140a8ac8fSEnji Cooper#!/bin/sh 2*3416500aSEnji Cooper# vim: filetype=sh noexpandtab ts=8 sw=8 340a8ac8fSEnji Cooper# $FreeBSD: head/tools/regression/pjdfstest/tests/granular/02.t 211352 2010-08-15 21:24:17Z pjd $ 440a8ac8fSEnji Cooper 540a8ac8fSEnji Cooperdesc="NFSv4 granular permissions checking - ACL_READ_ACL and ACL_WRITE_ACL" 640a8ac8fSEnji Cooper 740a8ac8fSEnji Cooperdir=`dirname $0` 840a8ac8fSEnji Cooper. ${dir}/../misc.sh 940a8ac8fSEnji Cooper 1040a8ac8fSEnji Cooper[ "${os}:${fs}" = "FreeBSD:ZFS" ] || quick_exit 1140a8ac8fSEnji Cooper 1240a8ac8fSEnji Cooperecho "1..83" 1340a8ac8fSEnji Cooper 1440a8ac8fSEnji Coopern0=`namegen` 1540a8ac8fSEnji Coopern1=`namegen` 1640a8ac8fSEnji Coopern2=`namegen` 1740a8ac8fSEnji Cooper 1840a8ac8fSEnji Cooperexpect 0 mkdir ${n2} 0755 1940a8ac8fSEnji Coopercdir=`pwd` 2040a8ac8fSEnji Coopercd ${n2} 2140a8ac8fSEnji Cooper 2240a8ac8fSEnji Cooper# Check whether user 65534 is permitted to read ACL. 2340a8ac8fSEnji Cooperexpect 0 create ${n0} 0644 2440a8ac8fSEnji Cooperexpect 0 readacl ${n0} 2540a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 readacl ${n0} 2640a8ac8fSEnji Cooperexpect 0 prependacl ${n0} user:65534:read_acl::deny 2740a8ac8fSEnji Cooperexpect 0 readacl ${n0} 2840a8ac8fSEnji Cooperexpect EACCES -u 65534 -g 65534 readacl ${n0} 2940a8ac8fSEnji Cooperexpect 0 prependacl ${n0} user:65534:read_acl::allow 3040a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 readacl ${n0} 3140a8ac8fSEnji Cooperexpect 0 readacl ${n0} 3240a8ac8fSEnji Cooperexpect 0 unlink ${n0} 3340a8ac8fSEnji Cooper 3440a8ac8fSEnji Cooper# Check whether user 65534 is permitted to write ACL. 3540a8ac8fSEnji Cooperexpect 0 create ${n0} 0644 3640a8ac8fSEnji Cooperexpect EPERM -u 65534 -g 65534 prependacl ${n0} user:65534:read_data::allow 3740a8ac8fSEnji Cooperexpect 0 prependacl ${n0} user:65534:write_acl::allow 3840a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_data::allow 3940a8ac8fSEnji Cooperexpect 0 unlink ${n0} 4040a8ac8fSEnji Cooper 4140a8ac8fSEnji Cooper# Check whether user 65534 is permitted to write mode. 4240a8ac8fSEnji Cooperexpect 0 create ${n0} 0755 4340a8ac8fSEnji Cooperexpect EPERM -u 65534 -g 65534 chmod ${n0} 0777 4440a8ac8fSEnji Cooperexpect 0 prependacl ${n0} user:65534:write_acl::allow 4540a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 chmod ${n0} 0777 4640a8ac8fSEnji Cooperexpect 0 unlink ${n0} 4740a8ac8fSEnji Cooper 4840a8ac8fSEnji Cooper# There is an interesting problem with interaction between ACL_WRITE_ACL 4940a8ac8fSEnji Cooper# and SUID/SGID bits. In case user does have ACL_WRITE_ACL, but is not 5040a8ac8fSEnji Cooper# a file owner, Solaris does the following: 5140a8ac8fSEnji Cooper# 1. Setting SUID fails with EPERM. 5240a8ac8fSEnji Cooper# 2. Setting SGID succeeds, but mode is not changed. 5340a8ac8fSEnji Cooper# 3. Modifying ACL does not clear SUID nor SGID bits. 5440a8ac8fSEnji Cooper# 4. Writing the file does clear both SUID and SGID bits. 5540a8ac8fSEnji Cooper# 5640a8ac8fSEnji Cooper# What we are doing is the following: 5740a8ac8fSEnji Cooper# 1. Setting SUID or SGID fails with EPERM. 5840a8ac8fSEnji Cooper# 2. Modifying ACL does not clear SUID nor SGID bits. 5940a8ac8fSEnji Cooper# 3. Writing the file does clear both SUID and SGID bits. 6040a8ac8fSEnji Cooper# 6140a8ac8fSEnji Cooper# Check whether user 65534 is denied to write mode with SUID bit. 6240a8ac8fSEnji Cooperexpect 0 create ${n0} 0755 6340a8ac8fSEnji Cooperexpect EPERM -u 65534 -g 65534 chmod ${n0} 04777 6440a8ac8fSEnji Cooperexpect 0 prependacl ${n0} user:65534:write_acl::allow 6540a8ac8fSEnji Cooperexpect EPERM -u 65534 -g 65534 chmod ${n0} 04777 6640a8ac8fSEnji Cooperexpect 0 unlink ${n0} 6740a8ac8fSEnji Cooper 6840a8ac8fSEnji Cooper# Check whether user 65534 is denied to write mode with SGID bit. 6940a8ac8fSEnji Cooperexpect 0 create ${n0} 0755 7040a8ac8fSEnji Cooperexpect EPERM -u 65534 -g 65534 chmod ${n0} 02777 7140a8ac8fSEnji Cooperexpect 0 prependacl ${n0} user:65534:write_acl::allow 7240a8ac8fSEnji Cooperexpect EPERM -u 65534 -g 65534 chmod ${n0} 02777 7340a8ac8fSEnji Cooperexpect 0 unlink ${n0} 7440a8ac8fSEnji Cooper 7540a8ac8fSEnji