1 # Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
4 # Redistribution and use in source and binary forms, with or without
5 # modification, are permitted provided that the following conditions
7 # 1. Redistributions of source code must retain the above copyright
8 # notice, this list of conditions and the following disclaimer.
9 # 2. Redistributions in binary form must reproduce the above copyright
10 # notice, this list of conditions and the following disclaimer in the
11 # documentation and/or other materials provided with the distribution.
13 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16 # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28 # This is a tools-level test for NFSv4 ACL functionality with PSARC/2010/029
29 # semantics. Run it as root using an ACL-enabled kernel:
31 # /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4-psarc.test
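33 # WARNING: Creates files in an unsafe way: it runs as root and works on fixed relative names (xxx, yyy, zzz, ddd) in the current directory, so run it only from a scratch directory that no other user can write to.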
39 # Smoke test for getfacl(1).
45 > owner@:rw-p--aARWcCos:------:allow
46 > group@:r-----a-R-c--s:------:allow
47 > everyone@:r-----a-R-c--s:------:allow
50 > owner@:rw-p--aARWcCos:------:allow
51 > group@:r-----a-R-c--s:------:allow
52 > everyone@:r-----a-R-c--s:------:allow
54 # Check verbose mode formatting.
59 > owner@:read_data/write_data/append_data/read_attributes/write_attributes/read_xattr/write_xattr/read_acl/write_acl/write_owner/synchronize::allow
60 > group@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
61 > everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
64 $ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx
69 > owner@:rw-p--aARWcCos:------:allow
70 > group@:r-----a-R-c--s:------:allow
71 > user:0:-----------C--:------:allow
72 > group:1:----------c---:------:deny
73 > everyone@:r-----a-R-c--s:------:allow
75 # Test user and group name resolving.
78 $ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx
83 > owner@:rw-p--aARWcCos:------:allow
84 > group@:r-----a-R-c--s:------:allow
85 > user:root:-----------C--:------:allow
86 > group:daemon:----------c---:------:deny
87 > everyone@:r-----a-R-c--s:------:allow
89 # Check whether ls correctly marks files with "+".
90 $ ls -l xxx | cut -d' ' -f1
93 # Test removing entries by number.
99 > owner@:rw-p--aARWcCos:------:allow
100 > user:0:-----------C--:------:allow
101 > group:1:----------c---:------:deny
102 > everyone@:r-----a-R-c--s:------:allow
105 $ setfacl -a0 everyone@:rwx:deny xxx
106 $ setfacl -a0 everyone@:rwx:deny xxx
107 $ setfacl -a0 everyone@:rwx:deny xxx
108 $ setfacl -m everyone@::deny xxx
113 > everyone@:--------------:------:deny
114 > everyone@:--------------:------:deny
115 > everyone@:--------------:------:deny
116 > owner@:rw-p--aARWcCos:------:allow
117 > user:0:-----------C--:------:allow
118 > group:1:----------c---:------:deny
119 > everyone@:r-----a-R-c--s:------:allow
126 > everyone@:--------------:------:deny
127 > everyone@:--------------:------:deny
128 > everyone@:--------------:------:deny
129 > owner@:rw-p--aARWcCos:------:allow
130 > user:root:-----------C--:------:allow:0
131 > group:daemon:----------c---:------:deny:1
132 > everyone@:r-----a-R-c--s:------:allow
134 # Make sure cp without any flags does not copy the ACL.
136 $ ls -l yyy | cut -d' ' -f1
139 # Make sure it does with the "-p" flag.
146 > everyone@:--------------:------:deny
147 > everyone@:--------------:------:deny
148 > everyone@:--------------:------:deny
149 > owner@:rw-p--aARWcCos:------:allow
150 > user:0:-----------C--:------:allow
151 > group:1:----------c---:------:deny
152 > everyone@:r-----a-R-c--s:------:allow
156 # Test removing entries by... by example?
157 $ setfacl -x everyone@::deny xxx
162 > owner@:rw-p--aARWcCos:------:allow
163 > user:0:-----------C--:------:allow
164 > group:1:----------c---:------:deny
165 > everyone@:r-----a-R-c--s:------:allow
173 > owner@:rw-p--aARWcCos:------:allow
174 > group@:r-----a-R-c--s:------:allow
175 > everyone@:r-----a-R-c--s:------:allow
177 $ ls -l xxx | cut -d' ' -f1
180 # Check setfacl(1) and getfacl(1) with multiple files.
183 $ ls -l xxx yyy zzz | cut -d' ' -f1
188 $ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz
189 > setfacl: nnn: stat() failed: No such file or directory
191 $ ls -l nnn xxx yyy zzz | cut -d' ' -f1
192 > ls: nnn: No such file or directory
197 $ getfacl -nq nnn xxx yyy zzz
198 > getfacl: nnn: stat() failed: No such file or directory
199 > user:42:--x-----------:------:allow
200 > group:43:-w------------:------:allow
201 > owner@:rw-p--aARWcCos:------:allow
202 > group@:r-----a-R-c--s:------:allow
203 > everyone@:r-----a-R-c--s:------:allow
205 > user:42:--x-----------:------:allow
206 > group:43:-w------------:------:allow
207 > owner@:rw-p--aARWcCos:------:allow
208 > group@:r-----a-R-c--s:------:allow
209 > everyone@:r-----a-R-c--s:------:allow
211 > user:42:--x-----------:------:allow
212 > group:43:-w------------:------:allow
213 > owner@:rw-p--aARWcCos:------:allow
214 > group@:r-----a-R-c--s:------:allow
215 > everyone@:r-----a-R-c--s:------:allow
217 $ setfacl -b nnn xxx yyy zzz
218 > setfacl: nnn: stat() failed: No such file or directory
220 $ ls -l nnn xxx yyy zzz | cut -d' ' -f1
221 > ls: nnn: No such file or directory
228 # Test applying mode to an ACL.
230 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx
236 > owner@:rw-p--aARWcCos:------:allow
237 > group@:------a-R-c--s:------:allow
238 > everyone@:------a-R-c--s:------:allow
240 $ ls -l xxx | cut -d' ' -f1
246 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
252 > owner@:rw-p--aARWcCos:------:allow
253 > group@:------a-R-c--s:------:allow
254 > everyone@:------a-R-c--s:------:allow
255 $ ls -l xxx | cut -d' ' -f1
261 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
267 > owner@:rw-p----------:------:deny
268 > group@:r-------------:------:deny
269 > owner@:--x---aARWcCos:------:allow
270 > group@:-w-p--a-R-c--s:------:allow
271 > everyone@:r-----a-R-c--s:------:allow
272 $ ls -l xxx | cut -d' ' -f1
278 $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
284 > owner@:-wxp----------:------:deny
285 > group@:-w-p----------:------:deny
286 > owner@:r-----aARWcCos:------:allow
287 > group@:--x---a-R-c--s:------:allow
288 > everyone@:-w-p--a-R-c--s:------:allow
289 $ ls -l xxx | cut -d' ' -f1
293 $ setfacl -a0 group:44:rwapd:allow ddd
294 $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
295 $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
296 $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
301 > user:42:r-x-----------:f-i---:allow
302 > group:42:-w--D---------:-d----:allow
303 > group:43:-w--D---------:-d----:deny
304 > group@:-----da-------:------:allow
305 > group:44:rw-p-da-------:------:allow
306 > owner@:rwxp--aARWcCos:------:allow
307 > group@:r-x---a-R-c--s:------:allow
308 > everyone@:-w-p--a-R-c--s:f-i---:allow
315 > owner@:rwxp--aARWcCos:------:allow
316 > group@:rwxp--a-R-c--s:------:allow
317 > everyone@:rwxp--a-R-c--s:------:allow
319 # Test applying ACL to mode.
322 $ setfacl -a0 u:42:rwx:fi:allow ddd
323 $ ls -ld ddd | cut -d' ' -f1
329 $ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd
330 $ ls -ld ddd | cut -d' ' -f1
336 $ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd
337 $ ls -ld ddd | cut -d' ' -f1
343 $ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd
344 $ ls -ld ddd | cut -d' ' -f1
350 $ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd
351 $ ls -ld ddd | cut -d' ' -f1
357 $ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd
358 $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd
359 $ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd
360 $ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd
361 $ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd
363 > user:41:-w-----A------:f--n--:allow
364 > group:41:r-----a-------:-din--:allow
365 > user:42:-----------Co-:f-i---:allow
366 > user:42:r-x-----------:f-i---:allow
367 > group:42:-w--D---------:-d-n--:deny
368 > group:43:-w---------C--:f-in--:deny
369 > user:43:rwxp----------:------:allow
370 > owner@:rwxp--aARWcCos:------:allow
371 > group@:r-x---a-R-c--s:------:allow
372 > everyone@:r-x---a-R-c--s:------:allow
377 > user:41:--------------:------:allow
378 > user:42:--------------:------:allow
379 > user:42:r-------------:------:allow
380 > group:43:-w---------C--:------:deny
381 > owner@:rw-p--aARWcCos:------:allow
382 > group@:r-----a-R-c--s:------:allow
383 > everyone@:r-----a-R-c--s:------:allow
389 > user:41:--------------:------:allow
390 > user:42:--------------:------:allow
391 > user:42:--------------:------:allow
392 > group:43:-w---------C--:------:deny
393 > owner@:rw-p--aARWcCos:------:allow
394 > group@:------a-R-c--s:------:allow
395 > everyone@:------a-R-c--s:------:allow
401 > owner@:rw-p----------:------:deny
402 > group@:rw-p----------:------:deny
403 > user:41:--------------:------:allow
404 > user:42:--------------:------:allow
405 > user:42:--------------:------:allow
406 > group:43:-w---------C--:------:deny
407 > owner@:------aARWcCos:------:allow
408 > group@:------a-R-c--s:------:allow
409 > everyone@:rw-p--a-R-c--s:------:allow
415 > owner@:rw-p----------:------:deny
416 > user:41:-w------------:------:allow
417 > user:42:--------------:------:allow
418 > user:42:r-------------:------:allow
419 > group:43:-w---------C--:------:deny
420 > owner@:------aARWcCos:------:allow
421 > group@:rw-p--a-R-c--s:------:allow
422 > everyone@:------a-R-c--s:------:allow
427 > group:41:------a-------:------:allow
428 > user:42:-----------Co-:f-i---:allow
429 > user:42:r-x-----------:f-i---:allow
430 > group:42:-w--D---------:------:deny
431 > owner@:rwxp--aARWcCos:------:allow
432 > group@:------a-R-c--s:------:allow
433 > everyone@:------a-R-c--s:------:allow
439 > owner@:rwxp----------:------:deny
440 > group@:rwxp----------:------:deny
441 > group:41:------a-------:------:allow
442 > user:42:-----------Co-:f-i---:allow
443 > user:42:r-x-----------:f-i---:allow
444 > group:42:-w--D---------:------:deny
445 > owner@:------aARWcCos:------:allow
446 > group@:------a-R-c--s:------:allow
447 > everyone@:rwxp--a-R-c--s:------:allow
453 > owner@:rwxp----------:------:deny
454 > group:41:r-----a-------:------:allow
455 > user:42:-----------Co-:f-i---:allow
456 > user:42:r-x-----------:f-i---:allow
457 > group:42:-w--D---------:------:deny
458 > owner@:------aARWcCos:------:allow
459 > group@:rwxp--a-R-c--s:------:allow
460 > everyone@:------a-R-c--s:------:allow
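462 # There is some complication regarding how write_acl and write_owner flags
463 # get inherited. Make sure we got it right: in the expected output below, inherited "allow" entries lose "C" and "o" unless the resulting entry is inherit-only ("i"), while inherited "deny" entries keep them.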
465 $ setfacl -a0 u:42:Co:f:allow .
466 $ setfacl -a0 u:43:Co:d:allow .
467 $ setfacl -a0 u:44:Co:fd:allow .
468 $ setfacl -a0 u:45:Co:fi:allow .
469 $ setfacl -a0 u:46:Co:di:allow .
470 $ setfacl -a0 u:47:Co:fdi:allow .
471 $ setfacl -a0 u:48:Co:fn:allow .
472 $ setfacl -a0 u:49:Co:dn:allow .
473 $ setfacl -a0 u:50:Co:fdn:allow .
474 $ setfacl -a0 u:51:Co:fni:allow .
475 $ setfacl -a0 u:52:Co:dni:allow .
476 $ setfacl -a0 u:53:Co:fdni:allow .
481 > user:53:--------------:------:allow
482 > user:51:--------------:------:allow
483 > user:50:--------------:------:allow
484 > user:48:--------------:------:allow
485 > user:47:--------------:------:allow
486 > user:45:--------------:------:allow
487 > user:44:--------------:------:allow
488 > user:42:--------------:------:allow
489 > owner@:rw-p--aARWcCos:------:allow
490 > group@:r-----a-R-c--s:------:allow
491 > everyone@:r-----a-R-c--s:------:allow
496 > user:53:--------------:------:allow
497 > user:52:--------------:------:allow
498 > user:50:--------------:------:allow
499 > user:49:--------------:------:allow
500 > user:47:--------------:fd----:allow
501 > user:46:--------------:-d----:allow
502 > user:45:-----------Co-:f-i---:allow
503 > user:44:--------------:fd----:allow
504 > user:43:--------------:-d----:allow
505 > user:42:-----------Co-:f-i---:allow
506 > owner@:rwxp--aARWcCos:------:allow
507 > group@:r-x---a-R-c--s:------:allow
508 > everyone@:r-x---a-R-c--s:------:allow
511 $ setfacl -a0 u:42:Co:f:deny .
512 $ setfacl -a0 u:43:Co:d:deny .
513 $ setfacl -a0 u:44:Co:fd:deny .
514 $ setfacl -a0 u:45:Co:fi:deny .
515 $ setfacl -a0 u:46:Co:di:deny .
516 $ setfacl -a0 u:47:Co:fdi:deny .
517 $ setfacl -a0 u:48:Co:fn:deny .
518 $ setfacl -a0 u:49:Co:dn:deny .
519 $ setfacl -a0 u:50:Co:fdn:deny .
520 $ setfacl -a0 u:51:Co:fni:deny .
521 $ setfacl -a0 u:52:Co:dni:deny .
522 $ setfacl -a0 u:53:Co:fdni:deny .
527 > user:53:-----------Co-:------:deny
528 > user:51:-----------Co-:------:deny
529 > user:50:-----------Co-:------:deny
530 > user:48:-----------Co-:------:deny
531 > user:47:-----------Co-:------:deny
532 > user:45:-----------Co-:------:deny
533 > user:44:-----------Co-:------:deny
534 > user:42:-----------Co-:------:deny
535 > owner@:rw-p--aARWcCos:------:allow
536 > group@:r-----a-R-c--s:------:allow
537 > everyone@:r-----a-R-c--s:------:allow
542 > user:53:-----------Co-:------:deny
543 > user:52:-----------Co-:------:deny
544 > user:50:-----------Co-:------:deny
545 > user:49:-----------Co-:------:deny
546 > user:47:-----------Co-:fd----:deny
547 > user:46:-----------Co-:-d----:deny
548 > user:45:-----------Co-:f-i---:deny
549 > user:44:-----------Co-:fd----:deny
550 > user:43:-----------Co-:-d----:deny
551 > user:42:-----------Co-:f-i---:deny
552 > owner@:rwxp--aARWcCos:------:allow
553 > group@:r-x---a-R-c--s:------:allow
554 > everyone@:r-x---a-R-c--s:------:allow