1b3af24b4SEnji Cooper# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org> 2b3af24b4SEnji Cooper# 3b3af24b4SEnji Cooper# Redistribution and use in source and binary forms, with or without 4b3af24b4SEnji Cooper# modification, are permitted provided that the following conditions 5b3af24b4SEnji Cooper# are met: 6b3af24b4SEnji Cooper# 1. Redistributions of source code must retain the above copyright 7b3af24b4SEnji Cooper# notice, this list of conditions and the following disclaimer. 8b3af24b4SEnji Cooper# 2. Redistributions in binary form must reproduce the above copyright 9b3af24b4SEnji Cooper# notice, this list of conditions and the following disclaimer in the 10b3af24b4SEnji Cooper# documentation and/or other materials provided with the distribution. 11b3af24b4SEnji Cooper# 12b3af24b4SEnji Cooper# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 13b3af24b4SEnji Cooper# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 14b3af24b4SEnji Cooper# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 15b3af24b4SEnji Cooper# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 16b3af24b4SEnji Cooper# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 17b3af24b4SEnji Cooper# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 18b3af24b4SEnji Cooper# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 19b3af24b4SEnji Cooper# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 20b3af24b4SEnji Cooper# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 21b3af24b4SEnji Cooper# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 22b3af24b4SEnji Cooper# SUCH DAMAGE. 
#
#

# This is a tools-level test for NFSv4 ACL functionality with PSARC/2010/029
# semantics. Run it as root using an ACL-enabled kernel:
#
# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4-psarc.test
#
# In this file a "$" line is a command and the ">" lines that follow it are
# the output expected from that command.
#
# WARNING: Creates files in an unsafe way: running as root, it creates,
# modifies and removes the fixed names xxx, yyy, zzz and ddd in the current
# directory. Run it from an empty scratch directory that no other user can
# write to.

# The expected output below hard-codes owner root and group wheel.
$ whoami
> root
# The trivial ACLs expected below (owner rw, group r, everyone r) are what a
# new file gets under this mask.
$ umask 022

# Smoke test for getfacl(1).
# A freshly created file carries only the three trivial entries; write_acl (C)
# and write_owner (o) are granted to owner@ alone.
$ touch xxx
$ getfacl xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow

# -q leaves out the three "# file / # owner / # group" header lines.
$ getfacl -q xxx
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow

# Check verbose mode formatting.
# Set against the compact output above, this gives the letter for each long
# name: r read_data, w write_data, p append_data, a read_attributes,
# A write_attributes, R read_xattr, W write_xattr, c read_acl, C write_acl,
# o write_owner, s synchronize. The flags field is printed empty.
$ getfacl -v xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:read_data/write_data/append_data/read_attributes/write_attributes/read_xattr/write_xattr/read_acl/write_acl/write_owner/synchronize::allow
> group@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
> everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow

# Test setfacl -a.
# -a2 inserts the new entries at position 2 (counting from 0), i.e. right
# after the owner@ and group@ entries. write_acl is shown as "C" and read_acl
# as "c"; getfacl -n prints numeric ids.
$ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> user:0:-----------C--:-------:allow
> group:1:----------c---:-------:deny
> everyone@:r-----a-R-c--s:-------:allow

# Test user and group name resolving.
# The same two entries are given by name here; without -n, getfacl prints
# them as root and daemon.
$ rm xxx
$ touch xxx
$ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx
$ getfacl xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> user:root:-----------C--:-------:allow
> group:daemon:----------c---:-------:deny
> everyone@:r-----a-R-c--s:-------:allow

# Check whether ls correctly marks files with "+".
# The mode string itself is unchanged; the trailing "+" is the only sign in
# ls output that entries beyond the trivial three exist.
$ ls -l xxx | cut -d' ' -f1
> -rw-r--r--+

# Test removing entries by number.
# Index 1 is the group@ entry, which is missing from the output afterwards.
$ setfacl -x 1 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> user:0:-----------C--:-------:allow
> group:1:----------c---:-------:deny
> everyone@:r-----a-R-c--s:-------:allow

