1 # Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
4 # Redistribution and use in source and binary forms, with or without
5 # modification, are permitted provided that the following conditions
7 # 1. Redistributions of source code must retain the above copyright
8 # notice, this list of conditions and the following disclaimer.
9 # 2. Redistributions in binary form must reproduce the above copyright
10 # notice, this list of conditions and the following disclaimer in the
11 # documentation and/or other materials provided with the distribution.
13 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 # This is a tools-level test for NFSv4 ACL functionality. Run it as root
29 # using an ACL-enabled kernel:
31 # /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test
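33 # WARNING: Creates files in an unsafe way. The commands below run as root on fixed names (xxx, yyy, zzz, ddd), so use a dedicated scratch directory.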
39 # Smoke test for getfacl(1).
45 > owner@:--x-----------:-------:deny
46 > owner@:rw-p---A-W-Co-:-------:allow
47 > group@:-wxp----------:-------:deny
48 > group@:r-------------:-------:allow
49 > everyone@:-wxp---A-W-Co-:-------:deny
50 > everyone@:r-----a-R-c--s:-------:allow
53 > owner@:--x-----------:-------:deny
54 > owner@:rw-p---A-W-Co-:-------:allow
55 > group@:-wxp----------:-------:deny
56 > group@:r-------------:-------:allow
57 > everyone@:-wxp---A-W-Co-:-------:deny
58 > everyone@:r-----a-R-c--s:-------:allow
60 # Check verbose mode formatting.
65 > owner@:execute::deny
66 > owner@:read_data/write_data/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
67 > group@:write_data/execute/append_data::deny
68 > group@:read_data::allow
69 > everyone@:write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::deny
70 > everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
73 $ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx
78 > owner@:--x-----------:-------:deny
79 > owner@:rw-p---A-W-Co-:-------:allow
80 > user:0:-----------C--:-------:allow
81 > group:1:----------c---:-------:deny
82 > group@:-wxp----------:-------:deny
83 > group@:r-------------:-------:allow
84 > everyone@:-wxp---A-W-Co-:-------:deny
85 > everyone@:r-----a-R-c--s:-------:allow
87 # Test user and group name resolving.
90 $ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx
95 > owner@:--x-----------:-------:deny
96 > owner@:rw-p---A-W-Co-:-------:allow
97 > user:root:-----------C--:-------:allow
98 > group:daemon:----------c---:-------:deny
99 > group@:-wxp----------:-------:deny
100 > group@:r-------------:-------:allow
101 > everyone@:-wxp---A-W-Co-:-------:deny
102 > everyone@:r-----a-R-c--s:-------:allow
104 # Check whether ls correctly marks files with "+".
105 $ ls -l xxx | cut -d' ' -f1
108 # Test removing entries by number.
115 > owner@:--x-----------:-------:deny
116 > owner@:rw-p---A-W-Co-:-------:allow
117 > user:0:-----------C--:-------:allow
118 > group:1:----------c---:-------:deny
119 > everyone@:-wxp---A-W-Co-:-------:deny
120 > everyone@:r-----a-R-c--s:-------:allow
# Prepend (-a0) the same everyone@ deny entry three times, then modify (-m)
# everyone@ deny with an empty permission set.
# NOTE(review): the next expected listing shows every everyone@ deny entry,
# including the one that was there before, with no permissions set; an entry
# in that state denies nothing.
123 $ setfacl -a0 everyone@:rwx:deny xxx
124 $ setfacl -a0 everyone@:rwx:deny xxx
125 $ setfacl -a0 everyone@:rwx:deny xxx
126 $ setfacl -m everyone@::deny xxx
131 > everyone@:--------------:-------:deny
132 > everyone@:--------------:-------:deny
133 > everyone@:--------------:-------:deny
134 > owner@:--x-----------:-------:deny
135 > owner@:rw-p---A-W-Co-:-------:allow
136 > user:0:-----------C--:-------:allow
137 > group:1:----------c---:-------:deny
138 > everyone@:--------------:-------:deny
139 > everyone@:r-----a-R-c--s:-------:allow
146 > everyone@:--------------:-------:deny
147 > everyone@:--------------:-------:deny
148 > everyone@:--------------:-------:deny
149 > owner@:--x-----------:-------:deny
150 > owner@:rw-p---A-W-Co-:-------:allow
151 > user:root:-----------C--:-------:allow:0
152 > group:daemon:----------c---:-------:deny:1
153 > everyone@:--------------:-------:deny
154 > everyone@:r-----a-R-c--s:-------:allow
156 # Make sure cp without any flags does not copy the ACL.
158 $ ls -l yyy | cut -d' ' -f1
161 # Make sure it does with the "-p" flag.
168 > everyone@:--------------:-------:deny
169 > everyone@:--------------:-------:deny
170 > everyone@:--------------:-------:deny
171 > owner@:--x-----------:-------:deny
172 > owner@:rw-p---A-W-Co-:-------:allow
173 > user:0:-----------C--:-------:allow
174 > group:1:----------c---:-------:deny
175 > everyone@:--------------:-------:deny
176 > everyone@:r-----a-R-c--s:-------:allow
180 # Test removing entries by... by example?
181 $ setfacl -x everyone@::deny xxx
186 > owner@:--x-----------:-------:deny
187 > owner@:rw-p---A-W-Co-:-------:allow
188 > user:0:-----------C--:-------:allow
189 > group:1:----------c---:-------:deny
190 > everyone@:r-----a-R-c--s:-------:allow
198 > owner@:--x-----------:-------:deny
199 > owner@:rw-p---A-W-Co-:-------:allow
200 > group@:-wxp----------:-------:deny
201 > group@:r-------------:-------:allow
202 > everyone@:-wxp---A-W-Co-:-------:deny
203 > everyone@:r-----a-R-c--s:-------:allow
205 $ ls -l xxx | cut -d' ' -f1
208 # Check setfacl(1) and getfacl(1) with multiple files.
211 $ ls -l xxx yyy zzz | cut -d' ' -f1
216 $ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz
217 > setfacl: nnn: acl_get_file() failed: No such file or directory
219 $ ls -l nnn xxx yyy zzz | cut -d' ' -f1
220 > ls: nnn: No such file or directory
225 $ getfacl -nq nnn xxx yyy zzz
226 > getfacl: nnn: stat() failed: No such file or directory
227 > user:42:--x-----------:-------:allow
228 > group:43:-w------------:-------:allow
229 > owner@:--x-----------:-------:deny
230 > owner@:rw-p---A-W-Co-:-------:allow
231 > group@:-wxp----------:-------:deny
232 > group@:r-------------:-------:allow
233 > everyone@:-wxp---A-W-Co-:-------:deny
234 > everyone@:r-----a-R-c--s:-------:allow
236 > user:42:--x-----------:-------:allow
237 > group:43:-w------------:-------:allow
238 > owner@:--x-----------:-------:deny
239 > owner@:rw-p---A-W-Co-:-------:allow
240 > group@:-wxp----------:-------:deny
241 > group@:r-------------:-------:allow
242 > everyone@:-wxp---A-W-Co-:-------:deny
243 > everyone@:r-----a-R-c--s:-------:allow
245 > user:42:--x-----------:-------:allow
246 > group:43:-w------------:-------:allow
247 > owner@:--x-----------:-------:deny
248 > owner@:rw-p---A-W-Co-:-------:allow
249 > group@:-wxp----------:-------:deny
250 > group@:r-------------:-------:allow
251 > everyone@:-wxp---A-W-Co-:-------:deny
252 > everyone@:r-----a-R-c--s:-------:allow
254 $ setfacl -b nnn xxx yyy zzz
255 > setfacl: nnn: acl_get_file() failed: No such file or directory
257 $ ls -l nnn xxx yyy zzz | cut -d' ' -f1
258 > ls: nnn: No such file or directory
265 # Test applying mode to an ACL.
267 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx
273 > user:42:r-------------:-------:deny
274 > user:42:r-------------:-------:allow
275 > user:43:-w------------:-------:deny
276 > user:43:-w------------:-------:allow
277 > user:44:--x-----------:-------:deny
278 > user:44:--x-----------:-------:allow
279 > owner@:--------------:-------:deny
280 > owner@:-------A-W-Co-:-------:allow
281 > group@:--------------:-------:deny
282 > group@:--------------:-------:allow
283 > everyone@:-------A-W-Co-:-------:deny
284 > owner@:--x-----------:-------:deny
285 > owner@:rw-p---A-W-Co-:-------:allow
286 > group@:rwxp----------:-------:deny
287 > group@:--------------:-------:allow
288 > everyone@:rwxp---A-W-Co-:-------:deny
289 > everyone@:------a-R-c--s:-------:allow
290 $ ls -l xxx | cut -d' ' -f1
296 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
302 > user:42:--------------:-------:deny
303 > user:42:r-------------:-------:allow
304 > user:43:-w------------:-------:deny
305 > user:43:-w------------:-------:allow
306 > user:44:--x-----------:-------:deny
307 > user:44:--x-----------:-------:allow
308 > owner@:--x-----------:-------:deny
309 > owner@:rw-p---A-W-Co-:-------:allow
310 > group@:rwxp----------:-------:deny
311 > group@:--------------:-------:allow
312 > everyone@:rwxp---A-W-Co-:-------:deny
313 > everyone@:------a-R-c--s:-------:allow
314 $ ls -l xxx | cut -d' ' -f1
320 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
326 > user:42:r-------------:-------:deny
327 > user:42:r-------------:-------:allow
328 > user:43:-w------------:-------:deny
329 > user:43:-w------------:-------:allow
330 > user:44:--x-----------:-------:deny
331 > user:44:--x-----------:-------:allow
332 > owner@:rw-p----------:-------:deny
333 > owner@:--x----A-W-Co-:-------:allow
334 > group@:r-x-----------:-------:deny
335 > group@:-w-p----------:-------:allow
336 > everyone@:-wxp---A-W-Co-:-------:deny
337 > everyone@:r-----a-R-c--s:-------:allow
338 $ ls -l xxx | cut -d' ' -f1
344 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
350 > user:42:r-------------:-------:deny
351 > user:42:r-------------:-------:allow
352 > user:43:-w------------:-------:deny
353 > user:43:-w------------:-------:allow
354 > user:44:--------------:-------:deny
355 > user:44:--x-----------:-------:allow
356 > owner@:-wxp----------:-------:deny
357 > owner@:r------A-W-Co-:-------:allow
358 > group@:rw-p----------:-------:deny
359 > group@:--x-----------:-------:allow
360 > everyone@:r-x----A-W-Co-:-------:deny
361 > everyone@:-w-p--a-R-c--s:-------:allow
362 $ ls -l xxx | cut -d' ' -f1
366 $ setfacl -a0 group:44:rwapd:allow ddd
367 $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
368 $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
369 $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
374 > user:42:r-x-----------:f-i----:allow
375 > group:42:-w--D---------:-d-----:allow
376 > group:43:-w--D---------:-d-----:deny
377 > group@:-----da-------:-------:allow
378 > group:44:rw-p-da-------:-------:allow
379 > owner@:--------------:-------:deny
380 > owner@:rwxp---A-W-Co-:-------:allow
381 > group@:-w-p----------:-------:deny
382 > group@:r-x-----------:-------:allow
383 > everyone@:-w-p---A-W-Co-:-------:deny
384 > everyone@:-w-p--a-R-c--s:f-i----:allow
390 > user:42:r-x-----------:f-i----:allow
391 > group:42:-w--D---------:-di----:allow
392 > group:42:--------------:-------:deny
393 > group:42:-w--D---------:-------:allow
394 > group:43:-w--D---------:-di----:deny
395 > group:43:-w--D---------:-------:deny
396 > group@:-----da-------:-------:allow
397 > group:44:--------------:-------:deny
398 > group:44:rw-p-da-------:-------:allow
399 > owner@:--------------:-------:deny
400 > owner@:-------A-W-Co-:-------:allow
401 > group@:--------------:-------:deny
402 > group@:--------------:-------:allow
403 > everyone@:-------A-W-Co-:-------:deny
404 > everyone@:-w-p--a-R-c--s:f-i----:allow
405 > owner@:--------------:-------:deny
406 > owner@:rwxp---A-W-Co-:-------:allow
407 > group@:--------------:-------:deny
408 > group@:rwxp----------:-------:allow
409 > everyone@:-------A-W-Co-:-------:deny
410 > everyone@:rwxp--a-R-c--s:-------:allow
414 $ setfacl -a0 group:44:rwapd:allow ddd
415 $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
416 $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
417 $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
423 > user:42:r-x-----------:f-i----:allow
424 > group:42:-w--D---------:-di----:allow
425 > group:42:--------------:-------:deny
426 > group:42:----D---------:-------:allow
427 > group:43:-w--D---------:-di----:deny
428 > group:43:-w--D---------:-------:deny
429 > group@:-----da-------:-------:allow
430 > group:44:r-------------:-------:deny
431 > group:44:r----da-------:-------:allow
432 > owner@:--------------:-------:deny
433 > owner@:-------A-W-Co-:-------:allow
434 > group@:--------------:-------:deny
435 > group@:--------------:-------:allow
436 > everyone@:-------A-W-Co-:-------:deny
437 > everyone@:-w-p--a-R-c--s:f-i----:allow
438 > owner@:rw-p----------:-------:deny
439 > owner@:--x----A-W-Co-:-------:allow
440 > group@:r-x-----------:-------:deny
441 > group@:-w-p----------:-------:allow
442 > everyone@:-wxp---A-W-Co-:-------:deny
443 > everyone@:r-----a-R-c--s:-------:allow
447 $ setfacl -a0 group:44:rwapd:allow ddd
448 $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
449 $ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
450 $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
456 > user:42:r-------------:-------:deny
457 > user:42:r-x-----------:-------:allow
458 > user:42:r-x-----------:f-i----:allow
459 > group:42:-w--D---------:-di----:allow
460 > group:42:-w------------:-------:deny
461 > group:42:-w--D---------:-------:allow
462 > group:43:-w--D---------:-di----:deny
463 > group:43:-w--D---------:-------:deny
464 > group@:-----da-------:-------:allow
465 > group:44:rw-p----------:-------:deny
466 > group:44:rw-p-da-------:-------:allow
467 > owner@:--------------:-------:deny
468 > owner@:-------A-W-Co-:-------:allow
469 > group@:--------------:-------:deny
470 > group@:--------------:-------:allow
471 > everyone@:-------A-W-Co-:-------:deny
472 > everyone@:-w-p--a-R-c--s:f-i----:allow
473 > owner@:-wxp----------:-------:deny
474 > owner@:r------A-W-Co-:-------:allow
475 > group@:rw-p----------:-------:deny
476 > group@:--x-----------:-------:allow
477 > everyone@:r-x----A-W-Co-:-------:deny
478 > everyone@:-w-p--a-R-c--s:-------:allow
482 $ setfacl -a0 group:44:rwapd:allow ddd
483 $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
484 $ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
485 $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
492 > user:42:--x-----------:-------:deny
493 > user:42:r-x-----------:-------:allow
494 > user:42:r-x-----------:f-i----:allow
495 > group:42:-w--D---------:-di----:allow
496 > group:42:-w------------:-------:deny
497 > group:42:-w--D---------:-------:allow
498 > group:43:-w--D---------:-di----:deny
499 > group:43:-w--D---------:-------:deny
500 > group@:-----da-------:-------:allow
501 > group:44:rw-p----------:-------:deny
502 > group:44:rw-p-da-------:-------:allow
503 > owner@:--------------:-------:deny
504 > owner@:-------A-W-Co-:-------:allow
505 > group@:--------------:-------:deny
506 > group@:--------------:-------:allow
507 > everyone@:-------A-W-Co-:-------:deny
508 > everyone@:-w-p--a-R-c--s:f-i----:allow
509 > owner@:-wxp----------:-------:deny
510 > owner@:r------A-W-Co-:-------:allow
511 > group@:rw-p----------:-------:deny
512 > group@:--x-----------:-------:allow
513 > everyone@:r-x----A-W-Co-:-------:deny
514 > everyone@:-w-p--a-R-c--s:-------:allow
516 # Test applying ACL to mode.
519 $ setfacl -a0 u:42:rwx:fi:allow ddd
520 $ ls -ld ddd | cut -d' ' -f1
526 $ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd
527 $ ls -ld ddd | cut -d' ' -f1
533 $ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd
534 $ ls -ld ddd | cut -d' ' -f1
540 $ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd
541 $ ls -ld ddd | cut -d' ' -f1
547 $ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd
548 $ ls -ld ddd | cut -d' ' -f1
554 $ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd
555 $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd
556 $ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd
557 $ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd
558 $ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd
560 > user:41:-w-----A------:f--n---:allow
561 > group:41:r-----a-------:-din---:allow
562 > user:42:-----------Co-:f-i----:allow
563 > user:42:r-x-----------:f-i----:allow
564 > group:42:-w--D---------:-d-n---:deny
565 > group:43:-w---------C--:f-in---:deny
566 > user:43:rwxp----------:-------:allow
567 > owner@:--------------:-------:deny
568 > owner@:rwxp---A-W-Co-:-------:allow
569 > group@:-w-p----------:-------:deny
570 > group@:r-x-----------:-------:allow
571 > everyone@:-w-p---A-W-Co-:-------:deny
572 > everyone@:r-x---a-R-c--s:-------:allow
577 > user:41:-w------------:-------:deny
578 > user:41:-w-----A------:-------:allow
579 > user:42:--------------:-------:deny
580 > user:42:--------------:-------:allow
581 > user:42:--x-----------:-------:deny
582 > user:42:r-x-----------:-------:allow
583 > group:43:-w---------C--:-------:deny
584 > owner@:--x-----------:-------:deny
585 > owner@:rw-p---A-W-Co-:-------:allow
586 > group@:-wxp----------:-------:deny
587 > group@:r-------------:-------:allow
588 > everyone@:-wxp---A-W-Co-:-------:deny
589 > everyone@:r-----a-R-c--s:-------:allow
595 > user:41:-w------------:-------:deny
596 > user:41:-w-----A------:-------:allow
597 > user:42:--------------:-------:deny
598 > user:42:--------------:-------:allow
599 > user:42:r-x-----------:-------:deny
600 > user:42:r-x-----------:-------:allow
601 > group:43:-w---------C--:-------:deny
602 > owner@:--x-----------:-------:deny
603 > owner@:rw-p---A-W-Co-:-------:allow
604 > group@:rwxp----------:-------:deny
605 > group@:--------------:-------:allow
606 > everyone@:rwxp---A-W-Co-:-------:deny
607 > everyone@:------a-R-c--s:-------:allow
613 > user:41:-w------------:-------:deny
614 > user:41:-w-----A------:-------:allow
615 > user:42:--------------:-------:deny
616 > user:42:--------------:-------:allow
617 > user:42:r-x-----------:-------:deny
618 > user:42:r-x-----------:-------:allow
619 > group:43:-w---------C--:-------:deny
620 > owner@:rwxp----------:-------:deny
621 > owner@:-------A-W-Co-:-------:allow
622 > group@:rwxp----------:-------:deny
623 > group@:--------------:-------:allow
624 > everyone@:--x----A-W-Co-:-------:deny
625 > everyone@:rw-p--a-R-c--s:-------:allow
631 > user:41:--------------:-------:deny
632 > user:41:-w-----A------:-------:allow
633 > user:42:--------------:-------:deny
634 > user:42:--------------:-------:allow
635 > user:42:--x-----------:-------:deny
636 > user:42:r-x-----------:-------:allow
637 > group:43:-w---------C--:-------:deny
638 > owner@:rwxp----------:-------:deny
639 > owner@:-------A-W-Co-:-------:allow
640 > group@:--x-----------:-------:deny
641 > group@:rw-p----------:-------:allow
642 > everyone@:rwxp---A-W-Co-:-------:deny
643 > everyone@:------a-R-c--s:-------:allow
648 > group:41:r-------------:-------:deny
649 > group:41:r-----a-------:-------:allow
650 > user:42:-----------Co-:f-i----:allow
651 > user:42:r-x-----------:f-i----:allow
652 > group:42:-w--D---------:-------:deny
653 > owner@:--------------:-------:deny
654 > owner@:rwxp---A-W-Co-:-------:allow
655 > group@:rwxp----------:-------:deny
656 > group@:--------------:-------:allow
657 > everyone@:rwxp---A-W-Co-:-------:deny
658 > everyone@:------a-R-c--s:-------:allow
664 > group:41:r-------------:-------:deny
665 > group:41:r-----a-------:-------:allow
666 > user:42:-----------Co-:f-i----:allow
667 > user:42:r-x-----------:f-i----:allow
668 > group:42:-w--D---------:-------:deny
669 > owner@:rwxp----------:-------:deny
670 > owner@:-------A-W-Co-:-------:allow
671 > group@:rwxp----------:-------:deny
672 > group@:--------------:-------:allow
673 > everyone@:-------A-W-Co-:-------:deny
674 > everyone@:rwxp--a-R-c--s:-------:allow
680 > group:41:--------------:-------:deny
681 > group:41:------a-------:-------:allow
682 > user:42:-----------Co-:f-i----:allow
683 > user:42:r-x-----------:f-i----:allow
684 > group:42:-w--D---------:-------:deny
685 > owner@:rwxp----------:-------:deny
686 > owner@:-------A-W-Co-:-------:allow
687 > group@:--------------:-------:deny
688 > group@:rwxp----------:-------:allow
689 > everyone@:rwxp---A-W-Co-:-------:deny
690 > everyone@:------a-R-c--s:-------:allow
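692 # The way the write_acl (C) and write_owner (o) permissions are inherited is subtle: in the expected listings below, allow entries
693 # with no inheritance flags come out with C and o cleared, while deny entries keep them. Make sure we got it right.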
# Prepend (-a0) one allow entry granting write_acl (C) and write_owner (o) to
# each of uids 42-53 on the current directory, each with a different
# combination of the inheritance flags f, d, n and i (file_inherit,
# dir_inherit, no_propagate, inherit_only).
# NOTE(review): in the expected listings after this run, the allow entries with
# empty inheritance flags carry neither C nor o; presumably those listings are
# the ACLs of children created afterwards -- confirm against the commands that
# produce them.
695 $ setfacl -a0 u:42:Co:f:allow .
696 $ setfacl -a0 u:43:Co:d:allow .
697 $ setfacl -a0 u:44:Co:fd:allow .
698 $ setfacl -a0 u:45:Co:fi:allow .
699 $ setfacl -a0 u:46:Co:di:allow .
700 $ setfacl -a0 u:47:Co:fdi:allow .
701 $ setfacl -a0 u:48:Co:fn:allow .
702 $ setfacl -a0 u:49:Co:dn:allow .
703 $ setfacl -a0 u:50:Co:fdn:allow .
704 $ setfacl -a0 u:51:Co:fni:allow .
705 $ setfacl -a0 u:52:Co:dni:allow .
706 $ setfacl -a0 u:53:Co:fdni:allow .
711 > user:53:--------------:-------:deny
712 > user:53:--------------:-------:allow
713 > user:51:--------------:-------:deny
714 > user:51:--------------:-------:allow
715 > user:50:--------------:-------:deny
716 > user:50:--------------:-------:allow
717 > user:48:--------------:-------:deny
718 > user:48:--------------:-------:allow
719 > user:47:--------------:-------:deny
720 > user:47:--------------:-------:allow
721 > user:45:--------------:-------:deny
722 > user:45:--------------:-------:allow
723 > user:44:--------------:-------:deny
724 > user:44:--------------:-------:allow
725 > user:42:--------------:-------:deny
726 > user:42:--------------:-------:allow
727 > owner@:--x-----------:-------:deny
728 > owner@:rw-p---A-W-Co-:-------:allow
729 > group@:-wxp----------:-------:deny
730 > group@:r-------------:-------:allow
731 > everyone@:-wxp---A-W-Co-:-------:deny
732 > everyone@:r-----a-R-c--s:-------:allow
737 > user:53:--------------:-------:deny
738 > user:53:--------------:-------:allow
739 > user:52:--------------:-------:deny
740 > user:52:--------------:-------:allow
741 > user:50:--------------:-------:deny
742 > user:50:--------------:-------:allow
743 > user:49:--------------:-------:deny
744 > user:49:--------------:-------:allow
745 > user:47:-----------Co-:fdi----:allow
746 > user:47:--------------:-------:deny
747 > user:47:--------------:-------:allow
748 > user:46:-----------Co-:-di----:allow
749 > user:46:--------------:-------:deny
750 > user:46:--------------:-------:allow
751 > user:45:-----------Co-:f-i----:allow
752 > user:44:-----------Co-:fdi----:allow
753 > user:44:--------------:-------:deny
754 > user:44:--------------:-------:allow
755 > user:43:-----------Co-:-di----:allow
756 > user:43:--------------:-------:deny
757 > user:43:--------------:-------:allow
758 > user:42:-----------Co-:f-i----:allow
759 > owner@:--------------:-------:deny
760 > owner@:rwxp---A-W-Co-:-------:allow
761 > group@:-w-p----------:-------:deny
762 > group@:r-x-----------:-------:allow
763 > everyone@:-w-p---A-W-Co-:-------:deny
764 > everyone@:r-x---a-R-c--s:-------:allow
# Prepend (-a0) one deny entry for write_acl (C) and write_owner (o) to each of
# uids 42-53 on the current directory, each with a different combination of
# the inheritance flags f, d, n and i (file_inherit, dir_inherit,
# no_propagate, inherit_only).
# NOTE(review): in the expected listings after this run, the deny entries keep
# C and o even where the inheritance flags are empty; presumably those
# listings are the ACLs of children created afterwards -- confirm against the
# commands that produce them.
767 $ setfacl -a0 u:42:Co:f:deny .
768 $ setfacl -a0 u:43:Co:d:deny .
769 $ setfacl -a0 u:44:Co:fd:deny .
770 $ setfacl -a0 u:45:Co:fi:deny .
771 $ setfacl -a0 u:46:Co:di:deny .
772 $ setfacl -a0 u:47:Co:fdi:deny .
773 $ setfacl -a0 u:48:Co:fn:deny .
774 $ setfacl -a0 u:49:Co:dn:deny .
775 $ setfacl -a0 u:50:Co:fdn:deny .
776 $ setfacl -a0 u:51:Co:fni:deny .
777 $ setfacl -a0 u:52:Co:dni:deny .
778 $ setfacl -a0 u:53:Co:fdni:deny .
783 > user:53:-----------Co-:-------:deny
784 > user:51:-----------Co-:-------:deny
785 > user:50:-----------Co-:-------:deny
786 > user:48:-----------Co-:-------:deny
787 > user:47:-----------Co-:-------:deny
788 > user:45:-----------Co-:-------:deny
789 > user:44:-----------Co-:-------:deny
790 > user:42:-----------Co-:-------:deny
791 > owner@:--x-----------:-------:deny
792 > owner@:rw-p---A-W-Co-:-------:allow
793 > group@:-wxp----------:-------:deny
794 > group@:r-------------:-------:allow
795 > everyone@:-wxp---A-W-Co-:-------:deny
796 > everyone@:r-----a-R-c--s:-------:allow
801 > user:53:-----------Co-:-------:deny
802 > user:52:-----------Co-:-------:deny
803 > user:50:-----------Co-:-------:deny
804 > user:49:-----------Co-:-------:deny
805 > user:47:-----------Co-:fdi----:deny
806 > user:47:-----------Co-:-------:deny
807 > user:46:-----------Co-:-di----:deny
808 > user:46:-----------Co-:-------:deny
809 > user:45:-----------Co-:f-i----:deny
810 > user:44:-----------Co-:fdi----:deny
811 > user:44:-----------Co-:-------:deny
812 > user:43:-----------Co-:-di----:deny
813 > user:43:-----------Co-:-------:deny
814 > user:42:-----------Co-:f-i----:deny
815 > owner@:--------------:-------:deny
816 > owner@:rwxp---A-W-Co-:-------:allow
817 > group@:-w-p----------:-------:deny
818 > group@:r-x-----------:-------:allow
819 > everyone@:-w-p---A-W-Co-:-------:deny
820 > everyone@:r-x---a-R-c--s:-------:allow
828 # Test basic recursive setting of ACLs.
# Recursively (-R) modify the ACLs under ddd so that owner@, group@ and
# everyone@ are each allowed full_set; the owner@ entry also asks for the
# file_inherit (f) flag.
# NOTE(review): full_set for everyone@ includes write_acl (C) and write_owner
# (o), as the expected "rwxpDdaARWcCos" lines below show, so this ACL is a test
# fixture only. The f flag appears on only some of the expected owner@ allow
# entries -- presumably the directories; confirm.
833 $ setfacl -R -m owner@:full_set:f:allow,group@:full_set::allow,everyone@:full_set::allow ddd
835 > owner@:--------------:-------:deny
836 > owner@:rwxpDdaARWcCos:f------:allow
837 > group@:-w-p----------:-------:deny
838 > group@:rwxpDdaARWcCos:-------:allow
839 > everyone@:-w-p---A-W-Co-:-------:deny
840 > everyone@:rwxpDdaARWcCos:-------:allow
842 > owner@:--x-----------:-------:deny
843 > owner@:rwxpDdaARWcCos:-------:allow
844 > group@:-wxp----------:-------:deny
845 > group@:rwxpDdaARWcCos:-------:allow
846 > everyone@:-wxp---A-W-Co-:-------:deny
847 > everyone@:rwxpDdaARWcCos:-------:allow
849 > owner@:--------------:-------:deny
850 > owner@:rwxpDdaARWcCos:f------:allow
851 > group@:-w-p----------:-------:deny
852 > group@:rwxpDdaARWcCos:-------:allow
853 > everyone@:-w-p---A-W-Co-:-------:deny
854 > everyone@:rwxpDdaARWcCos:-------:allow
855 $ getfacl -q ddd/eee/yyy
856 > owner@:--x-----------:-------:deny
857 > owner@:rwxpDdaARWcCos:-------:allow
858 > group@:-wxp----------:-------:deny
859 > group@:rwxpDdaARWcCos:-------:allow
860 > everyone@:-wxp---A-W-Co-:-------:deny
861 > everyone@:rwxpDdaARWcCos:-------:allow