1 # Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
3 # Redistribution and use in source and binary forms, with or without
4 # modification, are permitted provided that the following conditions
6 # 1. Redistributions of source code must retain the above copyright
7 # notice, this list of conditions and the following disclaimer.
8 # 2. Redistributions in binary form must reproduce the above copyright
9 # notice, this list of conditions and the following disclaimer in the
10 # documentation and/or other materials provided with the distribution.
12 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
13 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
14 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
15 # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
16 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
17 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
18 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
19 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
21 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 # This is a tools-level test for NFSv4 ACL functionality with PSARC/2010/029
27 # semantics. Run it as root using an ACL-enabled kernel:
29 # /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4-psarc.test
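31 # WARNING: Creates files in an unsafe way. It operates on fixed names (xxx, yyy,
# zzz, ddd) in the current directory and changes the ACL of "." itself, so run
# it only from a dedicated scratch directory.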
37 # Smoke test for getfacl(1).
43 > owner@:rw-p--aARWcCos:-------:allow
44 > group@:r-----a-R-c--s:-------:allow
45 > everyone@:r-----a-R-c--s:-------:allow
48 > owner@:rw-p--aARWcCos:-------:allow
49 > group@:r-----a-R-c--s:-------:allow
50 > everyone@:r-----a-R-c--s:-------:allow
52 # Check verbose mode formatting.
57 > owner@:read_data/write_data/append_data/read_attributes/write_attributes/read_xattr/write_xattr/read_acl/write_acl/write_owner/synchronize::allow
58 > group@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
59 > everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
62 $ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx
67 > owner@:rw-p--aARWcCos:-------:allow
68 > group@:r-----a-R-c--s:-------:allow
69 > user:0:-----------C--:-------:allow
70 > group:1:----------c---:-------:deny
71 > everyone@:r-----a-R-c--s:-------:allow
73 # Test user and group name resolving.
76 $ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx
81 > owner@:rw-p--aARWcCos:-------:allow
82 > group@:r-----a-R-c--s:-------:allow
83 > user:root:-----------C--:-------:allow
84 > group:daemon:----------c---:-------:deny
85 > everyone@:r-----a-R-c--s:-------:allow
87 # Check whether ls correctly marks files with "+".
88 $ ls -l xxx | cut -d' ' -f1
91 # Test removing entries by number.
97 > owner@:rw-p--aARWcCos:-------:allow
98 > user:0:-----------C--:-------:allow
99 > group:1:----------c---:-------:deny
100 > everyone@:r-----a-R-c--s:-------:allow
103 $ setfacl -a0 everyone@:rwx:deny xxx
104 $ setfacl -a0 everyone@:rwx:deny xxx
105 $ setfacl -a0 everyone@:rwx:deny xxx
106 $ setfacl -m everyone@::deny xxx
111 > everyone@:--------------:-------:deny
112 > everyone@:--------------:-------:deny
113 > everyone@:--------------:-------:deny
114 > owner@:rw-p--aARWcCos:-------:allow
115 > user:0:-----------C--:-------:allow
116 > group:1:----------c---:-------:deny
117 > everyone@:r-----a-R-c--s:-------:allow
124 > everyone@:--------------:-------:deny
125 > everyone@:--------------:-------:deny
126 > everyone@:--------------:-------:deny
127 > owner@:rw-p--aARWcCos:-------:allow
128 > user:root:-----------C--:-------:allow:0
129 > group:daemon:----------c---:-------:deny:1
130 > everyone@:r-----a-R-c--s:-------:allow
132 # Make sure cp without any flags does not copy the ACL.
134 $ ls -l yyy | cut -d' ' -f1
137 # Make sure it does with the "-p" flag.
144 > everyone@:--------------:-------:deny
145 > everyone@:--------------:-------:deny
146 > everyone@:--------------:-------:deny
147 > owner@:rw-p--aARWcCos:-------:allow
148 > user:0:-----------C--:-------:allow
149 > group:1:----------c---:-------:deny
150 > everyone@:r-----a-R-c--s:-------:allow
154 # Test removing entries by... by example?
155 $ setfacl -x everyone@::deny xxx
160 > owner@:rw-p--aARWcCos:-------:allow
161 > user:0:-----------C--:-------:allow
162 > group:1:----------c---:-------:deny
163 > everyone@:r-----a-R-c--s:-------:allow
171 > owner@:rw-p--aARWcCos:-------:allow
172 > group@:r-----a-R-c--s:-------:allow
173 > everyone@:r-----a-R-c--s:-------:allow
175 $ ls -l xxx | cut -d' ' -f1
178 # Check setfacl(1) and getfacl(1) with multiple files.
181 $ ls -l xxx yyy zzz | cut -d' ' -f1
186 $ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz
187 > setfacl: nnn: acl_get_file() failed: No such file or directory
189 $ ls -l nnn xxx yyy zzz | cut -d' ' -f1
190 > ls: nnn: No such file or directory
195 $ getfacl -nq nnn xxx yyy zzz
196 > getfacl: nnn: stat() failed: No such file or directory
197 > user:42:--x-----------:-------:allow
198 > group:43:-w------------:-------:allow
199 > owner@:rw-p--aARWcCos:-------:allow
200 > group@:r-----a-R-c--s:-------:allow
201 > everyone@:r-----a-R-c--s:-------:allow
203 > user:42:--x-----------:-------:allow
204 > group:43:-w------------:-------:allow
205 > owner@:rw-p--aARWcCos:-------:allow
206 > group@:r-----a-R-c--s:-------:allow
207 > everyone@:r-----a-R-c--s:-------:allow
209 > user:42:--x-----------:-------:allow
210 > group:43:-w------------:-------:allow
211 > owner@:rw-p--aARWcCos:-------:allow
212 > group@:r-----a-R-c--s:-------:allow
213 > everyone@:r-----a-R-c--s:-------:allow
215 $ setfacl -b nnn xxx yyy zzz
216 > setfacl: nnn: acl_get_file() failed: No such file or directory
218 $ ls -l nnn xxx yyy zzz | cut -d' ' -f1
219 > ls: nnn: No such file or directory
226 # Test applying mode to an ACL.
228 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx
234 > owner@:rw-p--aARWcCos:-------:allow
235 > group@:------a-R-c--s:-------:allow
236 > everyone@:------a-R-c--s:-------:allow
238 $ ls -l xxx | cut -d' ' -f1
244 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
250 > owner@:rw-p--aARWcCos:-------:allow
251 > group@:------a-R-c--s:-------:allow
252 > everyone@:------a-R-c--s:-------:allow
253 $ ls -l xxx | cut -d' ' -f1
259 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
265 > owner@:rw-p----------:-------:deny
266 > group@:r-------------:-------:deny
267 > owner@:--x---aARWcCos:-------:allow
268 > group@:-w-p--a-R-c--s:-------:allow
269 > everyone@:r-----a-R-c--s:-------:allow
270 $ ls -l xxx | cut -d' ' -f1
276 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
282 > owner@:-wxp----------:-------:deny
283 > group@:-w-p----------:-------:deny
284 > owner@:r-----aARWcCos:-------:allow
285 > group@:--x---a-R-c--s:-------:allow
286 > everyone@:-w-p--a-R-c--s:-------:allow
287 $ ls -l xxx | cut -d' ' -f1
291 $ setfacl -a0 group:44:rwapd:allow ddd
292 $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
293 $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
294 $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
299 > user:42:r-x-----------:f-i----:allow
300 > group:42:-w--D---------:-d-----:allow
301 > group:43:-w--D---------:-d-----:deny
302 > group@:-----da-------:-------:allow
303 > group:44:rw-p-da-------:-------:allow
304 > owner@:rwxp--aARWcCos:-------:allow
305 > group@:r-x---a-R-c--s:-------:allow
306 > everyone@:-w-p--a-R-c--s:f-i----:allow
313 > owner@:rwxp--aARWcCos:-------:allow
314 > group@:rwxp--a-R-c--s:-------:allow
315 > everyone@:rwxp--a-R-c--s:-------:allow
317 # Test applying ACL to mode.
320 $ setfacl -a0 u:42:rwx:fi:allow ddd
321 $ ls -ld ddd | cut -d' ' -f1
327 $ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd
328 $ ls -ld ddd | cut -d' ' -f1
334 $ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd
335 $ ls -ld ddd | cut -d' ' -f1
341 $ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd
342 $ ls -ld ddd | cut -d' ' -f1
348 $ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd
349 $ ls -ld ddd | cut -d' ' -f1
355 $ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd
356 $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd
357 $ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd
358 $ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd
359 $ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd
361 > user:41:-w-----A------:f--n---:allow
362 > group:41:r-----a-------:-din---:allow
363 > user:42:-----------Co-:f-i----:allow
364 > user:42:r-x-----------:f-i----:allow
365 > group:42:-w--D---------:-d-n---:deny
366 > group:43:-w---------C--:f-in---:deny
367 > user:43:rwxp----------:-------:allow
368 > owner@:rwxp--aARWcCos:-------:allow
369 > group@:r-x---a-R-c--s:-------:allow
370 > everyone@:r-x---a-R-c--s:-------:allow
375 > user:41:--------------:------I:allow
376 > user:42:--------------:------I:allow
377 > user:42:r-------------:------I:allow
378 > group:43:-w---------C--:------I:deny
379 > owner@:rw-p--aARWcCos:-------:allow
380 > group@:r-----a-R-c--s:-------:allow
381 > everyone@:r-----a-R-c--s:-------:allow
387 > user:41:--------------:------I:allow
388 > user:42:--------------:------I:allow
389 > user:42:--------------:------I:allow
390 > group:43:-w---------C--:------I:deny
391 > owner@:rw-p--aARWcCos:-------:allow
392 > group@:------a-R-c--s:-------:allow
393 > everyone@:------a-R-c--s:-------:allow
399 > owner@:rw-p----------:-------:deny
400 > group@:rw-p----------:-------:deny
401 > user:41:--------------:------I:allow
402 > user:42:--------------:------I:allow
403 > user:42:--------------:------I:allow
404 > group:43:-w---------C--:------I:deny
405 > owner@:------aARWcCos:-------:allow
406 > group@:------a-R-c--s:-------:allow
407 > everyone@:rw-p--a-R-c--s:-------:allow
413 > owner@:rw-p----------:-------:deny
414 > user:41:-w------------:------I:allow
415 > user:42:--------------:------I:allow
416 > user:42:r-------------:------I:allow
417 > group:43:-w---------C--:------I:deny
418 > owner@:------aARWcCos:-------:allow
419 > group@:rw-p--a-R-c--s:-------:allow
420 > everyone@:------a-R-c--s:-------:allow
425 > group:41:------a-------:------I:allow
426 > user:42:-----------Co-:f-i---I:allow
427 > user:42:r-x-----------:f-i---I:allow
428 > group:42:-w--D---------:------I:deny
429 > owner@:rwxp--aARWcCos:-------:allow
430 > group@:------a-R-c--s:-------:allow
431 > everyone@:------a-R-c--s:-------:allow
437 > owner@:rwxp----------:-------:deny
438 > group@:rwxp----------:-------:deny
439 > group:41:------a-------:------I:allow
440 > user:42:-----------Co-:f-i---I:allow
441 > user:42:r-x-----------:f-i---I:allow
442 > group:42:-w--D---------:------I:deny
443 > owner@:------aARWcCos:-------:allow
444 > group@:------a-R-c--s:-------:allow
445 > everyone@:rwxp--a-R-c--s:-------:allow
451 > owner@:rwxp----------:-------:deny
452 > group:41:r-----a-------:------I:allow
453 > user:42:-----------Co-:f-i---I:allow
454 > user:42:r-x-----------:f-i---I:allow
455 > group:42:-w--D---------:------I:deny
456 > owner@:------aARWcCos:-------:allow
457 > group@:rwxp--a-R-c--s:-------:allow
458 > everyone@:------a-R-c--s:-------:allow
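460 # There is some complication regarding how write_acl and write_owner flags
461 # get inherited. Make sure we got it right.
# In the expected output below, inherited "allow" entries have write_acl (C)
# and write_owner (o) cleared unless the entry is still inherit-only (i) on the
# new object, while inherited "deny" entries keep both bits. Presumably this
# keeps inheritance alone from granting the right to rewrite an object's ACL
# or change its owner.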
463 $ setfacl -a0 u:42:Co:f:allow .
464 $ setfacl -a0 u:43:Co:d:allow .
465 $ setfacl -a0 u:44:Co:fd:allow .
466 $ setfacl -a0 u:45:Co:fi:allow .
467 $ setfacl -a0 u:46:Co:di:allow .
468 $ setfacl -a0 u:47:Co:fdi:allow .
469 $ setfacl -a0 u:48:Co:fn:allow .
470 $ setfacl -a0 u:49:Co:dn:allow .
471 $ setfacl -a0 u:50:Co:fdn:allow .
472 $ setfacl -a0 u:51:Co:fni:allow .
473 $ setfacl -a0 u:52:Co:dni:allow .
474 $ setfacl -a0 u:53:Co:fdni:allow .
479 > user:53:--------------:------I:allow
480 > user:51:--------------:------I:allow
481 > user:50:--------------:------I:allow
482 > user:48:--------------:------I:allow
483 > user:47:--------------:------I:allow
484 > user:45:--------------:------I:allow
485 > user:44:--------------:------I:allow
486 > user:42:--------------:------I:allow
487 > owner@:rw-p--aARWcCos:-------:allow
488 > group@:r-----a-R-c--s:-------:allow
489 > everyone@:r-----a-R-c--s:-------:allow
494 > user:53:--------------:------I:allow
495 > user:52:--------------:------I:allow
496 > user:50:--------------:------I:allow
497 > user:49:--------------:------I:allow
498 > user:47:--------------:fd----I:allow
499 > user:46:--------------:-d----I:allow
500 > user:45:-----------Co-:f-i---I:allow
501 > user:44:--------------:fd----I:allow
502 > user:43:--------------:-d----I:allow
503 > user:42:-----------Co-:f-i---I:allow
504 > owner@:rwxp--aARWcCos:-------:allow
505 > group@:r-x---a-R-c--s:-------:allow
506 > everyone@:r-x---a-R-c--s:-------:allow
509 $ setfacl -a0 u:42:Co:f:deny .
510 $ setfacl -a0 u:43:Co:d:deny .
511 $ setfacl -a0 u:44:Co:fd:deny .
512 $ setfacl -a0 u:45:Co:fi:deny .
513 $ setfacl -a0 u:46:Co:di:deny .
514 $ setfacl -a0 u:47:Co:fdi:deny .
515 $ setfacl -a0 u:48:Co:fn:deny .
516 $ setfacl -a0 u:49:Co:dn:deny .
517 $ setfacl -a0 u:50:Co:fdn:deny .
518 $ setfacl -a0 u:51:Co:fni:deny .
519 $ setfacl -a0 u:52:Co:dni:deny .
520 $ setfacl -a0 u:53:Co:fdni:deny .
525 > user:53:-----------Co-:------I:deny
526 > user:51:-----------Co-:------I:deny
527 > user:50:-----------Co-:------I:deny
528 > user:48:-----------Co-:------I:deny
529 > user:47:-----------Co-:------I:deny
530 > user:45:-----------Co-:------I:deny
531 > user:44:-----------Co-:------I:deny
532 > user:42:-----------Co-:------I:deny
533 > owner@:rw-p--aARWcCos:-------:allow
534 > group@:r-----a-R-c--s:-------:allow
535 > everyone@:r-----a-R-c--s:-------:allow
540 > user:53:-----------Co-:------I:deny
541 > user:52:-----------Co-:------I:deny
542 > user:50:-----------Co-:------I:deny
543 > user:49:-----------Co-:------I:deny
544 > user:47:-----------Co-:fd----I:deny
545 > user:46:-----------Co-:-d----I:deny
546 > user:45:-----------Co-:f-i---I:deny
547 > user:44:-----------Co-:fd----I:deny
548 > user:43:-----------Co-:-d----I:deny
549 > user:42:-----------Co-:f-i---I:deny
550 > owner@:rwxp--aARWcCos:-------:allow
551 > group@:r-x---a-R-c--s:-------:allow
552 > everyone@:r-x---a-R-c--s:-------:allow
560 # Test basic recursive setting of ACLs.
565 $ setfacl -R -m owner@:full_set:f:allow,group@:full_set::allow,everyone@:full_set::allow ddd
567 > owner@:rwxpDdaARWcCos:f------:allow
568 > group@:rwxpDdaARWcCos:-------:allow
569 > everyone@:rwxpDdaARWcCos:-------:allow
571 > owner@:rwxpDdaARWcCos:-------:allow
572 > group@:rwxpDdaARWcCos:-------:allow
573 > everyone@:rwxpDdaARWcCos:-------:allow
575 > owner@:rwxpDdaARWcCos:f------:allow
576 > group@:rwxpDdaARWcCos:-------:allow
577 > everyone@:rwxpDdaARWcCos:-------:allow
578 $ getfacl -q ddd/eee/yyy
579 > owner@:rwxpDdaARWcCos:-------:allow
580 > group@:rwxpDdaARWcCos:-------:allow
581 > everyone@:rwxpDdaARWcCos:-------:allow