# Test setfacl -m.
# Three identical everyone@ deny entries are put at the top first. The single
# -m call then rewrites all three to the empty permission set, while the
# everyone@ allow entry at the bottom is left as it was.
$ setfacl -a0 everyone@:rwx:deny xxx
$ setfacl -a0 everyone@:rwx:deny xxx
$ setfacl -a0 everyone@:rwx:deny xxx
$ setfacl -m everyone@::deny xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> owner@:rw-p--aARWcCos:-------:allow
> user:0:-----------C--:-------:allow
> group:1:----------c---:-------:deny
> everyone@:r-----a-R-c--s:-------:allow

# Test getfacl -i.
# -i appends the numeric id as an extra trailing field on the named user and
# group entries; the owner@/group@/everyone@ entries get no such field.
$ getfacl -i xxx
> # file: xxx
> # owner: root
> # group: wheel
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> owner@:rw-p--aARWcCos:-------:allow
> user:root:-----------C--:-------:allow:0
> group:daemon:----------c---:-------:deny:1
> everyone@:r-----a-R-c--s:-------:allow

# Make sure cp without any flags does not copy the ACL.
# The copy shows no "+": none of the extra entries of xxx, including its deny
# entries, exist on yyy.
$ cp xxx yyy
$ ls -l yyy | cut -d' ' -f1
> -rw-r--r--

# Make sure it does with the "-p" flag.
# With -p the copy is expected to carry the same entries, in the same order,
# as xxx.
$ rm yyy
$ cp -p xxx yyy
$ getfacl -n yyy
> # file: yyy
> # owner: root
> # group: wheel
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> everyone@:--------------:-------:deny
> owner@:rw-p--aARWcCos:-------:allow
> user:0:-----------C--:-------:allow
> group:1:----------c---:-------:deny
> everyone@:r-----a-R-c--s:-------:allow

$ rm yyy

# Test removing entries by giving a matching entry instead of an index.
# One -x call removes all three empty everyone@ deny entries; the everyone@
# allow entry stays.
$ setfacl -x everyone@::deny xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> user:0:-----------C--:-------:allow
> group:1:----------c---:-------:deny
> everyone@:r-----a-R-c--s:-------:allow

# Test setfacl -b.
# -b leaves exactly the three trivial entries: the named user and group
# entries are gone and the group@ entry, removed by index earlier, is back.
$ setfacl -b xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow

# With only the trivial entries left, ls no longer prints the "+".
$ ls -l xxx | cut -d' ' -f1
> -rw-r--r--

# Check setfacl(1) and getfacl(1) with multiple files.
# xxx already exists at this point; yyy and zzz are created here.
$ touch xxx yyy zzz

$ ls -l xxx yyy zzz | cut -d' ' -f1
> -rw-r--r--
> -rw-r--r--
> -rw-r--r--

# nnn does not exist. setfacl is expected to report the error for nnn and
# still update the three files that follow it on the command line.
$ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz
> setfacl: nnn: acl_get_file() failed: No such file or directory

$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
> ls: nnn: No such file or directory
> -rw-r--r--+
> -rw-r--r--+
> -rw-r--r--+

# The two entries given to -m matched nothing, so they were added; they show
# up at the top of each ACL. An empty ">" line separates the files.
$ getfacl -nq nnn xxx yyy zzz
> getfacl: nnn: stat() failed: No such file or directory
> user:42:--x-----------:-------:allow
> group:43:-w------------:-------:allow
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
>
> user:42:--x-----------:-------:allow
> group:43:-w------------:-------:allow
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
>
> user:42:--x-----------:-------:allow
> group:43:-w------------:-------:allow
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow

# Same check for -b: the missing file is reported, the others are stripped.
$ setfacl -b nnn xxx yyy zzz
> setfacl: nnn: acl_get_file() failed: No such file or directory

# The "+" is gone from all three existing files after the setfacl -b above.
$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
> ls: nnn: No such file or directory
> -rw-r--r--
> -rw-r--r--
> -rw-r--r--

$ rm xxx yyy zzz

# Test applying mode to an ACL.
# In every case below chmod replaces the whole ACL: the user:42/43/44 entries
# added just before it, including the deny entry, are absent afterwards and
# only owner@/group@/everyone@ entries encoding the new mode remain.
$ touch xxx
$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx
$ chmod 600 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: root
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> group@:------a-R-c--s:-------:allow
> everyone@:------a-R-c--s:-------:allow

