xref: /freebsd/contrib/pjdfstest/tests/granular/02.t (revision a0ee8cc636cd5c2374ec44ca71226564ea0bca95)
1#!/bin/sh
2# $FreeBSD: head/tools/regression/pjdfstest/tests/granular/02.t 211352 2010-08-15 21:24:17Z pjd $
3
4desc="NFSv4 granular permissions checking - ACL_READ_ACL and ACL_WRITE_ACL"
5
6dir=`dirname $0`
7. ${dir}/../misc.sh
8
9[ "${os}:${fs}" = "FreeBSD:ZFS" ] || quick_exit
10
11echo "1..83"
12
13n0=`namegen`
14n1=`namegen`
15n2=`namegen`
16
17expect 0 mkdir ${n2} 0755
18cdir=`pwd`
19cd ${n2}
20
21# Check whether user 65534 is permitted to read ACL.
22expect 0 create ${n0} 0644
23expect 0 readacl ${n0}
24expect 0 -u 65534 -g 65534 readacl ${n0}
25expect 0 prependacl ${n0} user:65534:read_acl::deny
26expect 0 readacl ${n0}
27expect EACCES -u 65534 -g 65534 readacl ${n0}
28expect 0 prependacl ${n0} user:65534:read_acl::allow
29expect 0 -u 65534 -g 65534 readacl ${n0}
30expect 0 readacl ${n0}
31expect 0 unlink ${n0}
32
33# Check whether user 65534 is permitted to write ACL.
34expect 0 create ${n0} 0644
35expect EPERM -u 65534 -g 65534 prependacl ${n0} user:65534:read_data::allow
36expect 0 prependacl ${n0} user:65534:write_acl::allow
37expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_data::allow
38expect 0 unlink ${n0}
39
40# Check whether user 65534 is permitted to write mode.
41expect 0 create ${n0} 0755
42expect EPERM -u 65534 -g 65534 chmod ${n0} 0777
43expect 0 prependacl ${n0} user:65534:write_acl::allow
44expect 0 -u 65534 -g 65534 chmod ${n0} 0777
45expect 0 unlink ${n0}
46
47# There is an interesting problem with interaction between ACL_WRITE_ACL
48# and SUID/SGID bits.  In case user does have ACL_WRITE_ACL, but is not
49# a file owner, Solaris does the following:
50# 1. Setting SUID fails with EPERM.
51# 2. Setting SGID succeeds, but mode is not changed.
52# 3. Modifying ACL does not clear SUID nor SGID bits.
53# 4. Writing the file does clear both SUID and SGID bits.
54#
55# What we are doing is the following:
56# 1. Setting SUID or SGID fails with EPERM.
57# 2. Modifying ACL does not clear SUID nor SGID bits.
58# 3. Writing the file does clear both SUID and SGID bits.
59#
60# Check whether user 65534 is denied to write mode with SUID bit.
61expect 0 create ${n0} 0755
62expect EPERM -u 65534 -g 65534 chmod ${n0} 04777
63expect 0 prependacl ${n0} user:65534:write_acl::allow
64expect EPERM -u 65534 -g 65534 chmod ${n0} 04777
65expect 0 unlink ${n0}
66
67# Check whether user 65534 is denied to write mode with SGID bit.
68expect 0 create ${n0} 0755
69expect EPERM -u 65534 -g 65534 chmod ${n0} 02777
70expect 0 prependacl ${n0} user:65534:write_acl::allow
71expect EPERM -u 65534 -g 65534 chmod ${n0} 02777
72expect 0 unlink ${n0}
73
74# Check whether user 65534 is allowed to write mode with sticky bit.
75expect 0 mkdir ${n0} 0755
76expect EPERM -u 65534 -g 65534 chmod ${n0} 01777
77expect 0 prependacl ${n0} user:65534:write_acl::allow
78expect 0 -u 65534 -g 65534 chmod ${n0} 01777
79expect 0 rmdir ${n0}
80
81# Check whether modifying the ACL by not-owner preserves the SUID.
82expect 0 create ${n0} 04755
83expect 0 prependacl ${n0} user:65534:write_acl::allow
84expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow
85expect 04755 stat ${n0} mode
86expect 0 unlink ${n0}
87
88# Check whether modifying the ACL by not-owner preserves the SGID.
89expect 0 create ${n0} 02755
90expect 0 prependacl ${n0} user:65534:write_acl::allow
91expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow
92expect 02755 stat ${n0} mode
93expect 0 unlink ${n0}
94
95# Check whether modifying the ACL by not-owner preserves the sticky bit.
96expect 0 mkdir ${n0} 0755
97expect 0 chmod ${n0} 01755
98expect 0 prependacl ${n0} user:65534:write_acl::allow
99expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow
100expect 01755 stat ${n0} mode
101expect 0 rmdir ${n0}
102
103# Clearing the SUID and SGID bits when being written to by non-owner
104# is checked in chmod/12.t.
105
106# Check whether the file owner is always permitted to get and set
107# ACL and file mode, even if ACL_{READ,WRITE}_ACL would deny it.
108expect 0 chmod . 0777
109expect 0 -u 65534 -g 65534 create ${n0} 0600
110expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_acl::deny
111expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_acl::deny
112expect 0 -u 65534 -g 65534 readacl ${n0}
113expect 0600 -u 65534 -g 65534 stat ${n0} mode
114expect 0 -u 65534 -g 65534 chmod ${n0} 0777
115expect 0 unlink ${n0}
116
117expect 0 -u 65534 -g 65534 mkdir ${n0} 0600
118expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_acl::deny
119expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_acl::deny
120expect 0 -u 65534 -g 65534 readacl ${n0}
121expect 0600 -u 65534 -g 65534 stat ${n0} mode
122expect 0 -u 65534 -g 65534 chmod ${n0} 0777
123expect 0 rmdir ${n0}
124
125# Check whether the root is allowed for these as well.
126expect 0 -u 65534 -g 65534 create ${n0} 0600
127expect 0 prependacl ${n0} everyone@:write_acl::deny
128expect 0 prependacl ${n0} everyone@:read_acl::deny
129expect 0 readacl ${n0}
130expect 0600 stat ${n0} mode
131expect 0 chmod ${n0} 0777
132expect 0 unlink ${n0}
133
134expect 0 -u 65534 -g 65534 mkdir ${n0} 0600
135expect 0 prependacl ${n0} everyone@:write_acl::deny
136expect 0 prependacl ${n0} everyone@:read_acl::deny
137expect 0600 stat ${n0} mode
138expect 0 readacl ${n0}
139expect 0600 stat ${n0} mode
140expect 0 chmod ${n0} 0777
141expect 0 rmdir ${n0}
142
143cd ${cdir}
144expect 0 rmdir ${n2}
145