xref: /freebsd/contrib/pjdfstest/tests/granular/02.t (revision 2e3507c25e42292b45a5482e116d278f5515d04d)
1#!/bin/sh
2# vim: filetype=sh noexpandtab ts=8 sw=8
3# $FreeBSD: head/tools/regression/pjdfstest/tests/granular/02.t 211352 2010-08-15 21:24:17Z pjd $
4
5desc="NFSv4 granular permissions checking - ACL_READ_ACL and ACL_WRITE_ACL"
6
7dir=`dirname $0`
8. ${dir}/../misc.sh
9
10[ "${os}:${fs}" = "FreeBSD:ZFS" ] || quick_exit
11
12echo "1..83"
13
14n0=`namegen`
15n1=`namegen`
16n2=`namegen`
17
18expect 0 mkdir ${n2} 0755
19cdir=`pwd`
20cd ${n2}
21
22# Check whether user 65534 is permitted to read ACL.
23expect 0 create ${n0} 0644
24expect 0 readacl ${n0}
25expect 0 -u 65534 -g 65534 readacl ${n0}
26expect 0 prependacl ${n0} user:65534:read_acl::deny
27expect 0 readacl ${n0}
28expect EACCES -u 65534 -g 65534 readacl ${n0}
29expect 0 prependacl ${n0} user:65534:read_acl::allow
30expect 0 -u 65534 -g 65534 readacl ${n0}
31expect 0 readacl ${n0}
32expect 0 unlink ${n0}
33
34# Check whether user 65534 is permitted to write ACL.
35expect 0 create ${n0} 0644
36expect EPERM -u 65534 -g 65534 prependacl ${n0} user:65534:read_data::allow
37expect 0 prependacl ${n0} user:65534:write_acl::allow
38expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_data::allow
39expect 0 unlink ${n0}
40
41# Check whether user 65534 is permitted to write mode.
42expect 0 create ${n0} 0755
43expect EPERM -u 65534 -g 65534 chmod ${n0} 0777
44expect 0 prependacl ${n0} user:65534:write_acl::allow
45expect 0 -u 65534 -g 65534 chmod ${n0} 0777
46expect 0 unlink ${n0}
47
48# There is an interesting problem with interaction between ACL_WRITE_ACL
49# and SUID/SGID bits.  In case user does have ACL_WRITE_ACL, but is not
50# a file owner, Solaris does the following:
51# 1. Setting SUID fails with EPERM.
52# 2. Setting SGID succeeds, but mode is not changed.
53# 3. Modifying ACL does not clear SUID nor SGID bits.
54# 4. Writing the file does clear both SUID and SGID bits.
55#
56# What we are doing is the following:
57# 1. Setting SUID or SGID fails with EPERM.
58# 2. Modifying ACL does not clear SUID nor SGID bits.
59# 3. Writing the file does clear both SUID and SGID bits.
60#
61# Check whether user 65534 is denied to write mode with SUID bit.
62expect 0 create ${n0} 0755
63expect EPERM -u 65534 -g 65534 chmod ${n0} 04777
64expect 0 prependacl ${n0} user:65534:write_acl::allow
65expect EPERM -u 65534 -g 65534 chmod ${n0} 04777
66expect 0 unlink ${n0}
67
68# Check whether user 65534 is denied to write mode with SGID bit.
69expect 0 create ${n0} 0755
70expect EPERM -u 65534 -g 65534 chmod ${n0} 02777
71expect 0 prependacl ${n0} user:65534:write_acl::allow
72expect EPERM -u 65534 -g 65534 chmod ${n0} 02777
73expect 0 unlink ${n0}
74
75# Check whether user 65534 is allowed to write mode with sticky bit.
76expect 0 mkdir ${n0} 0755
77expect EPERM -u 65534 -g 65534 chmod ${n0} 01777
78expect 0 prependacl ${n0} user:65534:write_acl::allow
79expect 0 -u 65534 -g 65534 chmod ${n0} 01777
80expect 0 rmdir ${n0}
81
82# Check whether modifying the ACL by not-owner preserves the SUID.
83expect 0 create ${n0} 04755
84expect 0 prependacl ${n0} user:65534:write_acl::allow
85expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow
86expect 04755 stat ${n0} mode
87expect 0 unlink ${n0}
88
89# Check whether modifying the ACL by not-owner preserves the SGID.
90expect 0 create ${n0} 02755
91expect 0 prependacl ${n0} user:65534:write_acl::allow
92expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow
93expect 02755 stat ${n0} mode
94expect 0 unlink ${n0}
95
96# Check whether modifying the ACL by not-owner preserves the sticky bit.
97expect 0 mkdir ${n0} 0755
98expect 0 chmod ${n0} 01755
99expect 0 prependacl ${n0} user:65534:write_acl::allow
100expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow
101expect 01755 stat ${n0} mode
102expect 0 rmdir ${n0}
103
104# Clearing the SUID and SGID bits when being written to by non-owner
105# is checked in chmod/12.t.
106
107# Check whether the file owner is always permitted to get and set
108# ACL and file mode, even if ACL_{READ,WRITE}_ACL would deny it.
109expect 0 chmod . 0777
110expect 0 -u 65534 -g 65534 create ${n0} 0600
111expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_acl::deny
112expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_acl::deny
113expect 0 -u 65534 -g 65534 readacl ${n0}
114expect 0600 -u 65534 -g 65534 stat ${n0} mode
115expect 0 -u 65534 -g 65534 chmod ${n0} 0777
116expect 0 unlink ${n0}
117
118expect 0 -u 65534 -g 65534 mkdir ${n0} 0600
119expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_acl::deny
120expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_acl::deny
121expect 0 -u 65534 -g 65534 readacl ${n0}
122expect 0600 -u 65534 -g 65534 stat ${n0} mode
123expect 0 -u 65534 -g 65534 chmod ${n0} 0777
124expect 0 rmdir ${n0}
125
126# Check whether the root is allowed for these as well.
127expect 0 -u 65534 -g 65534 create ${n0} 0600
128expect 0 prependacl ${n0} everyone@:write_acl::deny
129expect 0 prependacl ${n0} everyone@:read_acl::deny
130expect 0 readacl ${n0}
131expect 0600 stat ${n0} mode
132expect 0 chmod ${n0} 0777
133expect 0 unlink ${n0}
134
135expect 0 -u 65534 -g 65534 mkdir ${n0} 0600
136expect 0 prependacl ${n0} everyone@:write_acl::deny
137expect 0 prependacl ${n0} everyone@:read_acl::deny
138expect 0600 stat ${n0} mode
139expect 0 readacl ${n0}
140expect 0600 stat ${n0} mode
141expect 0 chmod ${n0} 0777
142expect 0 rmdir ${n0}
143
144cd ${cdir}
145expect 0 rmdir ${n2}
146