$ ls -l xxx | cut -d' ' -f1
> -rw-------

# Same with the file owned by uid 42, one of the users named in the ACL.
$ rm xxx
$ touch xxx
$ chown 42 xxx
$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
$ chmod 600 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: 42
> # group: wheel
> owner@:rw-p--aARWcCos:-------:allow
> group@:------a-R-c--s:-------:allow
> everyone@:------a-R-c--s:-------:allow
$ ls -l xxx | cut -d' ' -f1
> -rw-------

# Mode 124 gives the owner fewer bits than group and others. The expected ACL
# starts with owner@ and group@ deny entries, placed ahead of the allow
# entries for group@ and everyone@.
$ rm xxx
$ touch xxx
$ chown 43 xxx
$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
$ chmod 124 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: 43
> # group: wheel
> owner@:rw-p----------:-------:deny
> group@:r-------------:-------:deny
> owner@:--x---aARWcCos:-------:allow
> group@:-w-p--a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow
$ ls -l xxx | cut -d' ' -f1
> ---x-w-r--

# Mode 412: again deny entries for owner@ and group@ come first.
$ rm xxx
$ touch xxx
$ chown 43 xxx
$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
$ chmod 412 xxx
$ getfacl -n xxx
> # file: xxx
> # owner: 43
> # group: wheel
> owner@:-wxp----------:-------:deny
> group@:-w-p----------:-------:deny
> owner@:r-----aARWcCos:-------:allow
> group@:--x---a-R-c--s:-------:allow
> everyone@:-w-p--a-R-c--s:-------:allow
$ ls -l xxx | cut -d' ' -f1
> -r----x-w-

# Build a directory ACL with inheritance flags (second field: f, d, i) before
# applying a mode to it. delete_child is shown as "D".
$ mkdir ddd
$ setfacl -a0 group:44:rwapd:allow ddd
$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
$ getfacl -n ddd
> # file: ddd
> # owner: root
> # group: wheel
> user:42:r-x-----------:f-i----:allow
> group:42:-w--D---------:-d-----:allow
> group:43:-w--D---------:-d-----:deny
> group@:-----da-------:-------:allow
> group:44:rw-p-da-------:-------:allow
> owner@:rwxp--aARWcCos:-------:allow
> group@:r-x---a-R-c--s:-------:allow
> everyone@:-w-p--a-R-c--s:f-i----:allow

# chmod on the directory drops every entry listed above, the inheritable ones
# and the deny entry included; only the three trivial entries remain.
$ chmod 777 ddd
$ getfacl -n ddd
> # file: ddd
> # owner: root
> # group: wheel
> owner@:rwxp--aARWcCos:-------:allow
> group@:rwxp--a-R-c--s:-------:allow
> everyone@:rwxp--a-R-c--s:-------:allow

# Test applying ACL to mode.
# The mode string printed by ls is checked after each setfacl. In the cases
# below, entries for a named user or group and inherit-only (i) entries leave
# the mode bits untouched, so the "+" is the only hint in ls output that such
# entries exist.
$ rmdir ddd
$ mkdir ddd
$ setfacl -a0 u:42:rwx:fi:allow ddd
$ ls -ld ddd | cut -d' ' -f1
> drwxr-xr-x+

# group@ is denied w before it is allowed wx, so only x reaches the mode.
$ rmdir ddd
$ mkdir ddd
$ chmod 0 ddd
$ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd
$ ls -ld ddd | cut -d' ' -f1
> dr----x---+

# Here the deny entry carries the fi flags and the group keeps w in the mode.
$ rmdir ddd
$ mkdir ddd
$ chmod 0 ddd
$ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd
$ ls -ld ddd | cut -d' ' -f1
> dr---wx---+

# Entries for the named group 43 do not show up in the group bits.
$ rmdir ddd
$ mkdir ddd
$ chmod 0 ddd
$ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd
$ ls -ld ddd | cut -d' ' -f1
> dr--------+

