2 # vim: filetype=sh noexpandtab ts=8 sw=8
3 # $FreeBSD: head/tools/regression/pjdfstest/tests/granular/02.t 211352 2010-08-15 21:24:17Z pjd $
# Human-readable description of this test file. The code that consumes it is
# not part of this listing.
5 desc="NFSv4 granular permissions checking - ACL_READ_ACL and ACL_WRITE_ACL"
# Run only on FreeBSD with ZFS; any other os/fs pair leaves through quick_exit.
# NOTE(review): ${os}, ${fs}, quick_exit and expect are defined outside this
# listing (the gutter numbers skip several lines around here).
10 [ "${os}:${fs}" = "FreeBSD:ZFS" ] || quick_exit
# Scratch directory for the cases below.
# NOTE(review): the assignments of ${n0}/${n2} are on lines not shown, and the
# script presumably changes into ${n2} afterwards - confirm against the full file.
18 expect 0 mkdir ${n2} 0755
22 # Check whether user 65534 is permitted to read ACL.
# Lines without -u/-g run as the user invoking the suite (root, going by the
# "root is allowed" case at the end of this file); with -u 65534 -g 65534 the
# operation is attempted as that uid/gid, which does not own the file.
23 expect 0 create ${n0} 0644
24 expect 0 readacl ${n0}
25 expect 0 -u 65534 -g 65534 readacl ${n0}  # baseline: readable before any deny ACE exists
26 expect 0 prependacl ${n0} user:65534:read_acl::deny
27 expect 0 readacl ${n0}  # still succeeds for the invoking user
28 expect EACCES -u 65534 -g 65534 readacl ${n0}  # the prepended deny takes effect; errno is EACCES, not EPERM
# The allow entry is prepended in front of the earlier deny and wins. The
# outcome depends on ACE order, so a review of such an ACL has to read the
# entries in order rather than just look for the presence of a deny entry.
29 expect 0 prependacl ${n0} user:65534:read_acl::allow
30 expect 0 -u 65534 -g 65534 readacl ${n0}
31 expect 0 readacl ${n0}
34 # Check whether user 65534 is permitted to write ACL.
# NOTE(review): ${n0} is created again here; the removal of the previous file
# is presumably on a line this listing omits (the gutter jumps from 31 to 34).
35 expect 0 create ${n0} 0644
36 expect EPERM -u 65534 -g 65534 prependacl ${n0} user:65534:read_data::allow  # no write_acl yet: refused with EPERM
37 expect 0 prependacl ${n0} user:65534:write_acl::allow
# With write_acl alone the non-owner can now grant itself a further right
# (read_data here). write_acl therefore amounts to control over the object's
# whole ACL and should be delegated about as sparingly as ownership.
38 expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_data::allow
41 # Check whether user 65534 is permitted to write mode.
42 expect 0 create ${n0} 0755
43 expect EPERM -u 65534 -g 65534 chmod ${n0} 0777  # non-owner without write_acl cannot change the mode
44 expect 0 prependacl ${n0} user:65534:write_acl::allow
# write_acl also covers the mode bits: the non-owner can now make the file
# world-writable. Only the chmod result is asserted; the resulting mode is not
# re-read on any line visible here.
45 expect 0 -u 65534 -g 65534 chmod ${n0} 0777
48 # There is an interesting problem with the interaction between ACL_WRITE_ACL
49 # and the SUID/SGID bits. When a user has ACL_WRITE_ACL but is not
50 # the file owner, Solaris does the following:
51 # 1. Setting SUID fails with EPERM.
52 # 2. Setting SGID succeeds, but the mode is not changed.
53 # 3. Modifying the ACL clears neither the SUID nor the SGID bit.
54 # 4. Writing to the file clears both the SUID and the SGID bit.
56 # What we are doing is the following:
57 # 1. Setting SUID or SGID fails with EPERM.
58 # 2. Modifying the ACL clears neither the SUID nor the SGID bit.
59 # 3. Writing to the file clears both the SUID and the SGID bit.
# Why the two cases below matter: if either regressed, a user holding only a
# delegated write_acl could mark a file owned by someone else set-uid/set-gid.
61 # Check whether user 65534 is denied to write mode with SUID bit.
62 expect 0 create ${n0} 0755
63 expect EPERM -u 65534 -g 65534 chmod ${n0} 04777
64 expect 0 prependacl ${n0} user:65534:write_acl::allow
# Still refused after the grant: write_acl does not extend to setting SUID.
# NOTE(review): only the errno is asserted; no stat is visible afterwards to
# confirm that the 0777 part of the request was not applied either.
65 expect EPERM -u 65534 -g 65534 chmod ${n0} 04777
68 # Check whether user 65534 is denied to write mode with SGID bit.