Cooper# Check whether user 65534 is allowed to write mode with sticky bit. 7640a8ac8fSEnji Cooperexpect 0 mkdir ${n0} 0755 7740a8ac8fSEnji Cooperexpect EPERM -u 65534 -g 65534 chmod ${n0} 01777 7840a8ac8fSEnji Cooperexpect 0 prependacl ${n0} user:65534:write_acl::allow 7940a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 chmod ${n0} 01777 8040a8ac8fSEnji Cooperexpect 0 rmdir ${n0} 8140a8ac8fSEnji Cooper 8240a8ac8fSEnji Cooper# Check whether modifying the ACL by not-owner preserves the SUID. 8340a8ac8fSEnji Cooperexpect 0 create ${n0} 04755 8440a8ac8fSEnji Cooperexpect 0 prependacl ${n0} user:65534:write_acl::allow 8540a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow 8640a8ac8fSEnji Cooperexpect 04755 stat ${n0} mode 8740a8ac8fSEnji Cooperexpect 0 unlink ${n0} 8840a8ac8fSEnji Cooper 8940a8ac8fSEnji Cooper# Check whether modifying the ACL by not-owner preserves the SGID. 9040a8ac8fSEnji Cooperexpect 0 create ${n0} 02755 9140a8ac8fSEnji Cooperexpect 0 prependacl ${n0} user:65534:write_acl::allow 9240a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow 9340a8ac8fSEnji Cooperexpect 02755 stat ${n0} mode 9440a8ac8fSEnji Cooperexpect 0 unlink ${n0} 9540a8ac8fSEnji Cooper 9640a8ac8fSEnji Cooper# Check whether modifying the ACL by not-owner preserves the sticky bit. 9740a8ac8fSEnji Cooperexpect 0 mkdir ${n0} 0755 9840a8ac8fSEnji Cooperexpect 0 chmod ${n0} 01755 9940a8ac8fSEnji Cooperexpect 0 prependacl ${n0} user:65534:write_acl::allow 10040a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow 10140a8ac8fSEnji Cooperexpect 01755 stat ${n0} mode 10240a8ac8fSEnji Cooperexpect 0 rmdir ${n0} 10340a8ac8fSEnji Cooper 10440a8ac8fSEnji Cooper# Clearing the SUID and SGID bits when being written to by non-owner 10540a8ac8fSEnji Cooper# is checked in chmod/12.t. 10640a8ac8fSEnji Cooper 10740a8ac8fSEnji Cooper# Check whether the file owner is always permitted to get and set 10840a8ac8fSEnji Cooper# ACL and file mode, even if ACL_{READ,WRITE}_ACL would deny it. 10940a8ac8fSEnji Cooperexpect 0 chmod . 0777 11040a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 create ${n0} 0600 11140a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_acl::deny 11240a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_acl::deny 11340a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 readacl ${n0} 11440a8ac8fSEnji Cooperexpect 0600 -u 65534 -g 65534 stat ${n0} mode 11540a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 chmod ${n0} 0777 11640a8ac8fSEnji Cooperexpect 0 unlink ${n0} 11740a8ac8fSEnji Cooper 11840a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 mkdir ${n0} 0600 11940a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_acl::deny 12040a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_acl::deny 12140a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 readacl ${n0} 12240a8ac8fSEnji Cooperexpect 0600 -u 65534 -g 65534 stat ${n0} mode 12340a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 chmod ${n0} 0777 12440a8ac8fSEnji Cooperexpect 0 rmdir ${n0} 12540a8ac8fSEnji Cooper 12640a8ac8fSEnji Cooper# Check whether the root is allowed for these as well. 12740a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 create ${n0} 0600 12840a8ac8fSEnji Cooperexpect 0 prependacl ${n0} everyone@:write_acl::deny 12940a8ac8fSEnji Cooperexpect 0 prependacl ${n0} everyone@:read_acl::deny 13040a8ac8fSEnji Cooperexpect 0 readacl ${n0} 13140a8ac8fSEnji Cooperexpect 0600 stat ${n0} mode 13240a8ac8fSEnji Cooperexpect 0 chmod ${n0} 0777 13340a8ac8fSEnji Cooperexpect 0 unlink ${n0} 13440a8ac8fSEnji Cooper 13540a8ac8fSEnji Cooperexpect 0 -u 65534 -g 65534 mkdir ${n0} 0600 13640a8ac8fSEnji Cooperexpect 0 prependacl ${n0} everyone@:write_acl::deny 13740a8ac8fSEnji Cooperexpect 0 prependacl ${n0} everyone@:read_acl::deny 13840a8ac8fSEnji Cooperexpect 0600 stat ${n0} mode 13940a8ac8fSEnji Cooperexpect 0 readacl ${n0} 14040a8ac8fSEnji Cooperexpect 0600 stat ${n0} mode 14140a8ac8fSEnji Cooperexpect 0 chmod ${n0} 0777 14240a8ac8fSEnji Cooperexpect 0 rmdir ${n0} 14340a8ac8fSEnji Cooper 14440a8ac8fSEnji Coopercd ${cdir} 14540a8ac8fSEnji Cooperexpect 0 rmdir ${n2} 146