# Neither do entries for the named user 43.
$ rmdir ddd
$ mkdir ddd
$ chmod 0 ddd
$ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd
$ ls -ld ddd | cut -d' ' -f1
> dr--------+

# Test inheritance.
# The parent directory gets entries with different combinations of the flags
# f (file_inherit), d (dir_inherit), i (inherit_only) and n (no_propagate).
$ rmdir ddd
$ mkdir ddd
$ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd
$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd
$ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd
$ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd
$ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd
$ getfacl -qn ddd
> user:41:-w-----A------:f--n---:allow
> group:41:r-----a-------:-din---:allow
> user:42:-----------Co-:f-i----:allow
> user:42:r-x-----------:f-i----:allow
> group:42:-w--D---------:-d-n---:deny
> group:43:-w---------C--:f-in---:deny
> user:43:rwxp----------:-------:allow
> owner@:rwxp--aARWcCos:-------:allow
> group@:r-x---a-R-c--s:-------:allow
> everyone@:r-x---a-R-c--s:-------:allow

# A file created inside ddd (umask is still 022 here) receives the entries
# that carry the f flag; each inherited entry is marked with the I flag.
$ cd ddd
$ touch xxx
$ getfacl -qn xxx
> user:41:--------------:------I:allow
> user:42:--------------:------I:allow
> user:42:r-------------:------I:allow
> group:43:-w---------C--:------I:deny
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow

# The same file is re-created under three more umasks. Compare user:41 and
# user:42 across the outputs: the permissions of the inherited allow entries
# change with the umask, while the inherited group:43 deny entry keeps "w"
# and "C" every time.
$ rm xxx
$ umask 077
$ touch xxx
$ getfacl -qn xxx
> user:41:--------------:------I:allow
> user:42:--------------:------I:allow
> user:42:--------------:------I:allow
> group:43:-w---------C--:------I:deny
> owner@:rw-p--aARWcCos:-------:allow
> group@:------a-R-c--s:-------:allow
> everyone@:------a-R-c--s:-------:allow

# umask 770 leaves bits only for "everyone"; deny entries for owner@ and
# group@ are expected ahead of the inherited entries.
$ rm xxx
$ umask 770
$ touch xxx
$ getfacl -qn xxx
> owner@:rw-p----------:-------:deny
> group@:rw-p----------:-------:deny
> user:41:--------------:------I:allow
> user:42:--------------:------I:allow
> user:42:--------------:------I:allow
> group:43:-w---------C--:------I:deny
> owner@:------aARWcCos:-------:allow
> group@:------a-R-c--s:-------:allow
> everyone@:rw-p--a-R-c--s:-------:allow

# umask 707 leaves bits only for the group; here user:41 keeps "w" and
# user:42 keeps "r".
$ rm xxx
$ umask 707
$ touch xxx
$ getfacl -qn xxx
> owner@:rw-p----------:-------:deny
> user:41:-w------------:------I:allow
> user:42:--------------:------I:allow
> user:42:r-------------:------I:allow
> group:43:-w---------C--:------I:deny
> owner@:------aARWcCos:-------:allow
> group@:rw-p--a-R-c--s:-------:allow
> everyone@:------a-R-c--s:-------:allow

# Same three umasks for a new subdirectory. The user:42 entries arrive as
# inherit-only (f-i) entries, still holding "Co" and "r-x", and the entries
# that had the n flag on ddd arrive without any inheritance flags.
$ umask 077
$ mkdir yyy
$ getfacl -qn yyy
> group:41:------a-------:------I:allow
> user:42:-----------Co-:f-i---I:allow
> user:42:r-x-----------:f-i---I:allow
> group:42:-w--D---------:------I:deny
> owner@:rwxp--aARWcCos:-------:allow
> group@:------a-R-c--s:-------:allow
> everyone@:------a-R-c--s:-------:allow

$ rmdir yyy
$ umask 770
$ mkdir yyy
$ getfacl -qn yyy
> owner@:rwxp----------:-------:deny
> group@:rwxp----------:-------:deny
> group:41:------a-------:------I:allow
> user:42:-----------Co-:f-i---I:allow
> user:42:r-x-----------:f-i---I:allow
> group:42:-w--D---------:------I:deny
> owner@:------aARWcCos:-------:allow
> group@:------a-R-c--s:-------:allow
> everyone@:rwxp--a-R-c--s:-------:allow

