not been changed" +chacl -l file1 +echo "Expect to PASS - USER ACE matches user" +chacl u::---,g::---,o::---,u:$acl2:r-x,m::rwx file1 2>&1 +chacl -l file1 +$runas -u $acl2 -g $acl2 ./file1 2>&1 +echo "Expect to FAIL - USER ACE does not match user" +$runas -u $acl3 -g $acl3 ./file1 2>&1 + +echo "" +echo "--- Test adding a GROUP ACE ---" +echo "Expect to FAIL as no MASK provided" +chacl u::---,g::---,o::---,g:$acl2:r-x file1 2>&1 +echo "Ensure that ACL has not been changed" +chacl -l file1 +chacl u::---,g::---,o::---,g:$acl2:r-x,m::rwx file1 2>&1 +chacl -l file1 +echo "Expect to PASS - GROUP ACE matches group" +$runas -u $acl2 -g $acl2 ./file1 2>&1 +echo "Expect to PASS - GROUP ACE matches sup group" +$runas -u $acl2 -g $acl1 -s $acl2 ./file1 2>&1 +echo "Expect to FAIL - GROUP ACE does not match group" +$runas -u $acl3 -g $acl3 ./file1 2>&1 + +#------------------------------------------------------- + +echo "" +echo "--- Test MASK ---" +chacl u::---,g::---,o::---,g:$acl2:r-x,m::-wx file1 2>&1 +chacl -l file1 +echo "Expect to FAIL as MASK prohibits execution" +$runas -u $acl2 -g $acl2 ./file1 2>&1 +chacl u::---,g::---,o::---,u:$acl2:r-x,m::-wx file1 2>&1 +echo "Expect to FAIL as MASK prohibits execution" +$runas -u $acl2 -g $acl2 ./file1 2>&1 + +chacl u::---,g::---,o::---,u:$acl2:r-x,m::r-x file1 2>&1 +echo "Expect to PASS as MASK allows execution" +$runas -u $acl2 -g $acl2 ./file1 2>&1 + +#------------------------------------------------------- + +echo "" +echo "--- Test ACE priority ---" + +chacl o::rwx,g::rwx,u:$acl1:rwx,u::---,m::rwx file1 2>&1 +echo "Expect to FAIL as should match on owner" +$runas -u $acl1 -g $acl2 ./file1 2>&1 + +chacl o::---,g::---,u:$acl2:rwx,u::---,m::rwx file1 2>&1 +echo "Expect to PASS as should match on user" +$runas -u $acl2 -g $acl2 ./file1 2>&1 + + +#------------------------------------------------------- + +echo "" +echo "=== Test can read ACLs without access permissions ===" +# This was a bug in kernel code where syscred wasn't being used +# to override the capabilities +chacl o::---,g::---,u::--- file1 2>&1 +chacl -l ./file1 + + +#------------------------------------------------------- + +echo "" +echo "=== Test Default ACLs ===" +mkdir acldir +chacl -b "u::rwx,g::rwx,o::rwx" "u::r-x,g::r--,o::---" ./acldir 2>&1 +chacl -l ./acldir + +cd acldir +touch file2 +_ls file2 +chacl -l ./file2 +cd .. + +#------------------------------------------------------- + +# success, all done +status=0 +exit |