From 620654ee98e1b3a7a7bcad3d88b790bbc760ddc7 Mon Sep 17 00:00:00 2001 From: ngie Date: Mon, 16 Nov 2015 00:37:00 +0000 Subject: [PATCH] MFC r289446: Integrate tools/regression/acltools into the FreeBSD test suite as tests/sys/acl - Make the requirements more complete for the testcases - Detect prerequisites so the tests won't fail (zfs.ko is loaded, zpool(1) is available, ACL support is enabled with UFS, etc). - Work with temporary files/directories/mountpoints that work with atf/kyua - Limit the testcases to work on temporary filesystems to reduce tainting the test host Reviewed by: trasz (earlier version) Differential Revision: https://reviews.freebsd.org/D3810 git-svn-id: svn://svn.freebsd.org/base/stable/10@290894 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- etc/mtree/BSD.tests.dist | 2 + tests/sys/Makefile | 1 + tests/sys/acl/00.sh | 88 +++ tests/sys/acl/01.sh | 87 +++ tests/sys/acl/02.sh | 93 +++ tests/sys/acl/03.sh | 117 ++++ tests/sys/acl/04.sh | 73 +++ tests/sys/acl/Makefile | 29 + tests/sys/acl/aclfuzzer.sh | 225 +++++++ tests/sys/acl/mktrivial.sh | 53 ++ tests/sys/acl/run | 329 ++++++++++ tests/sys/acl/tools-crossfs.test | 323 ++++++++++ tests/sys/acl/tools-nfs4-psarc.test | 562 +++++++++++++++++ tests/sys/acl/tools-nfs4-trivial.test | 82 +++ tests/sys/acl/tools-nfs4.test | 828 ++++++++++++++++++++++++++ tests/sys/acl/tools-posix.test | 453 ++++++++++++++ 16 files changed, 3345 insertions(+) create mode 100644 tests/sys/acl/00.sh create mode 100644 tests/sys/acl/01.sh create mode 100644 tests/sys/acl/02.sh create mode 100644 tests/sys/acl/03.sh create mode 100644 tests/sys/acl/04.sh create mode 100644 tests/sys/acl/Makefile create mode 100755 tests/sys/acl/aclfuzzer.sh create mode 100755 tests/sys/acl/mktrivial.sh create mode 100644 tests/sys/acl/run create mode 100644 tests/sys/acl/tools-crossfs.test create mode 100644 tests/sys/acl/tools-nfs4-psarc.test create mode 100644 tests/sys/acl/tools-nfs4-trivial.test create mode 100644 tests/sys/acl/tools-nfs4.test create mode 100644 tests/sys/acl/tools-posix.test diff --git a/etc/mtree/BSD.tests.dist b/etc/mtree/BSD.tests.dist index 8e0260a9f..a8d85511b 100644 --- a/etc/mtree/BSD.tests.dist +++ b/etc/mtree/BSD.tests.dist @@ -188,6 +188,8 @@ .. .. sys + acl + .. aio .. fifo diff --git a/tests/sys/Makefile b/tests/sys/Makefile index 9d76220e6..5e4257552 100644 --- a/tests/sys/Makefile +++ b/tests/sys/Makefile @@ -4,6 +4,7 @@ TESTSDIR= ${TESTSBASE}/sys +TESTS_SUBDIRS+= acl TESTS_SUBDIRS+= aio TESTS_SUBDIRS+= fifo TESTS_SUBDIRS+= file diff --git a/tests/sys/acl/00.sh b/tests/sys/acl/00.sh new file mode 100644 index 000000000..61e811552 --- /dev/null +++ b/tests/sys/acl/00.sh @@ -0,0 +1,88 @@ +#!/bin/sh +# +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# This is a wrapper script to run tools-posix.test on UFS filesystem. +# +# If any of the tests fails, here is how to debug it: go to +# the directory with problematic filesystem mounted on it, +# and do /path/to/test run /path/to/test tools-posix.test, e.g. +# +# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-posix.test +# +# Output should be obvious. + +if [ $(sysctl -n kern.features.ufs_acl 2>/dev/null || echo 0) -eq 0 ]; then + echo "1..0 # SKIP system does not have UFS ACL support" + exit 0 +fi +if [ $(id -u) -ne 0 ]; then + echo "1..0 # SKIP you must be root" + exit 0 +fi + +echo "1..4" + +TESTDIR=$(dirname $(realpath $0)) + +# Set up the test filesystem. +MD=`mdconfig -at swap -s 10m` +MNT=`mktemp -dt acltools` +newfs /dev/$MD > /dev/null +trap "cd /; umount -f $MNT; rmdir $MNT; mdconfig -d -u $MD" EXIT +mount -o acls /dev/$MD $MNT +if [ $? -ne 0 ]; then + echo "not ok 1 - mount failed." + echo 'Bail out!' + exit 1 +fi + +echo "ok 1" + +cd $MNT + +# First, check whether we can crash the kernel by creating too many +# entries. For some reason this won't work in the test file. +touch xxx +i=0; +while :; do i=$(($i+1)); setfacl -m u:$i:rwx xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done +chmod 600 xxx +rm xxx +echo "ok 2" + +perl $TESTDIR/run $TESTDIR/tools-posix.test > /dev/null + +if [ $? -eq 0 ]; then + echo "ok 3" +else + echo "not ok 3" +fi + +cd / + +echo "ok 4" diff --git a/tests/sys/acl/01.sh b/tests/sys/acl/01.sh new file mode 100644 index 000000000..93487a772 --- /dev/null +++ b/tests/sys/acl/01.sh @@ -0,0 +1,87 @@ +#!/bin/sh +# +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# This is a wrapper script to run tools-nfs4.test on ZFS filesystem. +# +# WARNING: It uses hardcoded ZFS pool name "acltools" +# +# If any of the tests fails, here is how to debug it: go to +# the directory with problematic filesystem mounted on it, +# and do /path/to/test run /path/to/test tools-nfs4.test, e.g. +# +# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test +# +# Output should be obvious. + +if ! sysctl vfs.zfs.version.spa >/dev/null 2>&1; then + echo "1..0 # SKIP system doesn't have ZFS loaded" + exit 0 +fi +if [ $(id -u) -ne 0 ]; then + echo "1..0 # SKIP you must be root" + exit 0 +fi + +echo "1..4" + +TESTDIR=$(dirname $(realpath $0)) + +# Set up the test filesystem. +MD=`mdconfig -at swap -s 64m` +MNT=`mktemp -dt acltools` +trap "cd /; zpool destroy -f acltools; rmdir $MNT; mdconfig -d -u $MD" EXIT +zpool create -m $MNT acltools /dev/$MD +if [ $? -ne 0 ]; then + echo "not ok 1 - 'zpool create' failed." + echo 'Bail out!' + exit 1 +fi + +echo "ok 1" + +cd $MNT + +# First, check whether we can crash the kernel by creating too many +# entries. For some reason this won't work in the test file. +touch xxx +setfacl -x2 xxx +while :; do setfacl -a0 u:42:rwx:allow xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done +chmod 600 xxx +rm xxx +echo "ok 2" + +perl $TESTDIR/run $TESTDIR/tools-nfs4-psarc.test > /dev/null + +if [ $? -eq 0 ]; then + echo "ok 3" +else + echo "not ok 3" +fi + +echo "ok 4" diff --git a/tests/sys/acl/02.sh b/tests/sys/acl/02.sh new file mode 100644 index 000000000..8fbb39de4 --- /dev/null +++ b/tests/sys/acl/02.sh @@ -0,0 +1,93 @@ +#!/bin/sh +# +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# This is a wrapper script to run tools-nfs4.test on UFS filesystem. +# +# If any of the tests fails, here is how to debug it: go to +# the directory with problematic filesystem mounted on it, +# and do /path/to/test run /path/to/test tools-nfs4.test, e.g. +# +# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test +# +# Output should be obvious. + +if [ $(sysctl -n kern.features.ufs_acl 2>/dev/null || echo 0) -eq 0 ]; then + echo "1..0 # SKIP system does not have UFS ACL support" + exit 0 +fi +if [ $(id -u) -ne 0 ]; then + echo "1..0 # SKIP you must be root" + exit 0 +fi + +echo "1..4" + +TESTDIR=$(dirname $(realpath $0)) + +# Set up the test filesystem. +MD=`mdconfig -at swap -s 10m` +MNT=`mktemp -dt acltools` +newfs /dev/$MD > /dev/null +trap "cd /; umount -f $MNT; rmdir $MNT; mdconfig -d -u $MD" EXIT +mount -o nfsv4acls /dev/$MD $MNT +if [ $? -ne 0 ]; then + echo "not ok 1 - mount failed." + echo 'Bail out!' + exit 1 +fi + +echo "ok 1" + +cd $MNT + +# First, check whether we can crash the kernel by creating too many +# entries. For some reason this won't work in the test file. +touch xxx +setfacl -x2 xxx +while :; do setfacl -a0 u:42:rwx:allow xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done +chmod 600 xxx +rm xxx +echo "ok 2" + +if [ `sysctl -n vfs.acl_nfs4_old_semantics` = 0 ]; then + perl $TESTDIR/run $TESTDIR/tools-nfs4-psarc.test > /dev/null +else + perl $TESTDIR/run $TESTDIR/tools-nfs4.test > /dev/null +fi + +if [ $? -eq 0 ]; then + echo "ok 3" +else + echo "not ok 3" +fi + +cd / + +echo "ok 4" + diff --git a/tests/sys/acl/03.sh b/tests/sys/acl/03.sh new file mode 100644 index 000000000..2b81b2662 --- /dev/null +++ b/tests/sys/acl/03.sh @@ -0,0 +1,117 @@ +#!/bin/sh +# +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# This is a wrapper script to run tools-crossfs.test between UFS without +# ACLs, UFS with POSIX.1e ACLs, and ZFS with NFSv4 ACLs. +# +# WARNING: It uses hardcoded ZFS pool name "acltools" +# +# Output should be obvious. + +if ! sysctl vfs.zfs.version.spa >/dev/null 2>&1; then + echo "1..0 # SKIP system doesn't have ZFS loaded" + exit 0 +fi +if [ $(id -u) -ne 0 ]; then + echo "1..0 # SKIP you must be root" + exit 0 +fi + +echo "1..5" + +TESTDIR=$(dirname $(realpath $0)) +MNTROOT=`mktemp -dt acltools` + +# Set up the test filesystems. +MD1=`mdconfig -at swap -s 64m` +MNT1=$MNTROOT/nfs4 +mkdir $MNT1 +zpool create -m $MNT1 acltools /dev/$MD1 +if [ $? -ne 0 ]; then + echo "not ok 1 - 'zpool create' failed." + echo 'Bail out!' + exit 1 +fi + +echo "ok 1" + +MD2=`mdconfig -at swap -s 10m` +MNT2=$MNTROOT/posix +mkdir $MNT2 +newfs /dev/$MD2 > /dev/null +mount -o acls /dev/$MD2 $MNT2 +if [ $? -ne 0 ]; then + echo "not ok 2 - mount failed." + echo 'Bail out!' + exit 1 +fi + +echo "ok 2" + +MD3=`mdconfig -at swap -s 10m` +MNT3=$MNTROOT/none +mkdir $MNT3 +newfs /dev/$MD3 > /dev/null +mount /dev/$MD3 $MNT3 +if [ $? -ne 0 ]; then + echo "not ok 3 - mount failed." + echo 'Bail out!' + exit 1 +fi + +echo "ok 3" + +cd $MNTROOT + +perl $TESTDIR/run $TESTDIR/tools-crossfs.test > /dev/null + +if [ $? -eq 0 ]; then + echo "ok 4" +else + echo "not ok 4" +fi + +cd / + +umount -f $MNT3 +rmdir $MNT3 +mdconfig -du $MD3 + +umount -f $MNT2 +rmdir $MNT2 +mdconfig -du $MD2 + +zpool destroy -f acltools +rmdir $MNT1 +mdconfig -du $MD1 + +rmdir $MNTROOT + +echo "ok 5" + diff --git a/tests/sys/acl/04.sh b/tests/sys/acl/04.sh new file mode 100644 index 000000000..5669c5a48 --- /dev/null +++ b/tests/sys/acl/04.sh @@ -0,0 +1,73 @@ +#!