$ rmdir yyy
$ umask 707
$ mkdir yyy
$ getfacl -qn yyy
> owner@:rwxp----------:-------:deny
> group:41:r-----a-------:------I:allow
> user:42:-----------Co-:f-i---I:allow
> user:42:r-x-----------:f-i---I:allow
> group:42:-w--D---------:------I:deny
> owner@:------aARWcCos:-------:allow
> group@:rwxp--a-R-c--s:-------:allow
> everyone@:------a-R-c--s:-------:allow

# There is some complication regarding how the write_acl and write_owner
# permissions get inherited. Make sure we got it right.
# "." is ddd here. One allow entry granting "Co" (write_acl and write_owner)
# is added per flag combination, each for a different uid so that the results
# can be told apart.
$ setfacl -b .
$ setfacl -a0 u:42:Co:f:allow .
$ setfacl -a0 u:43:Co:d:allow .
$ setfacl -a0 u:44:Co:fd:allow .
$ setfacl -a0 u:45:Co:fi:allow .
$ setfacl -a0 u:46:Co:di:allow .
$ setfacl -a0 u:47:Co:fdi:allow .
$ setfacl -a0 u:48:Co:fn:allow .
$ setfacl -a0 u:49:Co:dn:allow .
$ setfacl -a0 u:50:Co:fdn:allow .
$ setfacl -a0 u:51:Co:fni:allow .
$ setfacl -a0 u:52:Co:dni:allow .
$ setfacl -a0 u:53:Co:fdni:allow .
475b3af24b4SEnji Cooper$ umask 022 476b3af24b4SEnji Cooper$ rm xxx 477b3af24b4SEnji Cooper$ touch xxx 478b3af24b4SEnji Cooper$ getfacl -nq xxx 479b3af24b4SEnji Cooper> user:53:--------------:------I:allow 480b3af24b4SEnji Cooper> user:51:--------------:------I:allow 481b3af24b4SEnji Cooper> user:50:--------------:------I:allow 482b3af24b4SEnji Cooper> user:48:--------------:------I:allow 483b3af24b4SEnji Cooper> user:47:--------------:------I:allow 484b3af24b4SEnji Cooper> user:45:--------------:------I:allow 485b3af24b4SEnji Cooper> user:44:--------------:------I:allow 486b3af24b4SEnji Cooper> user:42:--------------:------I:allow 487b3af24b4SEnji Cooper> owner@:rw-p--aARWcCos:-------:allow 488b3af24b4SEnji Cooper> group@:r-----a-R-c--s:-------:allow 489b3af24b4SEnji Cooper> everyone@:r-----a-R-c--s:-------:allow 490b3af24b4SEnji Cooper 491b3af24b4SEnji Cooper$ rmdir yyy 492b3af24b4SEnji Cooper$ mkdir yyy 493b3af24b4SEnji Cooper$ getfacl -nq yyy 494b3af24b4SEnji Cooper> user:53:--------------:------I:allow 495b3af24b4SEnji Cooper> user:52:--------------:------I:allow 496b3af24b4SEnji Cooper> user:50:--------------:------I:allow 497b3af24b4SEnji Cooper> user:49:--------------:------I:allow 498b3af24b4SEnji Cooper> user:47:--------------:fd----I:allow 499b3af24b4SEnji Cooper> user:46:--------------:-d----I:allow 500b3af24b4SEnji Cooper> user:45:-----------Co-:f-i---I:allow 501b3af24b4SEnji Cooper> user:44:--------------:fd----I:allow 502b3af24b4SEnji Cooper> user:43:--------------:-d----I:allow 503b3af24b4SEnji Cooper> user:42:-----------Co-:f-i---I:allow 504b3af24b4SEnji Cooper> owner@:rwxp--aARWcCos:-------:allow 505b3af24b4SEnji Cooper> group@:r-x---a-R-c--s:-------:allow 506b3af24b4SEnji Cooper> everyone@:r-x---a-R-c--s:-------:allow 507b3af24b4SEnji Cooper 508b3af24b4SEnji Cooper$ setfacl -b . 509b3af24b4SEnji Cooper$ setfacl -a0 u:42:Co:f:deny . 510b3af24b4SEnji Cooper$ setfacl -a0 u:43:Co:d:deny . 511b3af24b4SEnji Cooper$ setfacl -a0 u:44:Co:fd:deny . 
# Deny entries granting "Co" for uids 45 to 53, one per combination of the
# f, d, n and i flags.
$ setfacl -a0 u:45:Co:fi:deny .
$ setfacl -a0 u:46:Co:di:deny .
$ setfacl -a0 u:47:Co:fdi:deny .
$ setfacl -a0 u:48:Co:fn:deny .
$ setfacl -a0 u:49:Co:dn:deny .
$ setfacl -a0 u:50:Co:fdn:deny .
$ setfacl -a0 u:51:Co:fni:deny .
$ setfacl -a0 u:52:Co:dni:deny .
$ setfacl -a0 u:53:Co:fdni:deny .
# New file: every inherited deny entry is expected to keep "Co".
$ umask 022
$ rm xxx
$ touch xxx
$ getfacl -nq xxx
> user:53:-----------Co-:------I:deny
> user:51:-----------Co-:------I:deny
> user:50:-----------Co-:------I:deny
> user:48:-----------Co-:------I:deny
> user:47:-----------Co-:------I:deny
> user:45:-----------Co-:------I:deny
> user:44:-----------Co-:------I:deny
> user:42:-----------Co-:------I:deny
> owner@:rw-p--aARWcCos:-------:allow
> group@:r-----a-R-c--s:-------:allow
> everyone@:r-----a-R-c--s:-------:allow

