#! /bin/sh
# FS QA Test No. 099. Modified from UDFQA test 036. 
#
# ACL test
#-----------------------------------------------------------------------
#  Copyright (c) 2000-2004 Silicon Graphics, Inc.  All Rights Reserved.
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307
#  USA
#
#  Contact information: Silicon Graphics, Inc., 1500 Crittenden Lane,
#  Mountain View, CA 94043, USA, or: http://www.sgi.com
#-----------------------------------------------------------------------
#_acl_list
# modifier
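# Maintainer contact for this test.
owner=ajones@sgi.com

# Test number, taken from the script's own file name; it names the working
# directory ($seq.dir1) and the $seq.full log used below.
seq=`basename "$0"`
echo "QA output created by $seq"

here=`pwd`
# NOTE(review): /tmp/$$ is a predictable prefix in a world-writable directory.
# Nothing in this file writes $tmp.* itself, but if the sourced helpers do,
# and the suite runs privileged, a file or symlink pre-created under that
# name would be written through.  A private directory from mktemp -d would
# close that; it is left as is because the helpers may rely on the
# $tmp.<suffix> naming -- confirm before changing.
tmp=/tmp/$$
status=1	# failure is the default!
# The trap string is only evaluated when the trap fires, so _cleanup may be
# defined later in the file.  \$status is escaped so that the value at exit
# time is used, not the value at the time the trap is installed.
trap "_cleanup; exit \$status" 0 1 2 3 15

# get standard environment, filters and checks
. ./common.rc
. ./common.filter
. ./common.attr

# Helper binary; judging by its -u/-g/-s options below it runs a command
# under another uid/gid -- confirm against src/runas.
runas=$here/src/runas

# xfs is tested in the test directory, anything else on the scratch mount.
# "=" is the portable string comparison for [ ]; "==" is an extension that
# some /bin/sh implementations reject.
TARGET_DIR=$SCRATCH_MNT
[ "$FSTYP" = "xfs" ] && TARGET_DIR=$TEST_DIR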

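# Exit-trap handler: removes this run's temporary files and the test's
# working directory, then leaves the filesystem under test.
# Globals:   tmp, TARGET_DIR, seq (all read)
# Returns:   status of the final "cd /"
_cleanup()
{
    # An empty $tmp would turn the pattern into ".*" and match dot files in
    # the current directory, so only expand it when the prefix is set.
    if [ -n "$tmp" ]; then
        rm -f "$tmp".*
    fi
    # Only delete after the cd succeeded; otherwise rm -rf would act on
    # whatever directory the script happens to be in (or on $HOME when
    # TARGET_DIR is empty and cd gets no argument).
    if [ -n "$TARGET_DIR" ] && cd "$TARGET_DIR"; then
        rm -rf "$seq.dir1"
    fi
    # step off the filesystem under test
    cd /
}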

# -----
# minimal access ACL has ACEs: USER_OBJ, GROUP_OBJ, OTHER_OBJ
# This is set with chacl(1) and can be changed by chmod(1).
#
# Test that this is being set for ACL and for std unix permissions
# Test that we can get back the same ACL.
# Test std permissions for rwx.
# -----
#
# Test out default ACLs and that the ACL is being passed
# on to the children of the dir.
#
# -----
# Test out access check for extended ACLs.
# -> 3 extra ACEs: MASK, GROUP, USER
# -> the GROUP compares with egid of process _and_ the supplementary
#    groups (as found in /etc/group)
#
# Test that mask works for USER, GROUP, GROUP_OBJ
# Test that the ACE type priority is working
#   -> this would be done by simultaneously matching on ACEs
#   -> interesting if it allows user to specify ACEs in any order
#
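# start with a fresh detail log for this test
rm -f "$seq.full"

#-------------------------------------------------------
# real QA test starts here
_supported_fs xfs udf
_supported_os IRIX

# acl1, acl2 and acl3 are used below but never assigned in this file before
# their first use; presumably _acl_setup_ids provides them -- confirm in the
# sourced common.attr.
_acl_setup_ids
_acl_requirements
[ -x "$runas" ] || _notrun "$runas executable not found"

# get dir
#export FILE_SYS=xfs
_require_scratch
_setup_testdir

# Every chown/chacl/rm below is relative to the current directory, so stop
# (the exit trap reports failure, status is still 1) if the working directory
# cannot be entered or created, rather than carrying on somewhere else.
cd "$TARGET_DIR" || exit 1
rm -rf "$seq.dir1" # in case file is left over from previous runs.
mkdir "$seq.dir1" || exit 1
cd "$seq.dir1" || exit 1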

# Minimal ACL section: only the three base entries (owner, group, other) are
# set, and each class is checked by executing file1 as different ids.
# Every command's stdout and stderr (2>&1) is part of the test's output.
echo ""
echo "=== Test minimal ACE ==="

echo "Setup file"
# Note: as this is a shell script,
#       will need read and execute permission set
#       in order to execute it.
touch file1
# file1 prints a fixed line, so a successful exec is visible in the output.
cat <<EOF >file1
#!/bin/sh
echo "Test was executed"
EOF
chmod u=rwx file1
chmod g=rw- file1
chmod o=r-- file1
# owner becomes acl1, owning group acl2; the checks below depend on this
chown $acl1.$acl2 file1
_acl_ls file1

echo ""
echo "--- Test get and set of ACL ---"
echo "Note: IRIX interface gave an empty ACL - Linux outputs an ACL"
_acl_list file1
echo "Try using single colon separator"
echo "Note: IRIX interface FAILs because of single colon - Linux one allows it" 
# "o:rw-" has one colon where the other entries use two
chacl u::r--,g::rwx,o:rw- file1 2>&1
echo "Expect to PASS" 
chacl u::r--,g::rwx,o::rw- file1 2>&1
_acl_list file1

echo ""
echo "--- Test sync of ACL with std permissions ---"
# change the mode with chmod and list again, both as mode bits (_acl_ls) and
# as an ACL (_acl_list)
_acl_ls file1
chmod u+w file1
_acl_ls file1
_acl_list file1

echo ""
echo "--- Test owner permissions ---"
# only the owner entry grants r-x
chacl u::r-x,g::---,o::--- file1 2>&1
_acl_list file1
# change to owner
echo "Expect to PASS" 
$runas -u $acl1 -g $acl1 ./file1 2>&1
echo "Expect to FAIL" 
$runas -u $acl2 -g $acl2 ./file1 2>&1

echo ""
echo "--- Test group permissions ---"
# only the owning-group entry grants r-x; the owner entry denies everything
chacl u::---,g::r-x,o::--- file1 2>&1
_acl_list file1
echo "Expect to FAIL - acl1 is owner" 
$runas -u $acl1 -g $acl1 ./file1 2>&1
echo "Expect to PASS - acl2 matches group" 
$runas -u $acl2 -g $acl2 ./file1 2>&1
echo "Expect to PASS - acl2 matches sup group" 
# primary gid is acl3 here; acl2 is passed with -s
$runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
echo "Expect to FAIL - acl3 is not in group" 
$runas -u $acl3 -g $acl3 ./file1 2>&1

echo ""
echo "--- Test other permissions ---"
# only the other entry grants r-x: ids that match the owner or group entry
# are expected to be refused even though "other" would allow them
chacl u::---,g::---,o::r-x file1 2>&1
_acl_list file1
echo "Expect to FAIL - acl1 is owner" 
$runas -u $acl1 -g $acl1 ./file1 2>&1
echo "Expect to FAIL - acl2 is in group" 
$runas -u $acl2 -g $acl2 ./file1 2>&1
echo "Expect to FAIL - acl2 is in sup. group" 
$runas -u $acl2 -g $acl3 -s $acl2 ./file1 2>&1
echo "Expect to PASS - acl3 is not owner or in group" 
$runas -u $acl3 -g $acl3 ./file1 2>&1

#-------------------------------------------------------

# Extended ACL section: a named USER or GROUP entry is added on top of the
# three base entries, first without and then with a MASK entry.
echo ""
echo "=== Test Extended ACLs ==="

echo ""
echo "--- Test adding a USER ACE ---"
echo "Expect to FAIL as no MASK provided"
# chacl's exit status is lost in the pipeline; only its message is checked.
# _acl_filter_id presumably hides the concrete id in that message -- confirm.
chacl u::---,g::---,o::---,u:$acl2:r-x file1 2>&1 | _acl_filter_id
echo "Ensure that ACL has not been changed"
_acl_list file1
echo "Expect to PASS - USER ACE matches user"
# same entries plus m::rwx, so the named user's r-x is not masked off
chacl u::---,g::---,o::---,u:$acl2:r-x,m::rwx file1 2>&1
_acl_list file1
$runas -u $acl2 -g $acl2 ./file1 2>&1
echo "Expect to FAIL - USER ACE does not match user"
$runas -u $acl3 -g $acl3 ./file1 2>&1

echo ""
echo "--- Test adding a GROUP ACE ---"
echo "Expect to FAIL as no MASK provided"
chacl u::---,g::---,o::---,g:$acl2:r-x file1 2>&1 | _acl_filter_id
echo "Ensure that ACL has not been changed"
_acl_list file1
# named group entry for acl2, with a mask that lets r-x through
chacl u::---,g::---,o::---,g:$acl2:r-x,m::rwx file1 2>&1
_acl_list file1 | _acl_filter_id
echo "Expect to PASS - GROUP ACE matches group"
$runas -u $acl2 -g $acl2 ./file1 2>&1
echo "Expect to PASS - GROUP ACE matches sup group"
# primary gid is acl1 here; acl2 is passed with -s
$runas -u $acl2 -g $acl1 -s $acl2 ./file1 2>&1
echo "Expect to FAIL - GROUP ACE does not match group"
$runas -u $acl3 -g $acl3 ./file1 2>&1

#-------------------------------------------------------

# MASK section: the named entry always grants r-x; only the mask changes.
echo ""
echo "--- Test MASK ---"

# named group entry, mask -w-: the mask has neither r nor x
chacl u::---,g::---,o::---,g:$acl2:r-x,m::-w- file1 2>&1
_acl_list file1
echo "Expect to FAIL as MASK prohibits execution"
$runas -u $acl2 -g $acl2 ./file1 2>&1

# named user entry, same restrictive mask
chacl u::---,g::---,o::---,u:$acl2:r-x,m::-w- file1 2>&1
echo "Expect to FAIL as MASK prohibits execution"
$runas -u $acl2 -g $acl2 ./file1 2>&1

# named user entry, mask r-x: the grant passes through the mask
chacl u::---,g::---,o::---,u:$acl2:r-x,m::r-x file1 2>&1
echo "Expect to PASS as MASK allows execution"
$runas -u $acl2 -g $acl2 ./file1 2>&1

#-------------------------------------------------------

# Priority section: several entries could match the caller, and the entries
# are deliberately not written in the usual u/g/o order.
echo ""
echo "--- Test ACE priority ---"

# acl1 owns file1 (set by the earlier chown).  The owner entry u::--- denies
# while a named-user entry for the same id, group and other all grant rwx;
# the owner entry is expected to win.
chacl o::rwx,g::rwx,u:$acl1:rwx,u::---,m::rwx file1 2>&1
echo "Expect to FAIL as should match on owner"
$runas -u $acl1 -g $acl2 ./file1 2>&1

# acl2 is the owning group (g::---) but also has a named-user entry with rwx;
# the named-user entry is expected to win over the group entry.
chacl o::---,g::---,u:$acl2:rwx,u::---,m::rwx file1 2>&1
echo "Expect to PASS as should match on user"
$runas -u $acl2 -g $acl2 ./file1 2>&1


#-------------------------------------------------------

echo ""
echo "=== Test can read ACLs without access permissions ==="
# This was a bug in kernel code where syscred wasn't being used
# to override the capabilities
# Regression check: every base entry is set to ---, and listing the ACL
# straight afterwards must still produce it.
chacl o::---,g::---,u::--- file1 2>&1
_acl_list file1

#-------------------------------------------------------

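# Default ACL section: files created inside a directory that carries a
# default ACL are listed, once with umask 0 and once with a restrictive umask.
echo ""
echo "=== Test Default ACLs ==="
# make test clearer by testing with and without umask
umask 0

mkdir acldir
# chacl -b takes two ACLs: the access ACL first, the default ACL second
chacl -b "u::rwx,g::rwx,o::rwx" "u::r-x,g::r--,o::---" acldir 2>&1
_acl_list acldir
# Stop if acldir cannot be entered: otherwise file2/file3 would be created in
# the parent and the "cd .." below would leave the test's working directory,
# so the later chacl calls would act one level up.
cd acldir || exit 1

touch file2
_acl_ls file2
_acl_list file2

#ensure that umask is not having an effect
#so set it and see
umask 722
touch file3
_acl_ls file3
_acl_list file3

cd .. || exit 1
# back to a conventional umask for the rest of the test
umask 022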


#-------------------------------------------------------

# Removal section: list the ACLs, remove them, list again.
echo ""
echo "=== Removing ACLs ==="
_acl_list file1
_acl_list acldir
_acl_list acldir/file2
echo "Remove ACLs..."
# -R removes the access ACL; -B removes all ACLs, which for acldir covers the
# default ACL set earlier as well
chacl -R file1
chacl -B acldir
chacl -R acldir/file2
echo "Note: IRIX interface would mean empty ACLs - Linux would show mode ACLs" 
_acl_list file1
_acl_list acldir
_acl_list acldir/file2

#-------------------------------------------------------

# Parser section: each chacl call below is given an ACL string that is
# incomplete or malformed -- a bare tag, a tag with no permissions, a user or
# group name that should not exist, a qualifier on the "o" and "m" tags, and
# the tag "a".  stderr is not redirected here, unlike the earlier sections.
# set -x makes the shell print each command before running it, so every
# message can be matched to the string that produced it; the statements are
# kept exactly as they are because that trace is part of what the test emits.
echo ""
echo "=== Test out error messages for ACL text parsing  ==="

touch file1
set -x
chacl u file1
chacl u: file1
chacl u:rumpledumpleunknownuser file1
chacl u:rumpledumpleunknownuser: file1
chacl g:rumpledumpleunknowngrp file1
chacl g:rumpledumpleunknowngrp: file1
chacl o:user1:rwx file1
chacl m:user1:rwx file1
chacl a::rwx file1
set +x

#-------------------------------------------------------

# Boundary section: apply ACLs with one entry fewer than, exactly, and one
# entry more than the limit assumed below.
echo ""
echo "=== Test out large ACLs  ==="
touch largeaclfile
# entry limit this test assumes for an XFS ACL
XFS_ACL_MAX_ENTRIES=25
num_aces_pre=`expr $XFS_ACL_MAX_ENTRIES - 1`
num_aces_post=`expr $XFS_ACL_MAX_ENTRIES + 1`

# NOTE: from here on acl1, acl2 and acl3 no longer hold the ids used by the
# runas checks above; they are overwritten with ACL strings.
# _create_n_aces presumably prints an ACL with the given number of entries --
# confirm against its definition in the sourced helpers.
acl1=`_create_n_aces $num_aces_pre`
acl2=`_create_n_aces $XFS_ACL_MAX_ENTRIES`
acl3=`_create_n_aces $num_aces_post`

echo "1 below xfs acl max"
chacl $acl1 largeaclfile
_acl_list largeaclfile | _filter_aces_notypes

echo "xfs acl max"
chacl $acl2 largeaclfile
_acl_list largeaclfile | _filter_aces_notypes

echo "1 above xfs acl max"
# over the limit: the listing that follows shows what the file ended up with
chacl $acl3 largeaclfile
_acl_list largeaclfile | _filter_aces_notypes

#-------------------------------------------------------

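# For udf, unmount and check the filesystem the test just exercised.
# "=" is the portable string comparison for [ ]; "==" is an extension that
# some /bin/sh implementations reject.
if [ "$FSTYP" = "udf" ]; then
    # leave the mount point first so the unmount is not blocked by our cwd
    cd /
    umount "$TARGET_DIR"
    # Check the filesystem
    _check_scratch_fs
fi
# success, all done
# The exit trap runs _cleanup and then exits with $status.
status=0
exit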