/bin/sh +# +# Copyright (c) 2011 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# This is a wrapper script to run tools-nfs4-trivial.test on ZFS filesystem. +# +# WARNING: It uses hardcoded ZFS pool name "acltools" + +if ! sysctl vfs.zfs.version.spa >/dev/null 2>&1; then + echo "1..0 # SKIP system doesn't have ZFS loaded" + exit 0 +fi +if [ $(id -u) -ne 0 ]; then + echo "1..0 # SKIP you must be root" + exit 0 +fi + +echo "1..3" + +TESTDIR=$(dirname $(realpath $0)) + +# Set up the test filesystem. +MD=`mdconfig -at swap -s 64m` +MNT=`mktemp -dt acltools` +zpool create -m $MNT acltools /dev/$MD +if [ $? -ne 0 ]; then + echo "not ok 1 - 'zpool create' failed." + exit 1 +fi + +echo "ok 1" + +cd $MNT + +perl $TESTDIR/run $TESTDIR/tools-nfs4-trivial.test > /dev/null + +if [ $? -eq 0 ]; then + echo "ok 2" +else + echo "not ok 2" +fi + +cd / +zpool destroy -f acltools +rmdir $MNT +mdconfig -du $MD + +echo "ok 3" diff --git a/tests/sys/acl/Makefile b/tests/sys/acl/Makefile new file mode 100644 index 000000000..298b0a27c --- /dev/null +++ b/tests/sys/acl/Makefile @@ -0,0 +1,29 @@ +# $FreeBSD$ + +TESTSDIR= ${TESTSBASE}/sys/acl + +BINDIR= ${TESTSDIR} + +FILES+= tools-crossfs.test +FILES+= tools-nfs4.test +FILES+= tools-nfs4-psarc.test +FILES+= tools-nfs4-trivial.test +FILES+= tools-posix.test + +SCRIPTS+= run + +TAP_TESTS_SH+= 00 +TAP_TESTS_SH+= 01 +TAP_TESTS_SH+= 02 +TAP_TESTS_SH+= 03 +TAP_TESTS_SH+= 04 + +.for t in ${TAP_TESTS_SH} +TEST_METADATA.$t+= required_user="root" +.endfor + +.for t in 01 03 04 +TEST_METADATA.$t+= required_programs="/sbin/zpool" +.endfor + +.include diff --git a/tests/sys/acl/aclfuzzer.sh b/tests/sys/acl/aclfuzzer.sh new file mode 100755 index 000000000..dff07d821 --- /dev/null +++ b/tests/sys/acl/aclfuzzer.sh @@ -0,0 +1,225 @@ +#!/bin/sh +# +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# This is an NFSv4 ACL fuzzer. It expects to be run by non-root in a scratch +# directory on a filesystem with NFSv4 ACLs support. Output it generates +# is expected to be fed to /usr/src/tools/regression/acltools/run script. + +NUMBER_OF_COMMANDS=300 + +run_command() +{ + echo "\$ $1" + eval $1 2>&1 | sed 's/^/> /' +} + +rnd_from_0_to() +{ + max=`expr $1 + 1` + rnd=`jot -r 1` + rnd=`expr $rnd % $max` + + echo $rnd +} + +rnd_path() +{ + rnd=`rnd_from_0_to 3` + case $rnd in + 0) echo "$TMP/aaa" ;; + 1) echo "$TMP/bbb" ;; + 2) echo "$TMP/aaa/ccc" ;; + 3) echo "$TMP/bbb/ddd" ;; + esac +} + +f_prepend_random_acl_on() +{ + rnd=`rnd_from_0_to 4` + case $rnd in + 0) u="owner@" ;; + 1) u="group@" ;; + 2) u="everyone@" ;; + 3) u="u:1138" ;; + 4) u="g:1138" ;; + esac + + p="" + while :; do + rnd=`rnd_from_0_to 30` + if [ -n "$p" -a $rnd -ge 14 ]; then + break; + fi + + case $rnd in + 0) p="${p}r" ;; + 1) p="${p}w" ;; + 2) p="${p}x" ;; + 3) p="${p}p" ;; + 4) p="${p}d" ;; + 5) p="${p}D" ;; + 6) p="${p}a" ;; + 7) p="${p}A" ;; + 8) p="${p}R" ;; + 9) p="${p}W" ;; + 10) p="${p}R" ;; + 11) p="${p}c" ;; + 12) p="${p}C" ;; + 13) p="${p}o" ;; + 14) p="${p}s" ;; + esac + done + + f="" + while :; do + rnd=`rnd_from_0_to 10` + if [ $rnd -ge 6 ]; then + break; + fi + + case $rnd in + 0) f="${f}f" ;; + 1) f="${f}d" ;; + 2) f="${f}n" ;; + 3) f="${f}i" ;; + esac + done + + rnd=`rnd_from_0_to 1` + case $rnd in + 0) x="allow" ;; + 1) x="deny" ;; + esac + + acl="$u:$p:$f:$x" + + file=`rnd_path` + run_command "setfacl -a0 $acl $file" +} + +f_getfacl() +{ + file=`rnd_path` + run_command "getfacl -qn $file" +} + +f_ls_mode() +{ + file=`rnd_path` + run_command "ls -al $file | sed -n '2p' | cut -d' ' -f1" +} + +f_chmod() +{ + b1=`rnd_from_0_to 7` + b2=`rnd_from_0_to 7` + b3=`rnd_from_0_to 7` + b4=`rnd_from_0_to 7` + file=`rnd_path` + + run_command "chmod $b1$b2$b3$b4 $file $2" +} + +f_touch() +{ + file=`rnd_path` + run_command "touch $file" +} + +f_rm() +{ + file=`rnd_path` + run_command "rm -f $file" +} + +f_mkdir() +{ + file=`rnd_path` + run_command "mkdir $file" +} + +f_rmdir() +{ + file=`rnd_path` + run_command "rmdir $file" +} + +f_mv() +{ + from=`rnd_path` + to=`rnd_path` + run_command "mv -f $from $to" +} + +# XXX: To be implemented: chown(8), setting times with touch(1). + +switch_to_random_user() +{ + # XXX: To be implemented. +} + +execute_random_command() +{ + rnd=`rnd_from_0_to 20` + + case $rnd in + 0|10|11|12|13|15) cmd=f_prepend_random_acl_on ;; + 1) cmd=f_getfacl ;; + 2) cmd=f_ls_mode ;; + 3) cmd=f_chmod ;; + 4|18|19) cmd=f_touch ;; + 5) cmd=f_rm ;; + 6|16|17) cmd=f_mkdir ;; + 7) cmd=f_rmdir ;; + 8) cmd=f_mv ;; + esac + + $cmd "XXX" +} + +echo "# Fuzzing; will stop after $NUMBER_OF_COMMANDS commands." +TMP="aclfuzzer_`dd if=/dev/random bs=1k count=1 2>/dev/null | openssl md5`" + +run_command "whoami" +umask 022 +run_command "umask 022" +run_command "mkdir $TMP" + +i=0; +while [ "$i" -lt "$NUMBER_OF_COMMANDS" ]; do + switch_to_random_user + execute_random_command + i=`expr $i + 1` +done + +run_command "find $TMP -exec setfacl -a0 everyone@:rxd:allow {} \;" +run_command "rm -rfv $TMP" + +echo "# Fuzzed, thank you." + diff --git a/tests/sys/acl/mktrivial.sh b/tests/sys/acl/mktrivial.sh new file mode 100755 index 000000000..99e3614cd --- /dev/null +++ b/tests/sys/acl/mktrivial.sh @@ -0,0 +1,53 @@ +#!/bin/sh +# +# Copyright (c) 2010 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# This shell script generates an input file for the "run" script, used +# to verify generation of trivial ACLs. + +echo "$ touch f" +touch f + +for s in `jot 7 0 7`; do + for u in `jot 7 0 7`; do + for g in `jot 7 0 7`; do + for o in `jot 7 0 7`; do + echo "$ chmod 0$s$u$g$o f" + chmod "0$s$u$g$o" f + echo "$ ls -l f | cut -d' ' -f1" + ls -l f | cut -d' ' -f1 | sed 's/^/> /' + echo "$ getfacl -q f" + getfacl -q f | sed 's/^/> /' + done + done + done +done + +echo "$ rm f" +rm f + diff --git a/tests/sys/acl/run b/tests/sys/acl/run new file mode 100644 index 000000000..383f47e62 --- /dev/null +++ b/tests/sys/acl/run @@ -0,0 +1,329 @@ +#!/usr/bin/perl -w -U + +# Copyright (c) 2007, 2008 Andreas Gruenbacher. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions, and the following disclaimer, +# without modification, immediately at the beginning of the file. +# 2. The name of the author may not be used to endorse or promote products +# derived from this software without specific prior written permission. +# +# Alternatively, this software may be distributed under the terms of the +# GNU Public License ("GPL"). +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR +# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# +# Possible improvements: +# +# - distinguish stdout and stderr output +# - add environment variable like assignments +# - run up to a specific line +# - resume at a specific line +# + +use strict; +use FileHandle; +use Getopt::Std; +use POSIX qw(isatty setuid getcwd); +use vars qw($opt_l $opt_v); + +no warnings qw(taint); + +$opt_l = ~0; # a really huge number +getopts('l:v'); + +my ($OK, $FAILED) = ("ok", "failed"); +if (isatty(fileno(STDOUT))) { + $OK = "\033[32m" . $OK . "\033[m"; + $FAILED = "\033[31m\033[1m" . $FAILED . "\033[m"; +} + +sub exec_test($$); +sub process_test($$$$); + +my ($prog, $in, $out) = ([], [], []); +my $prog_line = 0; +my ($tests, $failed) = (0,0); +my $lineno; +my $width = ($ENV{COLUMNS} || 80) >> 1; + +for (;;) { + my $line = <>; $lineno++; + if (defined $line) { + # Substitute %VAR and %{VAR} with environment variables. + $line =~ s[%(\w+)][$ENV{$1}]eg; + $line =~ s[%{(\w+)}][$ENV{$1}]eg; + } + if (defined $line) { + if ($line =~ s/^\s*< ?//) { + push @$in, $line; + } elsif ($line =~ s/^\s*> ?//) { + push @$out, $line; + } else { + process_test($prog, $prog_line, $in, $out); + last if $prog_line >= $opt_l; + + $prog = []; + $prog_line = 0; + } + if ($line =~ s/^\s*\$ ?//) { + $prog = [ map { s/\\(.)/$1/g; $_ } split /(? @$result) ? @$out : @$result; + for (my $n=0; $n < $nmax; $n++) { + my $use_re; + if (defined $out->[$n] && $out->[$n] =~ /^~ /) { + $use_re = 1; + $out->[$n] =~ s/^~ //g; + } + + if (!defined($out->[$n]) || !defined($result->[$n]) || + (!$use_re && $result->[$n] ne $out->[$n]) || + ( $use_re && $result->[$n] !~ /^$out->[$n]/)) { + push @good, ($use_re ? '!~' : '!='); + } + else { + push @good, ($use_re ? '=~' : '=='); + } + } + my $good = !(grep /!/, @good); + $tests++; + $failed++ unless $good; + print $good ? $OK : $FAILED, "\n"; + if (!$good || $opt_v) { + for (my $n=0; $n < $nmax; $n++) { + my $l = defined($out->[$n]) ? $out->[$n] : "~"; + chomp $l; + my $r = defined($result->[$n]) ? $result->[$n] : "~"; + chomp $r; + print sprintf("%-" . ($width-3) . "s %s %s\n", + $r, $good[$n], $l); + } + } +} + + +sub su($) { + my ($user) = @_; + + $user ||= "root"; + + my ($login, $pass, $uid, $gid) = getpwnam($user) + or return [ "su: user $user does not exist\n" ]; + my @groups = (); + my $fh = new FileHandle("/etc/group") + or return [ "opening /etc/group: $!