1 # Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
4 # Redistribution and use in source and binary forms, with or without
5 # modification, are permitted provided that the following conditions
7 # 1. Redistributions of source code must retain the above copyright
8 # notice, this list of conditions and the following disclaimer.
9 # 2. Redistributions in binary form must reproduce the above copyright
10 # notice, this list of conditions and the following disclaimer in the
11 # documentation and/or other materials provided with the distribution.
13 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
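28 # This is a tools-level test for NFSv4 ACL functionality with PSARC/2010/029
29 # semantics. Run it as root on an ACL-enabled kernel:
31 # /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4-psarc.test
33 # WARNING: Creates files in an unsafe way: it runs as root and operates on
# fixed names (xxx, yyy, zzz, ddd) relative to the current directory, so start
# it from a dedicated scratch directory that other users cannot write to.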
39 # Smoke test for getfacl(1).
# Each expected line has four fields, principal:permissions:flags:type.
# The listings below contain only the three special principals (owner@,
# group@, everyone@), all of type allow and with no flags set.
45 > owner@:rw-p--aARWcCos:-------:allow
46 > group@:r-----a-R-c--s:-------:allow
47 > everyone@:r-----a-R-c--s:-------:allow
50 > owner@:rw-p--aARWcCos:-------:allow
51 > group@:r-----a-R-c--s:-------:allow
52 > everyone@:r-----a-R-c--s:-------:allow
54 # Check verbose mode formatting.
# Verbose output replaces the permission letters with slash-separated names
# and prints an empty flags field when no flag is set.
59 > owner@:read_data/write_data/append_data/read_attributes/write_attributes/read_xattr/write_xattr/read_acl/write_acl/write_owner/synchronize::allow
60 > group@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
61 > everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
# -a2 inserts the two new entries at position 2: in the expected listing they
# follow owner@ and group@ and precede everyone@. The listing also gives the
# compact letters for the two permissions used: C is write_acl, c is read_acl.
# NOTE(review): order matters when an NFSv4 ACL is evaluated, so the position
# of each entry is part of the expected result, not just its presence.
64 $ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx
69 > owner@:rw-p--aARWcCos:-------:allow
70 > group@:r-----a-R-c--s:-------:allow
71 > user:0:-----------C--:-------:allow
72 > group:1:----------c---:-------:deny
73 > everyone@:r-----a-R-c--s:-------:allow
75 # Test user and group name resolving.
78 $ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx
83 > owner@:rw-p--aARWcCos:-------:allow
84 > group@:r-----a-R-c--s:-------:allow
85 > user:root:-----------C--:-------:allow
86 > group:daemon:----------c---:-------:deny
87 > everyone@:r-----a-R-c--s:-------:allow
89 # Check whether ls correctly marks files with "+".
90 $ ls -l xxx | cut -d' ' -f1
93 # Test removing entries by number.
99 > owner@:rw-p--aARWcCos:-------:allow
100 > user:0:-----------C--:-------:allow
101 > group:1:----------c---:-------:deny
102 > everyone@:r-----a-R-c--s:-------:allow
105 $ setfacl -a0 everyone@:rwx:deny xxx
106 $ setfacl -a0 everyone@:rwx:deny xxx
107 $ setfacl -a0 everyone@:rwx:deny xxx
108 $ setfacl -m everyone@::deny xxx
113 > everyone@:--------------:-------:deny
114 > everyone@:--------------:-------:deny
115 > everyone@:--------------:-------:deny
116 > owner@:rw-p--aARWcCos:-------:allow
117 > user:0:-----------C--:-------:allow
118 > group:1:----------c---:-------:deny
119 > everyone@:r-----a-R-c--s:-------:allow
126 > everyone@:--------------:-------:deny
127 > everyone@:--------------:-------:deny
128 > everyone@:--------------:-------:deny
129 > owner@:rw-p--aARWcCos:-------:allow
130 > user:root:-----------C--:-------:allow:0
131 > group:daemon:----------c---:-------:deny:1
132 > everyone@:r-----a-R-c--s:-------:allow
134 # Make sure cp without any flags does not copy the ACL.
136 $ ls -l yyy | cut -d' ' -f1
139 # Make sure it does with the "-p" flag.
146 > everyone@:--------------:-------:deny
147 > everyone@:--------------:-------:deny
148 > everyone@:--------------:-------:deny
149 > owner@:rw-p--aARWcCos:-------:allow
150 > user:0:-----------C--:-------:allow
151 > group:1:----------c---:-------:deny
152 > everyone@:r-----a-R-c--s:-------:allow
156 # Test removing entries by... by example?
157 $ setfacl -x everyone@::deny xxx
162 > owner@:rw-p--aARWcCos:-------:allow
163 > user:0:-----------C--:-------:allow
164 > group:1:----------c---:-------:deny
165 > everyone@:r-----a-R-c--s:-------:allow
173 > owner@:rw-p--aARWcCos:-------:allow
174 > group@:r-----a-R-c--s:-------:allow
175 > everyone@:r-----a-R-c--s:-------:allow
177 $ ls -l xxx | cut -d' ' -f1
180 # Check setfacl(1) and getfacl(1) with multiple files.
# nnn is an operand that is expected not to exist. Each tool must report it
# and, per the expected output below, still process the remaining operands.
183 $ ls -l xxx yyy zzz | cut -d' ' -f1
# -m with entries that are not yet in the ACL: the expected listings further
# down show user:42 and group:43 placed ahead of owner@ in all three files.
188 $ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz
189 > setfacl: nnn: stat() failed: No such file or directory
191 $ ls -l nnn xxx yyy zzz | cut -d' ' -f1
192 > ls: nnn: No such file or directory
# -n prints ids numerically and -q omits the per-file header comments, so the
# three expected listings below follow each other without file names.
197 $ getfacl -nq nnn xxx yyy zzz
198 > getfacl: nnn: stat() failed: No such file or directory
199 > user:42:--x-----------:-------:allow
200 > group:43:-w------------:-------:allow
201 > owner@:rw-p--aARWcCos:-------:allow
202 > group@:r-----a-R-c--s:-------:allow
203 > everyone@:r-----a-R-c--s:-------:allow
205 > user:42:--x-----------:-------:allow
206 > group:43:-w------------:-------:allow
207 > owner@:rw-p--aARWcCos:-------:allow
208 > group@:r-----a-R-c--s:-------:allow
209 > everyone@:r-----a-R-c--s:-------:allow
211 > user:42:--x-----------:-------:allow
212 > group:43:-w------------:-------:allow
213 > owner@:rw-p--aARWcCos:-------:allow
214 > group@:r-----a-R-c--s:-------:allow
215 > everyone@:r-----a-R-c--s:-------:allow
# Same missing-operand check for -b. NOTE(review): the ls output expected
# after this command is not part of this listing, so the effect of -b on the
# three existing files cannot be read off here.
217 $ setfacl -b nnn xxx yyy zzz
218 > setfacl: nnn: stat() failed: No such file or directory
220 $ ls -l nnn xxx yyy zzz | cut -d' ' -f1
221 > ls: nnn: No such file or directory
228 # Test applying mode to an ACL.
230 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx
236 > owner@:rw-p--aARWcCos:-------:allow
237 > group@:------a-R-c--s:-------:allow
238 > everyone@:------a-R-c--s:-------:allow
240 $ ls -l xxx | cut -d' ' -f1
246 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
252 > owner@:rw-p--aARWcCos:-------:allow
253 > group@:------a-R-c--s:-------:allow
254 > everyone@:------a-R-c--s:-------:allow
255 $ ls -l xxx | cut -d' ' -f1
261 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
267 > owner@:rw-p----------:-------:deny
268 > group@:r-------------:-------:deny
269 > owner@:--x---aARWcCos:-------:allow
270 > group@:-w-p--a-R-c--s:-------:allow
271 > everyone@:r-----a-R-c--s:-------:allow
272 $ ls -l xxx | cut -d' ' -f1
278 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
284 > owner@:-wxp----------:-------:deny
285 > group@:-w-p----------:-------:deny
286 > owner@:r-----aARWcCos:-------:allow
287 > group@:--x---a-R-c--s:-------:allow
288 > everyone@:-w-p--a-R-c--s:-------:allow
289 $ ls -l xxx | cut -d' ' -f1
# Each -a0 inserts at position 0, so the entries added by the last command end
# up first in the expected listing; entries given in one comma-separated list
# keep their relative order. Flag letters used here: f (file_inherit),
# d (dir_inherit), i (inherit_only).
293 $ setfacl -a0 group:44:rwapd:allow ddd
294 $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
295 $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
# -m on everyone@: the expected listing has a single everyone@ allow entry, in
# last position, carrying these permissions and the f-i flags.
296 $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
301 > user:42:r-x-----------:f-i----:allow
302 > group:42:-w--D---------:-d-----:allow
303 > group:43:-w--D---------:-d-----:deny
304 > group@:-----da-------:-------:allow
305 > group:44:rw-p-da-------:-------:allow
306 > owner@:rwxp--aARWcCos:-------:allow
307 > group@:r-x---a-R-c--s:-------:allow
308 > everyone@:-w-p--a-R-c--s:f-i----:allow
315 > owner@:rwxp--aARWcCos:-------:allow
316 > group@:rwxp--a-R-c--s:-------:allow
317 > everyone@:rwxp--a-R-c--s:-------:allow
319 # Test applying ACL to mode.
322 $ setfacl -a0 u:42:rwx:fi:allow ddd
323 $ ls -ld ddd | cut -d' ' -f1
329 $ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd
330 $ ls -ld ddd | cut -d' ' -f1
336 $ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd
337 $ ls -ld ddd | cut -d' ' -f1
343 $ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd
344 $ ls -ld ddd | cut -d' ' -f1
350 $ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd
351 $ ls -ld ddd | cut -d' ' -f1
357 $ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd
358 $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd
359 $ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd
360 $ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd
361 $ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd
363 > user:41:-w-----A------:f--n---:allow
364 > group:41:r-----a-------:-din---:allow
365 > user:42:-----------Co-:f-i----:allow
366 > user:42:r-x-----------:f-i----:allow
367 > group:42:-w--D---------:-d-n---:deny
368 > group:43:-w---------C--:f-in---:deny
369 > user:43:rwxp----------:-------:allow
370 > owner@:rwxp--aARWcCos:-------:allow
371 > group@:r-x---a-R-c--s:-------:allow
372 > everyone@:r-x---a-R-c--s:-------:allow
377 > user:41:--------------:------I:allow
378 > user:42:--------------:------I:allow
379 > user:42:r-------------:------I:allow
380 > group:43:-w---------C--:------I:deny
381 > owner@:rw-p--aARWcCos:-------:allow
382 > group@:r-----a-R-c--s:-------:allow
383 > everyone@:r-----a-R-c--s:-------:allow
389 > user:41:--------------:------I:allow
390 > user:42:--------------:------I:allow
391 > user:42:--------------:------I:allow
392 > group:43:-w---------C--:------I:deny
393 > owner@:rw-p--aARWcCos:-------:allow
394 > group@:------a-R-c--s:-------:allow
395 > everyone@:------a-R-c--s:-------:allow
401 > owner@:rw-p----------:-------:deny
402 > group@:rw-p----------:-------:deny
403 > user:41:--------------:------I:allow
404 > user:42:--------------:------I:allow
405 > user:42:--------------:------I:allow
406 > group:43:-w---------C--:------I:deny
407 > owner@:------aARWcCos:-------:allow
408 > group@:------a-R-c--s:-------:allow
409 > everyone@:rw-p--a-R-c--s:-------:allow
415 > owner@:rw-p----------:-------:deny
416 > user:41:-w------------:------I:allow
417 > user:42:--------------:------I:allow
418 > user:42:r-------------:------I:allow
419 > group:43:-w---------C--:------I:deny
420 > owner@:------aARWcCos:-------:allow
421 > group@:rw-p--a-R-c--s:-------:allow
422 > everyone@:------a-R-c--s:-------:allow
427 > group:41:------a-------:------I:allow
428 > user:42:-----------Co-:f-i---I:allow
429 > user:42:r-x-----------:f-i---I:allow
430 > group:42:-w--D---------:------I:deny
431 > owner@:rwxp--aARWcCos:-------:allow
432 > group@:------a-R-c--s:-------:allow
433 > everyone@:------a-R-c--s:-------:allow
439 > owner@:rwxp----------:-------:deny
440 > group@:rwxp----------:-------:deny
441 > group:41:------a-------:------I:allow
442 > user:42:-----------Co-:f-i---I:allow
443 > user:42:r-x-----------:f-i---I:allow
444 > group:42:-w--D---------:------I:deny
445 > owner@:------aARWcCos:-------:allow
446 > group@:------a-R-c--s:-------:allow
447 > everyone@:rwxp--a-R-c--s:-------:allow
453 > owner@:rwxp----------:-------:deny
454 > group:41:r-----a-------:------I:allow
455 > user:42:-----------Co-:f-i---I:allow
456 > user:42:r-x-----------:f-i---I:allow
457 > group:42:-w--D---------:------I:deny
458 > owner@:------aARWcCos:-------:allow
459 > group@:rwxp--a-R-c--s:-------:allow
460 > everyone@:------a-R-c--s:-------:allow
462 # There is some complication regarding how write_acl and write_owner flags
463 # get inherited. Make sure we got it right.
# The twelve entries below grant only write_acl (C) and write_owner (o) to
# users 42-53, one user per combination of the f, d, i and n inheritance flags.
# NOTE(review): the expected listings suggest the property under test is that
# an inherited allow entry never gives its user control over the new object's
# ACL or ownership; confirm against PSARC/2010/029.
465 $ setfacl -a0 u:42:Co:f:allow .
466 $ setfacl -a0 u:43:Co:d:allow .
467 $ setfacl -a0 u:44:Co:fd:allow .
468 $ setfacl -a0 u:45:Co:fi:allow .
469 $ setfacl -a0 u:46:Co:di:allow .
470 $ setfacl -a0 u:47:Co:fdi:allow .
471 $ setfacl -a0 u:48:Co:fn:allow .
472 $ setfacl -a0 u:49:Co:dn:allow .
473 $ setfacl -a0 u:50:Co:fdn:allow .
474 $ setfacl -a0 u:51:Co:fni:allow .
475 $ setfacl -a0 u:52:Co:dni:allow .
476 $ setfacl -a0 u:53:Co:fdni:allow .
# Expected ACL of a child created afterwards (presumably a regular file; the
# creating command is not part of this listing). Only the users whose entry
# had the f flag appear, each marked I (inherited) and with Co cleared.
481 > user:53:--------------:------I:allow
482 > user:51:--------------:------I:allow
483 > user:50:--------------:------I:allow
484 > user:48:--------------:------I:allow
485 > user:47:--------------:------I:allow
486 > user:45:--------------:------I:allow
487 > user:44:--------------:------I:allow
488 > user:42:--------------:------I:allow
489 > owner@:rw-p--aARWcCos:-------:allow
490 > group@:r-----a-R-c--s:-------:allow
491 > everyone@:r-----a-R-c--s:-------:allow
# Expected ACL of a second child (presumably a directory). Co survives only in
# the entries that come out as f-i, i.e. inherit_only entries that do not
# apply to the object itself; every entry without the i flag has Co cleared.
# The fn and fni users (48, 51) are absent from this listing.
496 > user:53:--------------:------I:allow
497 > user:52:--------------:------I:allow
498 > user:50:--------------:------I:allow
499 > user:49:--------------:------I:allow
500 > user:47:--------------:fd----I:allow
501 > user:46:--------------:-d----I:allow
502 > user:45:-----------Co-:f-i---I:allow
503 > user:44:--------------:fd----I:allow
504 > user:43:--------------:-d----I:allow
505 > user:42:-----------Co-:f-i---I:allow
506 > owner@:rwxp--aARWcCos:-------:allow
507 > group@:r-x---a-R-c--s:-------:allow
508 > everyone@:r-x---a-R-c--s:-------:allow
# Same twelve flag combinations as the allow entries above, now as deny
# entries for write_acl (C) and write_owner (o). In both expected listings
# below every inherited deny entry keeps Co, whatever flags it ends up with.
511 $ setfacl -a0 u:42:Co:f:deny .
512 $ setfacl -a0 u:43:Co:d:deny .
513 $ setfacl -a0 u:44:Co:fd:deny .
514 $ setfacl -a0 u:45:Co:fi:deny .
515 $ setfacl -a0 u:46:Co:di:deny .
516 $ setfacl -a0 u:47:Co:fdi:deny .
517 $ setfacl -a0 u:48:Co:fn:deny .
518 $ setfacl -a0 u:49:Co:dn:deny .
519 $ setfacl -a0 u:50:Co:fdn:deny .
520 $ setfacl -a0 u:51:Co:fni:deny .
521 $ setfacl -a0 u:52:Co:dni:deny .
522 $ setfacl -a0 u:53:Co:fdni:deny .
# Expected ACL of the first child (presumably a regular file; the creating
# command is not part of this listing): the users whose entry had the f flag.
527 > user:53:-----------Co-:------I:deny
528 > user:51:-----------Co-:------I:deny
529 > user:50:-----------Co-:------I:deny
530 > user:48:-----------Co-:------I:deny
531 > user:47:-----------Co-:------I:deny
532 > user:45:-----------Co-:------I:deny
533 > user:44:-----------Co-:------I:deny
534 > user:42:-----------Co-:------I:deny
535 > owner@:rw-p--aARWcCos:-------:allow
536 > group@:r-----a-R-c--s:-------:allow
537 > everyone@:r-----a-R-c--s:-------:allow
# Expected ACL of the second child (presumably a directory): the resulting
# flags follow the same pattern as for the allow entries.
542 > user:53:-----------Co-:------I:deny
543 > user:52:-----------Co-:------I:deny
544 > user:50:-----------Co-:------I:deny
545 > user:49:-----------Co-:------I:deny
546 > user:47:-----------Co-:fd----I:deny
547 > user:46:-----------Co-:-d----I:deny
548 > user:45:-----------Co-:f-i---I:deny
549 > user:44:-----------Co-:fd----I:deny
550 > user:43:-----------Co-:-d----I:deny
551 > user:42:-----------Co-:f-i---I:deny
552 > owner@:rwxp--aARWcCos:-------:allow
553 > group@:r-x---a-R-c--s:-------:allow
554 > everyone@:r-x---a-R-c--s:-------:allow