# New directory: likewise, all ten inherited deny entries keep "Co".
$ rmdir yyy
$ mkdir yyy
$ getfacl -nq yyy
> user:53:-----------Co-:------I:deny
> user:52:-----------Co-:------I:deny
> user:50:-----------Co-:------I:deny
> user:49:-----------Co-:------I:deny
> user:47:-----------Co-:fd----I:deny
> user:46:-----------Co-:-d----I:deny
> user:45:-----------Co-:f-i---I:deny
> user:44:-----------Co-:fd----I:deny
> user:43:-----------Co-:-d----I:deny
> user:42:-----------Co-:f-i---I:deny
> owner@:rwxp--aARWcCos:-------:allow
> group@:r-x---a-R-c--s:-------:allow
> everyone@:r-x---a-R-c--s:-------:allow

# Clean up: the files inside ddd first, then ddd itself and the xxx that is
# still present in the starting directory.
$ rmdir yyy
$ rm xxx
$ cd ..
$ rmdir ddd
$ rm xxx

# Test basic recursive setting of ACLs.
# full_set is printed as all fourteen permission letters, write_acl (C) and
# write_owner (o) included. The f flag given for owner@ is expected on the
# two directories only, not on the regular files.
$ mkdir ddd
$ touch ddd/xxx
$ mkdir ddd/eee
$ touch ddd/eee/yyy
$ setfacl -R -m owner@:full_set:f:allow,group@:full_set::allow,everyone@:full_set::allow ddd
$ getfacl -q ddd
> owner@:rwxpDdaARWcCos:f------:allow
> group@:rwxpDdaARWcCos:-------:allow
> everyone@:rwxpDdaARWcCos:-------:allow
$ getfacl -q ddd/xxx
> owner@:rwxpDdaARWcCos:-------:allow
> group@:rwxpDdaARWcCos:-------:allow
> everyone@:rwxpDdaARWcCos:-------:allow
$ getfacl -q ddd/eee
> owner@:rwxpDdaARWcCos:f------:allow
> group@:rwxpDdaARWcCos:-------:allow
> everyone@:rwxpDdaARWcCos:-------:allow
$ getfacl -q ddd/eee/yyy
> owner@:rwxpDdaARWcCos:-------:allow
> group@:rwxpDdaARWcCos:-------:allow
> everyone@:rwxpDdaARWcCos:-------:allow

$ rm -r ddd