\n" ]; + while (<$fh>) { + chomp; + my ($group, $passwd, $gid, $users) = split /:/; + foreach my $u (split /,/, $users) { + push @groups, $gid + if ($user eq $u); + } + } + $fh->close; + + my $groups = join(" ", ($gid, $gid, @groups)); + #print STDERR "[[$groups]]\n"; + $! = 0; # reset errno + $> = 0; + $( = $gid; + $) = $groups; + if ($!) { + return [ "su: $!\n" ]; + } + if ($uid != 0) { + $> = $uid; + #$< = $uid; + if ($!) { + return [ "su: $prog->[1]: $!\n" ]; + } + } + #print STDERR "[($>,$<)($(,$))]"; + return []; +} + + +sub sg($) { + my ($group) = @_; + + my $gid = getgrnam($group) + or return [ "sg: group $group does not exist\n" ]; + my %groups = map { $_ eq $gid ? () : ($_ => 1) } (split /\s/, $)); + + #print STDERR "<<", join("/", keys %groups), ">>\n"; + my $groups = join(" ", ($gid, $gid, keys %groups)); + #print STDERR "[[$groups]]\n"; + $! = 0; # reset errno + if ($> != 0) { + my $uid = $>; + $> = 0; + $( = $gid; + $) = $groups; + $> = $uid; + } else { + $( = $gid; + $) = $groups; + } + if ($!) { + return [ "sg: $!\n" ]; + } + print STDERR "[($>,$<)($(,$))]"; + return []; +} + + +sub exec_test($$) { + my ($prog, $in) = @_; + local (*IN, *IN_DUP, *IN2, *OUT_DUP, *OUT, *OUT2); + my $needs_shell = (join('', @$prog) =~ /[][|<>"'`\$\*\?]/); + + if ($prog->[0] eq "umask") { + umask oct $prog->[1]; + return []; + } elsif ($prog->[0] eq "cd") { + if (!chdir $prog->[1]) { + return [ "chdir: $prog->[1]: $!\n" ]; + } + $ENV{PWD} = getcwd; + return []; + } elsif ($prog->[0] eq "su") { + return su($prog->[1]); + } elsif ($prog->[0] eq "sg") { + return sg($prog->[1]); + } elsif ($prog->[0] eq "export") { + my ($name, $value) = split /=/, $prog->[1]; + # FIXME: need to evaluate $value, so that things like this will work: + # export dir=$PWD/dir + $ENV{$name} = $value; + return []; + } elsif ($prog->[0] eq "unset") { + delete $ENV{$prog->[1]}; + return []; + } + + pipe *IN2, *OUT + or die "Can't create pipe for reading: $!"; + open *IN_DUP, "<&STDIN" + or *IN_DUP = undef; + open *STDIN, "<&IN2" + or die "Can't duplicate pipe for reading: $!"; + close *IN2; + + open *OUT_DUP, ">&STDOUT" + or die "Can't duplicate STDOUT: $!"; + pipe *IN, *OUT2 + or die "Can't create pipe for writing: $!"; + open *STDOUT, ">&OUT2" + or die "Can't duplicate pipe for writing: $!"; + close *OUT2; + + *STDOUT->autoflush(); + *OUT->autoflush(); + + $SIG{CHLD} = 'IGNORE'; + + if (fork()) { + # Server + if (*IN_DUP) { + open *STDIN, "<&IN_DUP" + or die "Can't duplicate STDIN: $!"; + close *IN_DUP + or die "Can't close STDIN duplicate: $!"; + } + open *STDOUT, ">&OUT_DUP" + or die "Can't duplicate STDOUT: $!"; + close *OUT_DUP + or die "Can't close STDOUT duplicate: $!"; + + foreach my $line (@$in) { + #print "> $line"; + print OUT $line; + } + close *OUT + or die "Can't close pipe for writing: $!"; + + my $result = []; + while () { + #print "< $_"; + if ($needs_shell) { + s#^/bin/sh: line \d+: ##; + } + push @$result, $_; + } + return $result; + } else { + # Client + $< = $>; + close IN + or die "Can't close read end for input pipe: $!"; + close OUT + or die "Can't close write end for output pipe: $!"; + close OUT_DUP + or die "Can't close STDOUT duplicate: $!"; + local *ERR_DUP; + open ERR_DUP, ">&STDERR" + or die "Can't duplicate STDERR: $!"; + open STDERR, ">&STDOUT" + or die "Can't join STDOUT and STDERR: $!"; + + if ($needs_shell) { + exec ('/bin/sh', '-c', join(" ", @$prog)); + } else { + exec @$prog; + } + print STDERR $prog->[0], ": $!\n"; + exit; + } +} + diff --git a/tests/sys/acl/tools-crossfs.test b/tests/sys/acl/tools-crossfs.test new file mode 100644 index 000000000..1f5963763 --- /dev/null +++ b/tests/sys/acl/tools-crossfs.test @@ -0,0 +1,323 @@ +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# This is a tools-level test intended to verify that cp(1) and mv(1) +# do the right thing with respect to ACLs. Run it as root using +# ACL-enabled kernel: +# +# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test +# +# You need to have three subdirectories, named nfs4, posix and none, +# with filesystems with NFSv4 ACLs, POSIX.1e ACLs and no ACLs enabled, +# respectively, mounted on them, in your current directory. +# +# WARNING: Creates files in unsafe way. + +$ whoami +> root +$ umask 022 + +$ touch nfs4/xxx +$ getfacl -nq nfs4/xxx +> owner@:rw-p--aARWcCos:-------:allow +> group@:r-----a-R-c--s:-------:allow +> everyone@:r-----a-R-c--s:-------:allow + +$ touch posix/xxx +$ getfacl -nq posix/xxx +> user::rw- +> group::r-- +> other::r-- + +# mv with POSIX.1e ACLs. +$ rm -f posix/xxx +$ rm -f posix/yyy +$ touch posix/xxx +$ chmod 456 posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -r--r-xrw- +$ setfacl -m u:42:x,g:43:w posix/xxx +$ mv posix/xxx posix/yyy +$ getfacl -nq posix/yyy +> user::r-- +> user:42:--x +> group::r-x +> group:43:-w- +> mask::rwx +> other::rw- +$ ls -l posix/yyy | cut -d' ' -f1 +> -r--rwxrw-+ + +# mv from POSIX.1e to none. +$ rm -f posix/xxx +$ rm -f none/xxx +$ touch posix/xxx +$ chmod 345 posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> --wxrwxr-x+ +$ mv posix/xxx none/xxx +> mv: failed to set acl entries for none/xxx: Operation not supported +$ ls -l none/xxx | cut -d' ' -f1 +> --wxrwxr-x + +# mv from POSIX.1e to NFSv4. +$ rm -f posix/xxx +$ rm -f nfs4/xxx +$ touch posix/xxx +$ chmod 456 posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -r--rwxrw-+ +$ mv posix/yyy nfs4/xxx +> mv: failed to set acl entries for nfs4/xxx: Invalid argument +$ getfacl -nq nfs4/xxx +> owner@:-wxp----------:-------:deny +> owner@:r-----aARWcCos:-------:allow +> group@:rwxp--a-R-c--s:-------:allow +> everyone@:rw-p--a-R-c--s:-------:allow +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -r--rwxrw- + +# mv with NFSv4 ACLs. +$ rm -f nfs4/xxx +$ rm -f nfs4/yyy +$ touch nfs4/xxx +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ mv nfs4/xxx nfs4/yyy +$ getfacl -nq nfs4/yyy +> user:42:--x-----------:-------:allow +> group:43:-w------------:-------:allow +> owner@:rw-p--aARWcCos:-------:allow +> group@:r-----a-R-c--s:-------:allow +> everyone@:r-----a-R-c--s:-------:allow +$ ls -l nfs4/yyy | cut -d' ' -f1 +> -rw-r--r--+ + +# mv from NFSv4 to POSIX.1e without any ACLs. +$ rm -f nfs4/xxx +$ rm -f posix/xxx +$ touch nfs4/xxx +$ chmod 456 nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -r--r-xrw- +$ mv nfs4/xxx posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -r--r-xrw- + +# mv from NFSv4 to none. +$ rm -f nfs4/xxx +$ rm -f none/xxx +$ touch nfs4/xxx +$ chmod 345 nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> --wxr--r-x +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> --wxr--r-x+ +$ mv nfs4/xxx none/xxx +> mv: failed to set acl entries for none/xxx: Operation not supported +$ ls -l none/xxx | cut -d' ' -f1 +> --wxr--r-x + +# mv from NFSv4 to POSIX.1e. +$ rm -f nfs4/xxx +$ rm -f posix/xxx +$ touch nfs4/xxx +$ chmod 345 nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> --wxr--r-x +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> --wxr--r-x+ +$ mv nfs4/xxx posix/xxx +> mv: failed to set acl entries for posix/xxx: Invalid argument +$ ls -l posix/xxx | cut -d' ' -f1 +> --wxr--r-x + +# cp with POSIX.1e ACLs. +$ rm -f posix/xxx +$ rm -f posix/yyy +$ touch posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -rw-rwxr--+ +$ cp posix/xxx posix/yyy +$ ls -l posix/yyy | cut -d' ' -f1 +> -rw-r-xr-- + +# cp -p with POSIX.1e ACLs. +$ rm -f posix/xxx +$ rm -f posix/yyy +$ touch posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ getfacl -nq posix/xxx +> user::rw- +> user:42:--x +> group::r-- +> group:43:-w- +> mask::rwx +> other::r-- +$ ls -l posix/xxx | cut -d' ' -f1 +> -rw-rwxr--+ +$ cp -p posix/xxx posix/yyy +$ getfacl -nq posix/yyy +> user::rw- +> user:42:--x +> group::r-- +> group:43:-w- +> mask::rwx +> other::r-- +$ ls -l posix/yyy | cut -d' ' -f1 +> -rw-rwxr--+ + +# cp from POSIX.1e to none. +$ rm -f posix/xxx +$ rm -f none/xxx +$ touch posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -rw-rwxr--+ +$ cp posix/xxx none/xxx +$ ls -l none/xxx | cut -d' ' -f1 +> -rw-r-xr-- + +# cp -p from POSIX.1e to none. +$ rm -f posix/xxx +$ rm -f none/xxx +$ touch posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -rw-rwxr--+ +$ cp -p posix/xxx none/xxx +> cp: failed to set acl entries for none/xxx: Operation not supported +$ ls -l none/xxx | cut -d' ' -f1 +> -rw-rwxr-- + +# cp from POSIX.1e to NFSv4. +$ rm -f posix/xxx +$ rm -f nfs4/xxx +$ touch posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -rw-rwxr--+ +$ cp posix/xxx nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -rw-r-xr-- + +# cp -p from POSIX.1e to NFSv4. +$ rm -f posix/xxx +$ rm -f nfs4/xxx +$ touch posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -rw-rwxr--+ +$ cp -p posix/xxx nfs4/xxx +> cp: failed to set acl entries for nfs4/xxx: Invalid argument +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -rw-rwxr-- + +# cp with NFSv4 ACLs. +$ rm -f nfs4/xxx +$ rm -f nfs4/yyy +$ touch nfs4/xxx +$ chmod 543 nfs4/xxx +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -r-xr---wx+ +$ cp nfs4/xxx nfs4/yyy +$ ls -l nfs4/yyy | cut -d' ' -f1 +> -r-xr----x + +# cp -p with NFSv4 ACLs. +$ rm -f nfs4/xxx +$ rm -f nfs4/yyy +$ touch nfs4/xxx +$ chmod 543 nfs4/xxx +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ cp -p nfs4/xxx nfs4/yyy +$ getfacl -nq nfs4/yyy +> user:42:--x-----------:-------:allow +> group:43:-w------------:-------:allow +> owner@:--x-----------:-------:allow +> owner@:-w-p----------:-------:deny +> group@:-wxp----------:-------:deny +> owner@:r-x---aARWcCos:-------:allow +> group@:r-----a-R-c--s:-------:allow +> everyone@:-wxp--a-R-c--s:-------:allow +$ ls -l nfs4/yyy | cut -d' ' -f1 +> -r-xr---wx+ + +# cp from NFSv4 to none. +$ rm -f nfs4/xxx +$ rm -f none/xxx +$ touch nfs4/xxx +$ chmod 543 nfs4/xxx +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -r-xr---wx+ +$ cp nfs4/xxx none/xxx +$ ls -l none/xxx | cut -d' ' -f1 +> -r-xr----x + +# cp -p from NFSv4 to none. +$ rm -f nfs4/xxx +$ rm -f none/xxx +$ touch nfs4/xxx +$ chmod 543 nfs4/xxx +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -r-xr---wx+ +$ cp -p nfs4/xxx none/xxx +> cp: failed to set acl entries for none/xxx: Operation not supported +$ ls -l none/xxx | cut -d' ' -f1 +> -r-xr---wx + +# cp from NFSv4 to POSIX.1e. +$ rm -f nfs4/xxx +$ rm -f posix/xxx +$ touch nfs4/xxx +$ chmod 543 nfs4/xxx +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -r-xr---wx+ +$ cp nfs4/xxx posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -r-xr----x + +# cp -p from NFSv4 to POSIX.1e. +$ rm -f nfs4/xxx +$ rm -f posix/xxx +$ touch nfs4/xxx +$ chmod 543 nfs4/xxx +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -r-xr---wx+ +$ cp -p nfs4/xxx posix/xxx +> cp: failed to set acl entries for posix/xxx: Invalid argument +$ ls -l posix/xxx | cut -d' ' -f1 +> -r-xr---wx diff --git a/tests/sys/acl/tools-nfs4-psarc.test b/tests/sys/acl/tools-nfs4-psarc.test new file mode 100644 index 000000000..9ab0b51ee --- /dev/null +++ b/tests/sys/acl/tools-nfs4-psarc.test @@ -0,0 +1,562 @@ +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# This is a tools-level test for NFSv4 ACL functionality with PSARC/2010/029 +# semantics. Run it as root using ACL-enabled kernel: +# +# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4-psarc.test +# +# WARNING: Creates files in unsafe way. + +$ whoami +> root +$ umask 022 + +# Smoke test for getfacl(1). +$ touch xxx +$ getfacl xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:rw-p--aARWcCos:-------:allow +> group@:r-----a-R-c--s:-------:allow +> everyone@:r-----a-R-c--s:-------:allow + +$ getfacl -q xxx +> owner@:rw-p--aARWcCos:-------:allow +> group@:r-----a-R-c--s:-------:allow +> everyone@:r-----a-R-c--s:-------:allow + +# Check verbose mode formatting. +$ getfacl -v xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:read_data/write_data/append_data/read_attributes/write_attributes/read_xattr/write_xattr/read_acl/write_acl/write_owner/synchronize::allow +> group@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow +> everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow + +# Test setfacl -a. +$ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:rw-p--aARWcCos:-------:allow +> group@:r-----a-R-c--s:-------:allow +> user:0:-----------C--:-------:allow +> group:1:----------c---:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Test user and group name resolving. +$ rm xxx +$ touch xxx +$ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx +$ getfacl xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:rw-p--aARWcCos:-------:allow +> group@:r-----a-R-c--s:-------:allow +> user:root:-----------C--:-------:allow +> group:daemon:----------c---:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Check whether ls correctly marks files with "+". +$ ls -l xxx | cut -d' ' -f1 +> -rw-r--r--+ + +# Test removing entries by number. +$ setfacl -x 1 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:rw-p--aARWcCos:-------:allow +> user:0:-----------C--:-------:allow +> group:1:----------c---:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Test setfacl -m. +$ setfacl -a0 everyone@:rwx:deny xxx +$ setfacl -a0 everyone@:rwx:deny xxx +$ setfacl -a0 everyone@:rwx:deny xxx +$ setfacl -m everyone@::deny xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> owner@:rw-p--aARWcCos:-------:allow +> user:0:-----------C--:-------:allow +> group:1:----------c---:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Test getfacl -i. +$ getfacl -i xxx +> # file: xxx +> # owner: root +> # group: wheel +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> owner@:rw-p--aARWcCos:-------:allow +> user:root:-----------C--:-------:allow:0 +> group:daemon:----------c---:-------:deny:1 +> everyone@:r-----a-R-c--s:-------:allow + +# Make sure cp without any flags does not copy copy the ACL. +$ cp xxx yyy +$ ls -l yyy | cut -d' ' -f1 +> -rw-r--r-- + +# Make sure it does with the "-p" flag. +$ rm yyy +$ cp -p xxx yyy +$ getfacl -n yyy +> # file: yyy +> # owner: root +> # group: wheel +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> owner@:rw-p--aARWcCos:-------:allow +> user:0:-----------C--:-------:allow +> group:1:----------c---:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ rm yyy + +# Test removing entries by... by example? +$ setfacl -x everyone@::deny xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:rw-p--aARWcCos:-------:allow +> user:0:-----------C--:-------:allow +> group:1:----------c---:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Test setfacl -b. +$ setfacl -b xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:rw-p--aARWcCos:-------:allow +> group@:r-----a-R-c--s:-------:allow +> everyone@:r-----a-R-c--s:-------:allow + +$ ls -l xxx | cut -d' ' -f1 +> -rw-r--r-- + +# Check setfacl(1) and getfacl(1) with multiple files. +$ touch xxx yyy zzz + +$ ls -l xxx yyy zzz | cut -d' ' -f1 +> -rw-r--r-- +> -rw-r--r-- +> -rw-r--r-- + +$ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz +> setfacl: nnn: stat() failed: No such file or directory + +$ ls -l nnn xxx yyy zzz | cut -d' ' -f1 +> ls: nnn: No such file or directory +> -rw-r--r--+ +> -rw-r--r--+ +> -rw-r--r--+ + +$ getfacl -nq nnn xxx yyy zzz +> getfacl: nnn: stat() failed: No such file or directory +> user:42:--x-----------:-------:allow +> group:43:-w------------:-------:allow +> owner@:rw-p--aARWcCos:-------:allow +> group@:r-----a-R-c--s:-------:allow +> everyone@:r-----a-R-c--s:-------:allow +> +> user:42:--x-----------:-------:allow +> group:43:-w------------:-------:allow +> owner@:rw-p--aARWcCos:-------:allow +> group@:r-----a-R-c--s:-------:allow +> everyone@:r-----a-R-c--s:-------:allow +> +> user:42:--x-----------:-------:allow +> group:43:-w------------:-------:allow +> owner@:rw-p--aARWcCos:-------:allow +> group@:r-----a-R-c--s:-------:allow +> everyone@:r-----a-R-c--s:-------:allow + +$ setfacl -b nnn xxx yyy zzz +> setfacl: nnn: stat() failed: No such file or directory + +$ ls -l nnn xxx yyy zzz | cut -d' ' -f1 +> ls: nnn: No such file or directory +> -rw-r--r-- +> -rw-r--r-- +> -rw-r--r-- + +$ rm xxx yyy zzz + +# Test applying mode to an ACL. +$ touch xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx +$ chmod 600 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:rw-p--aARWcCos:-------:allow +> group@:------a-R-c--s:-------:allow +> everyone@:------a-R-c--s:-------:allow + +$ ls -l xxx | cut -d' ' -f1 +> -rw------- + +$ rm xxx +$ touch xxx +$ chown 42 xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx +$ chmod 600 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: 42 +> # group: wheel +> owner@:rw-p--aARWcCos:-------:allow +> group@:------a-R-c--s:-------:allow +> everyone@:------a-R-c--s:-------:allow +$ ls -l xxx | cut -d' ' -f1 +> -rw------- + +$ rm xxx +$ touch xxx +$ chown 43 xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx +$ chmod 124 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: 43 +> # group: wheel +> owner@:rw-p----------:-------:deny +> group@:r-------------:-------:deny +> owner@:--x---aARWcCos:-------:allow +> group@:-w-p--a-R-c--s:-------:allow +> everyone@:r-----a-R-c--s:-------:allow +$ ls -l xxx | cut -d' ' -f1 +> ---x-w-r-- + +$ rm xxx +$ touch xxx +$ chown 43 xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx +$ chmod 412 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: 43 +> # group: wheel +> owner@:-wxp----------:-------:deny +> group@:-w-p----------:-------:deny +> owner@:r-----aARWcCos:-------:allow +> group@:--x---a-R-c--s:-------:allow +> everyone@:-w-p--a-R-c--s:-------:allow +$ ls -l xxx | cut -d' ' -f1 +> -r----x-w- + +$ mkdir ddd +$ setfacl -a0 group:44:rwapd:allow ddd +$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd +$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd +$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd +$ getfacl -n ddd +> # file: ddd +> # owner: root +> # group: wheel +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-d-----:allow +> group:43:-w--D---------:-d-----:deny +> group@:-----da-------:-------:allow +> group:44:rw-p-da-------:-------:allow +> owner@:rwxp--aARWcCos:-------:allow +> group@:r-x---a-R-c--s:-------:allow +> everyone@:-w-p--a-R-c--s:f-i----:allow + +$ chmod 777 ddd +$ getfacl -n ddd +> # file: ddd +> # owner: root +> # group: wheel +> owner@:rwxp--aARWcCos:-------:allow +> group@:rwxp--a-R-c--s:-------:allow +> everyone@:rwxp--a-R-c--s:-------:allow + +# Test applying ACL to mode. +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 u:42:rwx:fi:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> drwxr-xr-x+ + +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr----x---+ + +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr---wx---+ + +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr--------+ + +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr--------+ + +# Test inheritance. +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd +$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd +$ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd +$ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd +$ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd +$ getfacl -qn ddd +> user:41:-w-----A------:f--n---:allow +> group:41:r-----a-------:-din---:allow +> user:42:-----------Co-:f-i----:allow +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-d-n---:deny +> group:43:-w---------C--:f-in---:deny +> user:43:rwxp----------:-------:allow +> owner@:rwxp--aARWcCos:-------:allow +> group@:r-x---a-R-c--s:-------:allow +> everyone@:r-x---a-R-c--s:-------:allow + +$ cd ddd +$ touch xxx +$ getfacl -qn xxx +> user:41:--------------:------I:allow +> user:42:--------------:------I:allow +> user:42:r-------------:------I:allow +> group:43:-w---------C--:------I:deny +> owner@:rw-p--aARWcCos:-------:allow +> group@:r-----a-R-c--s:-------:allow +> everyone@:r-----a-R-c--s:-------:allow + +$ rm xxx +$ umask 077 +$ touch xxx +$ getfacl -qn xxx +> user:41:--------------:------I:allow +> user:42:--------------:------I:allow +> user:42:--------------:------I:allow +> group:43:-w---------C--:------I:deny +> owner@:rw-p--aARWcCos:-------:allow +> group@:------a-R-c--s:-------:allow +> everyone@:------a-R-c--s:-------:allow + +$ rm xxx +$ umask 770 +$ touch xxx +$ getfacl -qn xxx +> owner@:rw-p----------:-------:deny +> group@:rw-p----------:-------:deny +> user:41:--------------:------I:allow +> user:42:--------------:------I:allow +> user:42:--------------:------I:allow +> group:43:-w---------C--:------I:deny +> owner@:------aARWcCos:-------:allow +> group@:------a-R-c--s:-------:allow +> everyone@:rw-p--a-R-c--s:-------:allow + +$ rm xxx +$ umask 707 +$ touch xxx +$ getfacl -qn xxx +> owner@:rw-p----------:-------:deny +> user:41:-w------------:------I:allow +> user:42:--------------:------I:allow +> user:42:r-------------:------I:allow +> group:43:-w---------C--:------I:deny +> owner@:------aARWcCos:-------:allow +> group@:rw-p--a-R-c--s:-------:allow +> everyone@:------a-R-c--s:-------:allow + +$ umask 077 +$ mkdir yyy +$ getfacl -qn yyy +> group:41:------a-------:------I:allow +> user:42:-----------Co-:f-i---I:allow +> user:42:r-x-----------:f-i---I:allow +> group:42:-w--D---------:------I:deny +> owner@:rwxp--aARWcCos:-------:allow +> group@:------a-R-c--s:-------:allow +> everyone@:------a-R-c--s:-------:allow + +$ rmdir yyy +$ umask 770 +$ mkdir yyy +$ getfacl -qn yyy +> owner@:rwxp----------:-------:deny +> group@:rwxp----------:-------:deny +> group:41:------a-------:------I:allow +> user:42:-----------Co-:f-i---I:allow +> user:42:r-x-----------:f-i---I:allow +> group:42:-w--D---------:------I:deny +> owner@:------aARWcCos:-------:allow +> group@:------a-R-c--s:-------:allow +> everyone@:rwxp--a-R-c--s:-------:allow + +$ rmdir yyy +$ umask 707 +$ mkdir yyy +$ getfacl -qn yyy +> owner@:rwxp----------:-------:deny +> group:41:r-----a-------:------I:allow +> user:42:-----------Co-:f-i---I:allow +> user:42:r-x-----------:f-i---I:allow +> group:42:-w--D---------:------I:deny +> owner@:------aARWcCos:-------:allow +> group@:rwxp--a-R-c--s:-------:allow +> everyone@:------a-R-c--s:-------:allow + +# There is some complication regarding how write_acl and write_owner flags +# get inherited. Make sure we got it right. +$ setfacl -b . +$ setfacl -a0 u:42:Co:f:allow . +$ setfacl -a0 u:43:Co:d:allow . +$ setfacl -a0 u:44:Co:fd:allow . +$ setfacl -a0 u:45:Co:fi:allow . +$ setfacl -a0 u:46:Co:di:allow . +$ setfacl -a0 u:47:Co:fdi:allow . +$ setfacl -a0 u:48:Co:fn:allow . +$ setfacl -a0 u:49:Co:dn:allow . +$ setfacl -a0 u:50:Co:fdn:allow . +$ setfacl -a0 u:51:Co:fni:allow . +$ setfacl -a0 u:52:Co:dni:allow . +$ setfacl -a0 u:53:Co:fdni:allow . +$ umask 022 +$ rm xxx +$ touch xxx +$ getfacl -nq xxx +> user:53:--------------:------I:allow +> user:51:--------------:------I:allow +> user:50:--------------:------I:allow +> user:48:--------------:------I:allow +> user:47:--------------:------I:allow +> user:45:--------------:------I:allow +> user:44:--------------:------I:allow +> user:42:--------------:------I:allow +> owner@:rw-p--aARWcCos:-------:allow +> group@:r-----a-R-c--s:-------:allow +> everyone@:r-----a-R-c--s:-------:allow + +$ rmdir yyy +$ mkdir yyy +$ getfacl -nq yyy +> user:53:--------------:------I:allow +> user:52:--------------:------I:allow +> user:50:--------------:------I:allow +> user:49:--------------:------I:allow +> user:47:--------------:fd----I:allow +> user:46:--------------:-d----I:allow +> user:45:-----------Co-:f-i---I:allow +> user:44:--------------:fd----I:allow +> user:43:--------------:-d----I:allow +> user:42:-----------Co-:f-i---I:allow +> owner@:rwxp--aARWcCos:-------:allow +> group@:r-x---a-R-c--s:-------:allow +> everyone@:r-x---a-R-c--s:-------:allow + +$ setfacl -b . +$ setfacl -a0 u:42:Co:f:deny . +$ setfacl -a0 u:43:Co:d:deny . +$ setfacl -a0 u:44:Co:fd:deny . +$ setfacl -a0 u:45:Co:fi:deny . +$ setfacl -a0 u:46:Co:di:deny . +$ setfacl -a0 u:47:Co:fdi:deny . +$ setfacl -a0 u:48:Co:fn:deny . +$ setfacl -a0 u:49:Co:dn:deny . +$ setfacl -a0 u:50:Co:fdn:deny . +$ setfacl -a0 u:51:Co:fni:deny . +$ setfacl -a0 u:52:Co:dni:deny . +$ setfacl -a0 u:53:Co:fdni:deny . +$ umask 022 +$ rm xxx +$ touch xxx +$ getfacl -nq xxx +> user:53:-----------Co-:------I:deny +> user:51:-----------Co-:------I:deny +> user:50:-----------Co-:------I:deny +> user:48:-----------Co-:------I:deny +> user:47:-----------Co-:------I:deny +> user:45:-----------Co-:------I:deny +> user:44:-----------Co-:------I:deny +> user:42:-----------Co-:------I:deny +> owner@:rw-p--aARWcCos:-------:allow +> group@:r-----a-R-c--s:-------:allow +> everyone@:r-----a-R-c--s:-------:allow + +$ rmdir yyy +$ mkdir yyy +$ getfacl -nq yyy +> user:53:-----------Co-:------I:deny +> user:52:-----------Co-:------I:deny +> user:50:-----------Co-:------I:deny +> user:49:-----------Co-:------I:deny +> user:47:-----------Co-:fd----I:deny +> user:46:-----------Co-:-d----I:deny +> user:45:-----------Co-:f-i---I:deny +> user:44:-----------Co-:fd----I:deny +> user:43:-----------Co-:-d----I:deny +> user:42:-----------Co-:f-i---I:deny +> owner@:rwxp--aARWcCos:-------:allow +> group@:r-x---a-R-c--s:-------:allow +> everyone@:r-x---a-R-c--s:-------:allow + +$ rmdir yyy +$ rm xxx +$ cd .. +$ rmdir ddd + +$ rm xxx + diff --git a/tests/sys/acl/tools-nfs4-trivial.test b/tests/sys/acl/tools-nfs4-trivial.test new file mode 100644 index 000000000..366b099d8 --- /dev/null +++ b/tests/sys/acl/tools-nfs4-trivial.test @@ -0,0 +1,82 @@ +# Copyright (c) 2011 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# This is a tools-level test for acl_is_trivial_np(3). Run it as root on ZFS. +# Note that this does not work on UFS with NFSv4 ACLs enabled - UFS recognizes +# both kind of trivial ACLs and replaces it by the default one. +# +# WARNING: Creates files in unsafe way. + +$ whoami +> root +$ umask 022 + +# Check whether ls(1) correctly recognizes PSARC/2010/029-style trivial ACLs. +$ touch xxx + +$ ls -l xxx | cut -d' ' -f1 +> -rw-r--r-- + +$ getfacl -q xxx +> owner@:rw-p--aARWcCos:-------:allow +> group@:r-----a-R-c--s:-------:allow +> everyone@:r-----a-R-c--s:-------:allow + +# Check whether ls(1) correctly recognizes draft-style trivial ACLs. +$ rm xxx +$ touch xxx +$ setfacl -a0 owner@:x:deny,owner@:rwpAWCo:allow,group@:wxp:deny,group@:r:allow,everyone@:wxpAWCo:deny,everyone@:raRcs:allow xxx +$ setfacl -x5 xxx +$ setfacl -x5 xxx +$ setfacl -x5 xxx + +$ ls -l xxx | cut -d' ' -f1 +> -rw-r--r-- + +$ getfacl -q xxx +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Make sure ls(1) actually can recognize something as non-trivial. +$ setfacl -x0 xxx + +$ ls -l xxx | cut -d' ' -f1 +> -rw-r--r--+ + +$ getfacl -q xxx +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ rm xxx + diff --git a/tests/sys/acl/tools-nfs4.test b/tests/sys/acl/tools-nfs4.test new file mode 100644 index 000000000..e2ddc2bb2 --- /dev/null +++ b/tests/sys/acl/tools-nfs4.test @@ -0,0 +1,828 @@ +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# This is a tools-level test for NFSv4 ACL functionality. Run it as root +# using ACL-enabled kernel: +# +# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test +# +# WARNING: Creates files in unsafe way. + +$ whoami +> root +$ umask 022 + +# Smoke test for getfacl(1). +$ touch xxx +$ getfacl xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ getfacl -q xxx +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Check verbose mode formatting. +$ getfacl -v xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:execute::deny +> owner@:read_data/write_data/append_data/write_attributes/write_xattr/write_acl/write_owner::allow +> group@:write_data/execute/append_data::deny +> group@:read_data::allow +> everyone@:write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::deny +> everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow + +# Test setfacl -a. +$ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> user:0:-----------C--:-------:allow +> group:1:----------c---:-------:deny +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Test user and group name resolving. +$ rm xxx +$ touch xxx +$ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx +$ getfacl xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> user:root:-----------C--:-------:allow +> group:daemon:----------c---:-------:deny +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Check whether ls correctly marks files with "+". +$ ls -l xxx | cut -d' ' -f1 +> -rw-r--r--+ + +# Test removing entries by number. +$ setfacl -x 4 xxx +$ setfacl -x 4 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> user:0:-----------C--:-------:allow +> group:1:----------c---:-------:deny +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Test setfacl -m. +$ setfacl -a0 everyone@:rwx:deny xxx +$ setfacl -a0 everyone@:rwx:deny xxx +$ setfacl -a0 everyone@:rwx:deny xxx +$ setfacl -m everyone@::deny xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> user:0:-----------C--:-------:allow +> group:1:----------c---:-------:deny +> everyone@:--------------:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Test getfacl -i. +$ getfacl -i xxx +> # file: xxx +> # owner: root +> # group: wheel +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> user:root:-----------C--:-------:allow:0 +> group:daemon:----------c---:-------:deny:1 +> everyone@:--------------:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Make sure cp without any flags does not copy copy the ACL. +$ cp xxx yyy +$ ls -l yyy | cut -d' ' -f1 +> -rw-r--r-- + +# Make sure it does with the "-p" flag. +$ rm yyy +$ cp -p xxx yyy +$ getfacl -n yyy +> # file: yyy +> # owner: root +> # group: wheel +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> user:0:-----------C--:-------:allow +> group:1:----------c---:-------:deny +> everyone@:--------------:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ rm yyy + +# Test removing entries by... by example? +$ setfacl -x everyone@::deny xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> user:0:-----------C--:-------:allow +> group:1:----------c---:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Test setfacl -b. +$ setfacl -b xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ ls -l xxx | cut -d' ' -f1 +> -rw-r--r-- + +# Check setfacl(1) and getfacl(1) with multiple files. +$ touch xxx yyy zzz + +$ ls -l xxx yyy zzz | cut -d' ' -f1 +> -rw-r--r-- +> -rw-r--r-- +> -rw-r--r-- + +$ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz +> setfacl: nnn: stat() failed: No such file or directory + +$ ls -l nnn xxx yyy zzz | cut -d' ' -f1 +> ls: nnn: No such file or directory +> -rw-r--r--+ +> -rw-r--r--+ +> -rw-r--r--+ + +$ getfacl -nq nnn xxx yyy zzz +> getfacl: nnn: stat() failed: No such file or directory +> user:42:--x-----------:-------:allow +> group:43:-w------------:-------:allow +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow +> +> user:42:--x-----------:-------:allow +> group:43:-w------------:-------:allow +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow +> +> user:42:--x-----------:-------:allow +> group:43:-w------------:-------:allow +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ setfacl -b nnn xxx yyy zzz +> setfacl: nnn: stat() failed: No such file or directory + +$ ls -l nnn xxx yyy zzz | cut -d' ' -f1 +> ls: nnn: No such file or directory +> -rw-r--r-- +> -rw-r--r-- +> -rw-r--r-- + +$ rm xxx yyy zzz + +# Test applying mode to an ACL. +$ touch xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx +$ chmod 600 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user:42:r-------------:-------:deny +> user:42:r-------------:-------:allow +> user:43:-w------------:-------:deny +> user:43:-w------------:-------:allow +> user:44:--x-----------:-------:deny +> user:44:--x-----------:-------:allow +> owner@:--------------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:--------------:-------:deny +> group@:--------------:-------:allow +> everyone@:-------A-W-Co-:-------:deny +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:rwxp----------:-------:deny +> group@:--------------:-------:allow +> everyone@:rwxp---A-W-Co-:-------:deny +> everyone@:------a-R-c--s:-------:allow +$ ls -l xxx | cut -d' ' -f1 +> -rw-------+ + +$ rm xxx +$ touch xxx +$ chown 42 xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx +$ chmod 600 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: 42 +> # group: wheel +> user:42:--------------:-------:deny +> user:42:r-------------:-------:allow +> user:43:-w------------:-------:deny +> user:43:-w------------:-------:allow +> user:44:--x-----------:-------:deny +> user:44:--x-----------:-------:allow +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:rwxp----------:-------:deny +> group@:--------------:-------:allow +> everyone@:rwxp---A-W-Co-:-------:deny +> everyone@:------a-R-c--s:-------:allow +$ ls -l xxx | cut -d' ' -f1 +> -rw-------+ + +$ rm xxx +$ touch xxx +$ chown 43 xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx +$ chmod 124 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: 43 +> # group: wheel +> user:42:r-------------:-------:deny +> user:42:r-------------:-------:allow +> user:43:-w------------:-------:deny +> user:43:-w------------:-------:allow +> user:44:--x-----------:-------:deny +> user:44:--x-----------:-------:allow +> owner@:rw-p----------:-------:deny +> owner@:--x----A-W-Co-:-------:allow +> group@:r-x-----------:-------:deny +> group@:-w-p----------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow +$ ls -l xxx | cut -d' ' -f1 +> ---x-w-r--+ + +$ rm xxx +$ touch xxx +$ chown 43 xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx +$ chmod 412 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: 43 +> # group: wheel +> user:42:r-------------:-------:deny +> user:42:r-------------:-------:allow +> user:43:-w------------:-------:deny +> user:43:-w------------:-------:allow +> user:44:--------------:-------:deny +> user:44:--x-----------:-------:allow +> owner@:-wxp----------:-------:deny +> owner@:r------A-W-Co-:-------:allow +> group@:rw-p----------:-------:deny +> group@:--x-----------:-------:allow +> everyone@:r-x----A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:-------:allow +$ ls -l xxx | cut -d' ' -f1 +> -r----x-w-+ + +$ mkdir ddd +$ setfacl -a0 group:44:rwapd:allow ddd +$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd +$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd +$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd +$ getfacl -n ddd +> # file: ddd +> # owner: root +> # group: wheel +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-d-----:allow +> group:43:-w--D---------:-d-----:deny +> group@:-----da-------:-------:allow +> group:44:rw-p-da-------:-------:allow +> owner@:--------------:-------:deny +> owner@:rwxp---A-W-Co-:-------:allow +> group@:-w-p----------:-------:deny +> group@:r-x-----------:-------:allow +> everyone@:-w-p---A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:f-i----:allow +$ chmod 777 ddd +$ getfacl -n ddd +> # file: ddd +> # owner: root +> # group: wheel +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-di----:allow +> group:42:--------------:-------:deny +> group:42:-w--D---------:-------:allow +> group:43:-w--D---------:-di----:deny +> group:43:-w--D---------:-------:deny +> group@:-----da-------:-------:allow +> group:44:--------------:-------:deny +> group:44:rw-p-da-------:-------:allow +> owner@:--------------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:--------------:-------:deny +> group@:--------------:-------:allow +> everyone@:-------A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:f-i----:allow +> owner@:--------------:-------:deny +> owner@:rwxp---A-W-Co-:-------:allow +> group@:--------------:-------:deny +> group@:rwxp----------:-------:allow +> everyone@:-------A-W-Co-:-------:deny +> everyone@:rwxp--a-R-c--s:-------:allow + +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 group:44:rwapd:allow ddd +$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd +$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd +$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd +$ chmod 124 ddd +$ getfacl -n ddd +> # file: ddd +> # owner: root +> # group: wheel +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-di----:allow +> group:42:--------------:-------:deny +> group:42:----D---------:-------:allow +> group:43:-w--D---------:-di----:deny +> group:43:-w--D---------:-------:deny +> group@:-----da-------:-------:allow +> group:44:r-------------:-------:deny +> group:44:r----da-------:-------:allow +> owner@:--------------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:--------------:-------:deny +> group@:--------------:-------:allow +> everyone@:-------A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:f-i----:allow +> owner@:rw-p----------:-------:deny +> owner@:--x----A-W-Co-:-------:allow +> group@:r-x-----------:-------:deny +> group@:-w-p----------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 group:44:rwapd:allow ddd +$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd +$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd +$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd +$ chmod 412 ddd +$ getfacl -n ddd +> # file: ddd +> # owner: root +> # group: wheel +> user:42:r-------------:-------:deny +> user:42:r-x-----------:-------:allow +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-di----:allow +> group:42:-w------------:-------:deny +> group:42:-w--D---------:-------:allow +> group:43:-w--D---------:-di----:deny +> group:43:-w--D---------:-------:deny +> group@:-----da-------:-------:allow +> group:44:rw-p----------:-------:deny +> group:44:rw-p-da-------:-------:allow +> owner@:--------------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:--------------:-------:deny +> group@:--------------:-------:allow +> everyone@:-------A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:f-i----:allow +> owner@:-wxp----------:-------:deny +> owner@:r------A-W-Co-:-------:allow +> group@:rw-p----------:-------:deny +> group@:--x-----------:-------:allow +> everyone@:r-x----A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:-------:allow + +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 group:44:rwapd:allow ddd +$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd +$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd +$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd +$ chown 42 ddd +$ chmod 412 ddd +$ getfacl -n ddd +> # file: ddd +> # owner: 42 +> # group: wheel +> user:42:--x-----------:-------:deny +> user:42:r-x-----------:-------:allow +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-di----:allow +> group:42:-w------------:-------:deny +> group:42:-w--D---------:-------:allow +> group:43:-w--D---------:-di----:deny +> group:43:-w--D---------:-------:deny +> group@:-----da-------:-------:allow +> group:44:rw-p----------:-------:deny +> group:44:rw-p-da-------:-------:allow +> owner@:--------------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:--------------:-------:deny +> group@:--------------:-------:allow +> everyone@:-------A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:f-i----:allow +> owner@:-wxp----------:-------:deny +> owner@:r------A-W-Co-:-------:allow +> group@:rw-p----------:-------:deny +> group@:--x-----------:-------:allow +> everyone@:r-x----A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:-------:allow + +# Test applying ACL to mode. +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 u:42:rwx:fi:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> drwxr-xr-x+ + +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr----x---+ + +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr---wx---+ + +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr--------+ + +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr--------+ + +# Test inheritance. +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd +$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd +$ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd +$ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd +$ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd +$ getfacl -qn ddd +> user:41:-w-----A------:f--n---:allow +> group:41:r-----a-------:-din---:allow +> user:42:-----------Co-:f-i----:allow +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-d-n---:deny +> group:43:-w---------C--:f-in---:deny +> user:43:rwxp----------:-------:allow +> owner@:--------------:-------:deny +> owner@:rwxp---A-W-Co-:-------:allow +> group@:-w-p----------:-------:deny +> group@:r-x-----------:-------:allow +> everyone@:-w-p---A-W-Co-:-------:deny +> everyone@:r-x---a-R-c--s:-------:allow + +$ cd ddd +$ touch xxx +$ getfacl -qn xxx +> user:41:-w------------:-------:deny +> user:41:-w-----A------:-------:allow +> user:42:--------------:-------:deny +> user:42:--------------:-------:allow +> user:42:--x-----------:-------:deny +> user:42:r-x-----------:-------:allow +> group:43:-w---------C--:-------:deny +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ rm xxx +$ umask 077 +$ touch xxx +$ getfacl -qn xxx +> user:41:-w------------:-------:deny +> user:41:-w-----A------:-------:allow +> user:42:--------------:-------:deny +> user:42:--------------:-------:allow +> user:42:r-x-----------:-------:deny +> user:42:r-x-----------:-------:allow +> group:43:-w---------C--:-------:deny +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:rwxp----------:-------:deny +> group@:--------------:-------:allow +> everyone@:rwxp---A-W-Co-:-------:deny +> everyone@:------a-R-c--s:-------:allow + +$ rm xxx +$ umask 770 +$ touch xxx +$ getfacl -qn xxx +> user:41:-w------------:-------:deny +> user:41:-w-----A------:-------:allow +> user:42:--------------:-------:deny +> user:42:--------------:-------:allow +> user:42:r-x-----------:-------:deny +> user:42:r-x-----------:-------:allow +> group:43:-w---------C--:-------:deny +> owner@:rwxp----------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:rwxp----------:-------:deny +> group@:--------------:-------:allow +> everyone@:--x----A-W-Co-:-------:deny +> everyone@:rw-p--a-R-c--s:-------:allow + +$ rm xxx +$ umask 707 +$ touch xxx +$ getfacl -qn xxx +> user:41:--------------:-------:deny +> user:41:-w-----A------:-------:allow +> user:42:--------------:-------:deny +> user:42:--------------:-------:allow +> user:42:--x-----------:-------:deny +> user:42:r-x-----------:-------:allow +> group:43:-w---------C--:-------:deny +> owner@:rwxp----------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:--x-----------:-------:deny +> group@:rw-p----------:-------:allow +> everyone@:rwxp---A-W-Co-:-------:deny +> everyone@:------a-R-c--s:-------:allow + +$ umask 077 +$ mkdir yyy +$ getfacl -qn yyy +> group:41:r-------------:-------:deny +> group:41:r-----a-------:-------:allow +> user:42:-----------Co-:f-i----:allow +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-------:deny +> owner@:--------------:-------:deny +> owner@:rwxp---A-W-Co-:-------:allow +> group@:rwxp----------:-------:deny +> group@:--------------:-------:allow +> everyone@:rwxp---A-W-Co-:-------:deny +> everyone@:------a-R-c--s:-------:allow + +$ rmdir yyy +$ umask 770 +$ mkdir yyy +$ getfacl -qn yyy +> group:41:r-------------:-------:deny +> group:41:r-----a-------:-------:allow +> user:42:-----------Co-:f-i----:allow +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-------:deny +> owner@:rwxp----------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:rwxp----------:-------:deny +> group@:--------------:-------:allow +> everyone@:-------A-W-Co-:-------:deny +> everyone@:rwxp--a-R-c--s:-------:allow + +$ rmdir yyy +$ umask 707 +$ mkdir yyy +$ getfacl -qn yyy +> group:41:--------------:-------:deny +> group:41:------a-------:-------:allow +> user:42:-----------Co-:f-i----:allow +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-------:deny +> owner@:rwxp----------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:--------------:-------:deny +> group@:rwxp----------:-------:allow +> everyone@:rwxp---A-W-Co-:-------:deny +> everyone@:------a-R-c--s:-------:allow + +# There is some complication regarding how write_acl and write_owner flags +# get inherited. Make sure we got it right. +$ setfacl -b . +$ setfacl -a0 u:42:Co:f:allow . +$ setfacl -a0 u:43:Co:d:allow . +$ setfacl -a0 u:44:Co:fd:allow . +$ setfacl -a0 u:45:Co:fi:allow . +$ setfacl -a0 u:46:Co:di:allow . +$ setfacl -a0 u:47:Co:fdi:allow . +$ setfacl -a0 u:48:Co:fn:allow . +$ setfacl -a0 u:49:Co:dn:allow . +$ setfacl -a0 u:50:Co:fdn:allow . +$ setfacl -a0 u:51:Co:fni:allow . +$ setfacl -a0 u:52:Co:dni:allow . +$ setfacl -a0 u:53:Co:fdni:allow . +$ umask 022 +$ rm xxx +$ touch xxx +$ getfacl -nq xxx +> user:53:--------------:-------:deny +> user:53:--------------:-------:allow +> user:51:--------------:-------:deny +> user:51:--------------:-------:allow +> user:50:--------------:-------:deny +> user:50:--------------:-------:allow +> user:48:--------------:-------:deny +> user:48:--------------:-------:allow +> user:47:--------------:-------:deny +> user:47:--------------:-------:allow +> user:45:--------------:-------:deny +> user:45:--------------:-------:allow +> user:44:--------------:-------:deny +> user:44:--------------:-------:allow +> user:42:--------------:-------:deny +> user:42:--------------:-------:allow +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ rmdir yyy +$ mkdir yyy +$ getfacl -nq yyy +> user:53:--------------:-------:deny +> user:53:--------------:-------:allow +> user:52:--------------:-------:deny +> user:52:--------------:-------:allow +> user:50:--------------:-------:deny +> user:50:--------------:-------:allow +> user:49:--------------:-------:deny +> user:49:--------------:-------:allow +> user:47:-----------Co-:fdi----:allow +> user:47:--------------:-------:deny +> user:47:--------------:-------:allow +> user:46:-----------Co-:-di----:allow +> user:46:--------------:-------:deny +> user:46:--------------:-------:allow +> user:45:-----------Co-:f-i----:allow +> user:44:-----------Co-:fdi----:allow +> user:44:--------------:-------:deny +> user:44:--------------:-------:allow +> user:43:-----------Co-:-di----:allow +> user:43:--------------:-------:deny +> user:43:--------------:-------:allow +> user:42:-----------Co-:f-i----:allow +> owner@:--------------:-------:deny +> owner@:rwxp---A-W-Co-:-------:allow +> group@:-w-p----------:-------:deny +> group@:r-x-----------:-------:allow +> everyone@:-w-p---A-W-Co-:-------:deny +> everyone@:r-x---a-R-c--s:-------:allow + +$ setfacl -b . +$ setfacl -a0 u:42:Co:f:deny . +$ setfacl -a0 u:43:Co:d:deny . +$ setfacl -a0 u:44:Co:fd:deny . +$ setfacl -a0 u:45:Co:fi:deny . +$ setfacl -a0 u:46:Co:di:deny . +$ setfacl -a0 u:47:Co:fdi:deny . +$ setfacl -a0 u:48:Co:fn:deny . +$ setfacl -a0 u:49:Co:dn:deny . +$ setfacl -a0 u:50:Co:fdn:deny . +$ setfacl -a0 u:51:Co:fni:deny . +$ setfacl -a0 u:52:Co:dni:deny . +$ setfacl -a0 u:53:Co:fdni:deny . +$ umask 022 +$ rm xxx +$ touch xxx +$ getfacl -nq xxx +> user:53:-----------Co-:-------:deny +> user:51:-----------Co-:-------:deny +> user:50:-----------Co-:-------:deny +> user:48:-----------Co-:-------:deny +> user:47:-----------Co-:-------:deny +> user:45:-----------Co-:-------:deny +> user:44:-----------Co-:-------:deny +> user:42:-----------Co-:-------:deny +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ rmdir yyy +$ mkdir yyy +$ getfacl -nq yyy +> user:53:-----------Co-:-------:deny +> user:52:-----------Co-:-------:deny +> user:50:-----------Co-:-------:deny +> user:49:-----------Co-:-------:deny +> user:47:-----------Co-:fdi----:deny +> user:47:-----------Co-:-------:deny +> user:46:-----------Co-:-di----:deny +> user:46:-----------Co-:-------:deny +> user:45:-----------Co-:f-i----:deny +> user:44:-----------Co-:fdi----:deny +> user:44:-----------Co-:-------:deny +> user:43:-----------Co-:-di----:deny +> user:43:-----------Co-:-------:deny +> user:42:-----------Co-:f-i----:deny +> owner@:--------------:-------:deny +> owner@:rwxp---A-W-Co-:-------:allow +> group@:-w-p----------:-------:deny +> group@:r-x-----------:-------:allow +> everyone@:-w-p---A-W-Co-:-------:deny +> everyone@:r-x---a-R-c--s:-------:allow + +$ rmdir yyy +$ rm xxx +$ cd .. +$ rmdir ddd + +$ rm xxx + diff --git a/tests/sys/acl/tools-posix.test b/tests/sys/acl/tools-posix.test new file mode 100644 index 000000000..4741db383 --- /dev/null +++ b/tests/sys/acl/tools-posix.test @@ -0,0 +1,453 @@ +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# This is a tools-level test for POSIX.1e ACL functionality. Run it as root +# using ACL-enabled kernel: +# +# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-posix.test +# +# WARNING: Creates files in unsafe way. + +$ whoami +> root +$ umask 022 + +# Smoke test for getfacl(1). +$ touch xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> group::r-- +> other::r-- + +$ getfacl -q xxx +> user::rw- +> group::r-- +> other::r-- + +$ setfacl -m u:42:r,g:43:w xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> user:42:r-- +> group::r-- +> group:43:-w- +> mask::rw- +> other::r-- + +# Check whether ls correctly marks files with "+". +$ ls -l xxx | cut -d' ' -f1 +> -rw-rw-r--+ + +# Same as above, but for symlinks. +$ ln -s xxx lll +$ getfacl -h lll +> # file: lll +> # owner: root +> # group: wheel +> user::rwx +> group::r-x +> other::r-x + +$ getfacl -qh lll +> user::rwx +> group::r-x +> other::r-x + +$ getfacl -q lll +> user::rw- +> user:42:r-- +> group::r-- +> group:43:-w- +> mask::rw- +> other::r-- + +$ setfacl -hm u:44:x,g:45:w lll +$ getfacl -h lll +> # file: lll +> # owner: root +> # group: wheel +> user::rwx +> user:44:--x +> group::r-x +> group:45:-w- +> mask::rwx +> other::r-x + +$ ls -l lll | cut -d' ' -f1 +> lrwxrwxr-x+ + +# Check whether the original file is left untouched. +$ ls -l xxx | cut -d' ' -f1 +> -rw-rw-r--+ + +$ rm lll + +# Test removing entries. +$ setfacl -x user:42: xxx +$ getfacl xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> group::r-- +> group:43:-w- +> mask::rw- +> other::r-- + +$ setfacl -m u:42:r xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> user:42:r-- +> group::r-- +> group:43:-w- +> mask::rw- +> other::r-- + +# Test removing entries by number. +$ setfacl -x 1 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> group::r-- +> group:43:-w- +> mask::rw- +> other::r-- + +$ setfacl -m g:43:r xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> group::r-- +> group:43:r-- +> mask::r-- +> other::r-- + +# Make sure cp without any flags does not copy the ACL. +$ cp xxx yyy +$ ls -l yyy | cut -d' ' -f1 +> -rw-r--r-- + +# Make sure it does with the "-p" flag. +$ rm yyy +$ cp -p xxx yyy +$ getfacl -n yyy +> # file: yyy +> # owner: root +> # group: wheel +> user::rw- +> group::r-- +> group:43:r-- +> mask::r-- +> other::r-- + +$ rm yyy + +# Test removing entries by... by example? +$ setfacl -m u:42:r,g:43:w xxx +$ setfacl -x u:42: xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> group::r-- +> group:43:-w- +> mask::rw- +> other::r-- + +# Test setfacl -b. +$ setfacl -b xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> group::r-- +> mask::r-- +> other::r-- + +$ ls -l xxx | cut -d' ' -f1 +> -rw-r--r--+ + +$ setfacl -nb xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> group::r-- +> other::r-- + +$ ls -l xxx | cut -d' ' -f1 +> -rw-r--r-- + +# Check setfacl(1) and getfacl(1) with multiple files. +$ touch xxx yyy zzz + +$ ls -l xxx yyy zzz | cut -d' ' -f1 +> -rw-r--r-- +> -rw-r--r-- +> -rw-r--r-- + +$ setfacl -m u:42:x,g:43:w nnn xxx yyy zzz +> setfacl: nnn: stat() failed: No such file or directory + +$ ls -l nnn xxx yyy zzz | cut -d' ' -f1 +> ls: nnn: No such file or directory +> -rw-rwxr--+ +> -rw-rwxr--+ +> -rw-rwxr--+ + +$ getfacl -nq nnn xxx yyy zzz +> getfacl: nnn: stat() failed: No such file or directory +> user::rw- +> user:42:--x +> group::r-- +> group:43:-w- +> mask::rwx +> other::r-- +> +> user::rw- +> user:42:--x +> group::r-- +> group:43:-w- +> mask::rwx +> other::r-- +> +> user::rw- +> user:42:--x +> group::r-- +> group:43:-w- +> mask::rwx +> other::r-- + +$ setfacl -b nnn xxx yyy zzz +> setfacl: nnn: stat() failed: No such file or directory + +$ ls -l nnn xxx yyy zzz | cut -d' ' -f1 +> ls: nnn: No such file or directory +> -rw-r--r--+ +> -rw-r--r--+ +> -rw-r--r--+ + +$ setfacl -bn nnn xxx yyy zzz +> setfacl: nnn: stat() failed: No such file or directory + +$ ls -l nnn xxx yyy zzz | cut -d' ' -f1 +> ls: nnn: No such file or directory +> -rw-r--r-- +> -rw-r--r-- +> -rw-r--r-- + +$ rm xxx yyy zzz + +# Check whether chmod actually does what it should do. +$ touch xxx +$ setfacl -m u:42:rwx,g:43:rwx xxx +$ chmod 600 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> user:42:rwx # effective: --- +> group::r-- # effective: --- +> group:43:rwx # effective: --- +> mask::--- +> other::--- + +$ chmod 060 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::--- +> user:42:rwx # effective: rw- +> group::r-- +> group:43:rwx # effective: rw- +> mask::rw- +> other::--- + +# Test default ACLs. +$ umask 022 +$ mkdir ddd +$ getfacl -qn ddd +> user::rwx +> group::r-x +> other::r-x + +$ ls -l | grep ddd | cut -d' ' -f1 +> drwxr-xr-x + +$ getfacl -dq ddd +$ setfacl -dm u::rwx,g::rx,o::rx,mask::rwx ddd +$ getfacl -dqn ddd +> user::rwx +> group::r-x +> mask::rwx +> other::r-x + +# No change - ls(1) output doesn't take into account default ACLs. +$ ls -l | grep ddd | cut -d' ' -f1 +> drwxr-xr-x + +$ setfacl -dm g:42:rwx,u:42:r ddd +$ setfacl -dm g::w ddd +$ getfacl -dqn ddd +> user::rwx +> user:42:r-- +> group::-w- +> group:42:rwx +> mask::rwx +> other::r-x + +$ setfacl -dx group:42: ddd +$ getfacl -dqn ddd +> user::rwx +> user:42:r-- +> group::-w- +> mask::rw- +> other::r-x + +$ ls -l | grep ddd | cut -d' ' -f1 +> drwxr-xr-x + +$ rmdir ddd +$ rm xxx + +# Test inheritance. +$ mkdir ddd + +$ touch ddd/xxx +$ getfacl -q ddd/xxx +> user::rw- +> group::r-- +> other::r-- + +$ mkdir ddd/ddd +$ getfacl -q ddd/ddd +> user::rwx +> group::r-x +> other::r-x + +$ rmdir ddd/ddd +$ rm ddd/xxx + +$ setfacl -dm u::rwx,g::rx,o::rx,mask::rwx ddd +$ setfacl -dm g:42:rwx,u:43:r ddd +$ getfacl -dq ddd +> user::rwx +> user:43:r-- +> group::r-x +> group:42:rwx +> mask::rwx +> other::r-x + +$ touch ddd/xxx +$ getfacl -q ddd/xxx +> user::rw- +> user:43:r-- +> group::r-x # effective: r-- +> group:42:rwx # effective: r-- +> mask::r-- +> other::r-- + +$ mkdir ddd/ddd +$ getfacl -q ddd/ddd +> user::rwx +> user:43:r-- +> group::r-x +> group:42:rwx # effective: r-x +> mask::r-x +> other::r-x + +$ rmdir ddd/ddd +$ rm ddd/xxx +$ rmdir ddd + +# Test if we deal properly with fifos. +$ mkfifo fff +$ ls -l fff | cut -d' ' -f1 +> prw-r--r-- + +$ setfacl -m u:42:r,g:43:w fff +$ getfacl fff +> # file: fff +> # owner: root +> # group: wheel +> user::rw- +> user:42:r-- +> group::r-- +> group:43:-w- +> mask::rw- +> other::r-- + +$ ls -l fff | cut -d' ' -f1 +> prw-rw-r--+ + +$ setfacl -bn fff +$ getfacl fff +> # file: fff +> # owner: root +> # group: wheel +> user::rw- +> group::r-- +> other::r-- + +$ ls -l fff | cut -d' ' -f1 +> prw-r--r-- + +$ rm fff + +# Test if we deal properly with device files. +$ mknod bbb b 1 1 +$ setfacl -m u:42:r,g:43:w bbb +> setfacl: bbb: acl_get_file() failed: Operation not supported +$ ls -l bbb | cut -d' ' -f1 +> brw-r--r-- + +$ rm bbb + +$ mknod ccc c 1 1 +$ setfacl -m u:42:r,g:43:w ccc +> setfacl: ccc: acl_get_file() failed: Operation not supported +$ ls -l ccc | cut -d' ' -f1 +> crw-r--r-- + +$ rm ccc -- 2.45.0