diff options
Diffstat (limited to 'contrib/pjdfstest/tests/granular/02.t')
| -rw-r--r-- | contrib/pjdfstest/tests/granular/02.t | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/contrib/pjdfstest/tests/granular/02.t b/contrib/pjdfstest/tests/granular/02.t new file mode 100644 index 0000000..32a318c --- /dev/null +++ b/contrib/pjdfstest/tests/granular/02.t @@ -0,0 +1,144 @@ +#!/bin/sh +# $FreeBSD: head/tools/regression/pjdfstest/tests/granular/02.t 211352 2010-08-15 21:24:17Z pjd $ + +desc="NFSv4 granular permissions checking - ACL_READ_ACL and ACL_WRITE_ACL" + +dir=`dirname $0` +. ${dir}/../misc.sh + +[ "${os}:${fs}" = "FreeBSD:ZFS" ] || quick_exit + +echo "1..83" + +n0=`namegen` +n1=`namegen` +n2=`namegen` + +expect 0 mkdir ${n2} 0755 +cdir=`pwd` +cd ${n2} + +# Check whether user 65534 is permitted to read ACL. +expect 0 create ${n0} 0644 +expect 0 readacl ${n0} +expect 0 -u 65534 -g 65534 readacl ${n0} +expect 0 prependacl ${n0} user:65534:read_acl::deny +expect 0 readacl ${n0} +expect EACCES -u 65534 -g 65534 readacl ${n0} +expect 0 prependacl ${n0} user:65534:read_acl::allow +expect 0 -u 65534 -g 65534 readacl ${n0} +expect 0 readacl ${n0} +expect 0 unlink ${n0} + +# Check whether user 65534 is permitted to write ACL. +expect 0 create ${n0} 0644 +expect EPERM -u 65534 -g 65534 prependacl ${n0} user:65534:read_data::allow +expect 0 prependacl ${n0} user:65534:write_acl::allow +expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_data::allow +expect 0 unlink ${n0} + +# Check whether user 65534 is permitted to write mode. +expect 0 create ${n0} 0755 +expect EPERM -u 65534 -g 65534 chmod ${n0} 0777 +expect 0 prependacl ${n0} user:65534:write_acl::allow +expect 0 -u 65534 -g 65534 chmod ${n0} 0777 +expect 0 unlink ${n0} + +# There is an interesting problem with interaction between ACL_WRITE_ACL +# and SUID/SGID bits. In case user does have ACL_WRITE_ACL, but is not +# a file owner, Solaris does the following: +# 1. Setting SUID fails with EPERM. +# 2. Setting SGID succeeds, but mode is not changed. +# 3. Modifying ACL does not clear SUID nor SGID bits. +# 4. Writing the file does clear both SUID and SGID bits. +# +# What we are doing is the following: +# 1. Setting SUID or SGID fails with EPERM. +# 2. Modifying ACL does not clear SUID nor SGID bits. +# 3. Writing the file does clear both SUID and SGID bits. +# +# Check whether user 65534 is denied to write mode with SUID bit. +expect 0 create ${n0} 0755 +expect EPERM -u 65534 -g 65534 chmod ${n0} 04777 +expect 0 prependacl ${n0} user:65534:write_acl::allow +expect EPERM -u 65534 -g 65534 chmod ${n0} 04777 +expect 0 unlink ${n0} + +# Check whether user 65534 is denied to write mode with SGID bit. +expect 0 create ${n0} 0755 +expect EPERM -u 65534 -g 65534 chmod ${n0} 02777 +expect 0 prependacl ${n0} user:65534:write_acl::allow +expect EPERM -u 65534 -g 65534 chmod ${n0} 02777 +expect 0 unlink ${n0} + +# Check whether user 65534 is allowed to write mode with sticky bit. +expect 0 mkdir ${n0} 0755 +expect EPERM -u 65534 -g 65534 chmod ${n0} 01777 +expect 0 prependacl ${n0} user:65534:write_acl::allow +expect 0 -u 65534 -g 65534 chmod ${n0} 01777 +expect 0 rmdir ${n0} + +# Check whether modifying the ACL by not-owner preserves the SUID. +expect 0 create ${n0} 04755 +expect 0 prependacl ${n0} user:65534:write_acl::allow +expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow +expect 04755 stat ${n0} mode +expect 0 unlink ${n0} + +# Check whether modifying the ACL by not-owner preserves the SGID. +expect 0 create ${n0} 02755 +expect 0 prependacl ${n0} user:65534:write_acl::allow +expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow +expect 02755 stat ${n0} mode +expect 0 unlink ${n0} + +# Check whether modifying the ACL by not-owner preserves the sticky bit. +expect 0 mkdir ${n0} 0755 +expect 0 chmod ${n0} 01755 +expect 0 prependacl ${n0} user:65534:write_acl::allow +expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow +expect 01755 stat ${n0} mode +expect 0 rmdir ${n0} + +# Clearing the SUID and SGID bits when being written to by non-owner +# is checked in chmod/12.t. + +# Check whether the file owner is always permitted to get and set +# ACL and file mode, even if ACL_{READ,WRITE}_ACL would deny it. +expect 0 chmod . 0777 +expect 0 -u 65534 -g 65534 create ${n0} 0600 +expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_acl::deny +expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_acl::deny +expect 0 -u 65534 -g 65534 readacl ${n0} +expect 0600 -u 65534 -g 65534 stat ${n0} mode +expect 0 -u 65534 -g 65534 chmod ${n0} 0777 +expect 0 unlink ${n0} + +expect 0 -u 65534 -g 65534 mkdir ${n0} 0600 +expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_acl::deny +expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_acl::deny +expect 0 -u 65534 -g 65534 readacl ${n0} +expect 0600 -u 65534 -g 65534 stat ${n0} mode +expect 0 -u 65534 -g 65534 chmod ${n0} 0777 +expect 0 rmdir ${n0} + +# Check whether the root is allowed for these as well. +expect 0 -u 65534 -g 65534 create ${n0} 0600 +expect 0 prependacl ${n0} everyone@:write_acl::deny +expect 0 prependacl ${n0} everyone@:read_acl::deny +expect 0 readacl ${n0} +expect 0600 stat ${n0} mode +expect 0 chmod ${n0} 0777 +expect 0 unlink ${n0} + +expect 0 -u 65534 -g 65534 mkdir ${n0} 0600 +expect 0 prependacl ${n0} everyone@:write_acl::deny +expect 0 prependacl ${n0} everyone@:read_acl::deny +expect 0600 stat ${n0} mode +expect 0 readacl ${n0} +expect 0600 stat ${n0} mode +expect 0 chmod ${n0} 0777 +expect 0 rmdir ${n0} + +cd ${cdir} +expect 0 rmdir ${n2} |