69 expect 0 create ${n0} 0755
70 expect EPERM -u 65534 -g 65534 chmod ${n0} 02777
71 expect 0 prependacl ${n0} user:65534:write_acl::allow
# Same expectation for SGID (this is where the behaviour differs from the
# Solaris list above, item 2).
72 expect EPERM -u 65534 -g 65534 chmod ${n0} 02777
75 # Check whether user 65534 is allowed to write mode with sticky bit.
76 expect 0 mkdir ${n0} 0755  # a directory this time, not a regular file
77 expect EPERM -u 65534 -g 65534 chmod ${n0} 01777  # refused before write_acl is granted
78 expect 0 prependacl ${n0} user:65534:write_acl::allow
# Unlike SUID/SGID, the sticky bit may be set by a non-owner holding write_acl.
79 expect 0 -u 65534 -g 65534 chmod ${n0} 01777
# The three cases below share one shape: the invoking user sets a special mode
# bit and grants write_acl to uid 65534, uid 65534 then prepends an ACE for
# itself, and stat must report the mode unchanged.
82 # Check whether modifying the ACL by not-owner preserves the SUID.
83 expect 0 create ${n0} 04755
84 expect 0 prependacl ${n0} user:65534:write_acl::allow
85 expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow
# The file is still set-uid although the non-owner has just granted itself
# write_data; the safeguard is the clearing of the bits on an actual write,
# which the comment at the end of this group says is covered in chmod/12.t.
86 expect 04755 stat ${n0} mode
89 # Check whether modifying the ACL by not-owner preserves the SGID.
90 expect 0 create ${n0} 02755
91 expect 0 prependacl ${n0} user:65534:write_acl::allow
92 expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow
93 expect 02755 stat ${n0} mode
96 # Check whether modifying the ACL by not-owner preserves the sticky bit.
97 expect 0 mkdir ${n0} 0755
98 expect 0 chmod ${n0} 01755  # sticky bit is set by a separate chmod rather than in the mkdir mode
99 expect 0 prependacl ${n0} user:65534:write_acl::allow
100 expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow
101 expect 01755 stat ${n0} mode
104 # Clearing of the SUID and SGID bits when the file is written to by a
105 # non-owner is checked in chmod/12.t.
107 # Check whether the file owner is always permitted to get and set
108 # ACL and file mode, even if ACL_{READ,WRITE}_ACL would deny it.
# Consequence worth keeping in mind when reviewing ACLs: a deny entry for
# read_acl/write_acl does not bind the owner, so taking ACL control away from
# a user means changing ownership, not adding a deny ACE.
109 expect 0 chmod . 0777  # current directory made world-writable, presumably so uid 65534 can create entries in it
110 expect 0 -u 65534 -g 65534 create ${n0} 0600  # uid 65534 is the owner in this case
111 expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_acl::deny
112 expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_acl::deny  # succeeds although write_acl was denied one line earlier
113 expect 0 -u 65534 -g 65534 readacl ${n0}  # owner reads the ACL despite the read_acl deny
114 expect 0600 -u 65534 -g 65534 stat ${n0} mode  # mode still 0600 after the two deny entries
115 expect 0 -u 65534 -g 65534 chmod ${n0} 0777  # owner changes the mode despite the write_acl deny
116 expect 0 unlink ${n0}
# Same sequence with a directory instead of a regular file.
118 expect 0 -u 65534 -g 65534 mkdir ${n0} 0600
119 expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_acl::deny
120 expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_acl::deny
121 expect 0 -u 65534 -g 65534 readacl ${n0}
122 expect 0600 -u 65534 -g 65534 stat ${n0} mode
123 expect 0 -u 65534 -g 65534 chmod ${n0} 0777
126 # Check whether the root is allowed for these as well.
# The object is created by uid 65534; every following line has no -u/-g and so
# runs as the invoking user, which this section's heading identifies as root.
# The deny entries name everyone@, yet root still reads and changes the ACL
# and the mode: these ACEs are not a control against a privileged account.
127 expect 0 -u 65534 -g 65534 create ${n0} 0600
128 expect 0 prependacl ${n0} everyone@:write_acl::deny
129 expect 0 prependacl ${n0} everyone@:read_acl::deny  # succeeds although write_acl was denied to everyone@ one line earlier
130 expect 0 readacl ${n0}
131 expect 0600 stat ${n0} mode
132 expect 0 chmod ${n0} 0777
133 expect 0 unlink ${n0}
# Same sequence with a directory instead of a regular file.
135 expect 0 -u 65534 -g 65534 mkdir ${n0} 0600
136 expect 0 prependacl ${n0} everyone@:write_acl::deny
137 expect 0 prependacl ${n0} everyone@:read_acl::deny
138 expect 0600 stat ${n0} mode  # mode asserted before readacl ...
139 expect 0 readacl ${n0}
140 expect 0600 stat ${n0} mode  # ... and again after it; the file variant above asserts it once
141 expect 0 chmod ${n0} 0777