1d583b39bSJohn Wren Kennedy#!/bin/ksh -p
2d583b39bSJohn Wren Kennedy#
3d583b39bSJohn Wren Kennedy# CDDL HEADER START
4d583b39bSJohn Wren Kennedy#
5d583b39bSJohn Wren Kennedy# The contents of this file are subject to the terms of the
6d583b39bSJohn Wren Kennedy# Common Development and Distribution License (the "License").
7d583b39bSJohn Wren Kennedy# You may not use this file except in compliance with the License.
8d583b39bSJohn Wren Kennedy#
9d583b39bSJohn Wren Kennedy# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10d583b39bSJohn Wren Kennedy# or http://www.opensolaris.org/os/licensing.
11d583b39bSJohn Wren Kennedy# See the License for the specific language governing permissions
12d583b39bSJohn Wren Kennedy# and limitations under the License.
13d583b39bSJohn Wren Kennedy#
14d583b39bSJohn Wren Kennedy# When distributing Covered Code, include this CDDL HEADER in each
15d583b39bSJohn Wren Kennedy# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16d583b39bSJohn Wren Kennedy# If applicable, add the following below this CDDL HEADER, with the
17d583b39bSJohn Wren Kennedy# fields enclosed by brackets "[]" replaced with your own identifying
18d583b39bSJohn Wren Kennedy# information: Portions Copyright [yyyy] [name of copyright owner]
19d583b39bSJohn Wren Kennedy#
20d583b39bSJohn Wren Kennedy# CDDL HEADER END
21d583b39bSJohn Wren Kennedy#
22d583b39bSJohn Wren Kennedy
23d583b39bSJohn Wren Kennedy#
24d583b39bSJohn Wren Kennedy# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
25d583b39bSJohn Wren Kennedy# Use is subject to license terms.
26d583b39bSJohn Wren Kennedy#
27d583b39bSJohn Wren Kennedy
28d583b39bSJohn Wren Kennedy#
29*1d32ba66SJohn Wren Kennedy# Copyright (c) 2012, 2016 by Delphix. All rights reserved.
30327848f9SYuri Pankov# Copyright 2016 Nexenta Systems, Inc.
31d583b39bSJohn Wren Kennedy#
32d583b39bSJohn Wren Kennedy
33d583b39bSJohn Wren Kennedy. $STF_SUITE/tests/functional/acl/acl_common.kshlib
34d583b39bSJohn Wren Kennedy. $STF_SUITE/tests/functional/acl/cifs/cifs.kshlib
35d583b39bSJohn Wren Kennedy
#
# DESCRIPTION:
#	Verify that a user with PRIV_FILE_FLAG_SET/PRIV_FILE_FLAG_CLEAR
#	can set/clear BSD'ish attributes.
#	(Immutable, nounlink, and appendonly)
#
# STRATEGY:
#	1. Loop over the super user and a non-super user to run the test case.
#	2. Create basedir and a set of subdirectories and files within it.
#	3. Grant the user PRIV_FILE_FLAG_SET/PRIV_FILE_FLAG_CLEAR separately.
#	4. Verify that setting/clearing BSD'ish attributes succeeds.
#
48d583b39bSJohn Wren Kennedy
49d583b39bSJohn Wren Kennedyverify_runnable "global"
50d583b39bSJohn Wren Kennedy
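#
# Exit handler (registered with log_onexit): remove the test objects and put
# the saved copy of /etc/user_attr back in place.
#
# Globals read: mntpt, orig_user_attr (both assigned by the main body of
# this script).
#
function cleanup
{
	# Best effort, errors deliberately discarded. Skipped when mntpt is
	# empty so the paths cannot collapse to /file and /dir.
	if [[ -n $mntpt ]]; then
		rm -rf "$mntpt/file" "$mntpt/dir" >/dev/null 2>&1
	fi

	#
	# This overwrites a system privilege database with the contents of
	# the backup, so the backup path must not be something another local
	# user can create or replace while the test runs.
	#
	log_must cp "$orig_user_attr" /etc/user_attr
	log_must rm -f "$orig_user_attr"
}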
58d583b39bSJohn Wren Kennedy
#
# Run one chmod that sets or clears a single attribute, assert the outcome
# that the rules below predict, then confirm the resulting attribute state.
#
# $1: file or directory to operate on
# $2: attribute letter
# $3: user to run chmod as
# $4: privilege the user was granted (only consulted for non-root users)
# $5: operation prefix, compared against the global $add
#
# Expected outcome, as encoded by the branches:
#   - adding 'q' (av_quarantine) to a directory fails for every user;
#   - root succeeds at everything else;
#   - a non-root user may add an attribute when $4 is non-empty;
#   - a non-root user may clear an attribute only with a privilege matching
#     'all', except that clearing 'q' on a directory is expected to succeed.
#
function try
{
	typeset obj=$1
	typeset attr=$2
	typeset user=$3
	typeset priv=$4
	typeset op=$5

	typeset cmd="chmod $op$attr $obj"
	typeset denied_for_all=no

	# The one request that nobody, root included, is allowed to make.
	[[ $attr =~ 'q' && -d $obj && $op == $add ]] && denied_for_all=yes

	if [[ $user == 'root' ]]; then
		if [[ $denied_for_all == yes ]]; then
			log_mustnot $cmd
		else
			log_must $cmd
		fi
	elif [[ $denied_for_all == yes ]]; then
		log_mustnot su $user -c "$cmd"
	elif [[ $op == $add ]]; then
		if [[ -n $priv ]]; then
			log_must su $user -c "$cmd"
		else
			log_mustnot su $user -c "$cmd"
		fi
	elif [[ $attr = 'q' && -d $obj ]] || [[ $priv =~ 'all' ]]; then
		log_must su $user -c "$cmd"
	else
		# The clear attempted through su must be refused here.
		log_mustnot su $user -c "$cmd"
		#
		# Run the same chmod directly (no su) so the attribute is
		# gone and the next iteration starts with a known state.
		#
		log_must $cmd
	fi

	# 'q' can never be added to a directory, so there is nothing to check.
	if [[ $attr == 'q' && $op == $add && -d $obj ]]; then
		return
	fi
	chk_attr $op $obj $attr
}
113d583b39bSJohn Wren Kennedy
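#
# Confirm that an attribute is present after a set, or absent after a clear.
#
# $1: operation that was performed (compared against the global $add)
# $2: file or directory to inspect
# $3: attribute letter to look for
#
# Calls log_fail when the observed state does not match the operation, or
# when no attribute string could be read at all. Returns 0 otherwise.
#
function chk_attr
{
	typeset op=$1
	typeset obj=$2
	typeset attr=$3
	typeset attrstr

	# Drop the first line of the ls output, then keep only the text
	# inside the braces.
	attrstr=$(ls -d/ c "$obj" | sed '1d; s/.*{\(.*\)}.*/\1/g')

	#
	# An empty string means ls produced no attribute line. Without this
	# guard the "clear" branch would read that as "attribute absent" and
	# pass without having verified anything.
	#
	[[ -n $attrstr ]] || log_fail "No attributes reported for $obj"

	if [[ $op == $add ]]; then
		[[ $attrstr =~ $attr ]] || log_fail "$op $attr -> $attrstr"
	elif [[ $attrstr =~ $attr ]]; then
		log_fail "$op $attr -> $attrstr"
	fi

	# Report success explicitly; a bare "[[ ... ]] && log_fail" as the
	# last command would leave a non-zero status on the passing path.
	return 0
}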
129d583b39bSJohn Wren Kennedy
#
# Give a user an extra default privilege by appending an entry for that user
# to /etc/user_attr.
#
# $1: user to receive the privilege
# $2: privilege to add to the "basic" set
#
# Sets the global priv_mod. Returns 0 without touching /etc/user_attr when
# the user is root; otherwise returns the status of the append.
#
# The appended entry stays in /etc/user_attr until the saved copy is put
# back (see reset_privs and cleanup), so every call needs a matching restore.
#
function grant_priv
{
	typeset user=$1
	typeset priv=$2
	typeset entry
	typeset rc

	[[ -n $user && -n $priv ]] || \
	    log_fail "User($user), Priv($priv) not defined."

	priv_mod=",$priv"

	# root's entry is never edited
	if [[ $user == 'root' ]]; then
		return 0
	fi

	entry="$user::::type=normal;defaultpriv=basic$priv_mod"
	echo "$entry" >> /etc/user_attr
	rc=$?
	return $rc
}
154d583b39bSJohn Wren Kennedy
#
# Revoke every additional privilege by restoring /etc/user_attr from the
# copy saved in $orig_user_attr.
#
# $1: the user whose privileges are being reset; it is only checked for
#     being non-empty, because the whole file is restored rather than a
#     single entry
#
# Clears the global priv_mod. Calls log_fail if the copy fails; returns 0
# otherwise.
#
function reset_privs
{
	typeset user=$1

	[[ -n $user ]] || log_fail "User not defined."

	priv_mod=

	if ! cp $orig_user_attr /etc/user_attr; then
		log_fail "Couldn't modify user_attr"
	fi
	return 0
}
173d583b39bSJohn Wren Kennedy
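log_assert "Verify set/clear BSD'ish attributes will succeed while user has " \
    "file_flag_set or all privilege"

# chmod operation prefixes for setting and clearing a compact attribute
add='S+c'
del='S-c'
mntpt=$(get_prop mountpoint $TESTPOOL/$TESTFS)
# An empty mountpoint would turn the test paths into /file and /dir.
[[ -n $mntpt ]] || \
    log_fail "Couldn't determine the mountpoint of $TESTPOOL/$TESTFS"
attributes="u i a d q m"

#
# The backup of /etc/user_attr is later copied back over the live file, so
# its path must be one that only this test controls. A fixed, guessable name
# in /tmp (such as one built from the PID) can be claimed by another local
# user before the test creates it; mktemp creates the file exclusively under
# an unpredictable name instead.
#
orig_user_attr=$(mktemp /tmp/user_attr.XXXXXX) || \
    log_fail "Couldn't create a backup file for /etc/user_attr"
if ! cp /etc/user_attr "$orig_user_attr"; then
	rm -f "$orig_user_attr"
	log_fail "Couldn't back up /etc/user_attr"
fi

#
# Register the exit handler only once a complete backup exists, so that a
# failure above can never lead cleanup to restore from an empty or partial
# copy.
#
log_onexit cleanup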
185d583b39bSJohn Wren Kennedy
#
# Test matrix: for each owner of the objects, each acting user, each
# attribute and each privilege, set and then clear the attribute on a file
# and on a directory.
#
# grant_priv does nothing to /etc/user_attr when the acting user is root, so
# the privilege only has an effect for $ZFS_ACL_STAFF2. Between grant_priv
# and reset_privs that user's entry in /etc/user_attr carries the extra
# default privilege.
#
for owner in root $ZFS_ACL_STAFF1 $ZFS_ACL_STAFF2; do
	touch $mntpt/file || log_fail "Failed to create $mntpt/file"
	mkdir $mntpt/dir || log_fail "Failed to mkdir $mntpt/dir"
	chown $owner $mntpt/file $mntpt/dir || log_fail "Failed to chown file"

	for user in 'root' $ZFS_ACL_STAFF2; do
		for attr in $attributes; do
			for priv in 'file_flag_set' 'all'; do
				log_note "Trying $owner $user $attr $priv"
				grant_priv $user $priv
				# Order matters: set before clear, file before dir.
				for target in $mntpt/file $mntpt/dir; do
					for action in $add $del; do
						try $target $attr $user $priv $action
					done
				done
				reset_privs $user
			done
		done
	done

	# If removal fails, put the objects' attribute listing in the failure
	# message.
	if ! rm -rf $mntpt/file $mntpt/dir; then
		log_fail "$(ls -d/ c $mntpt/file $mntpt/dir)"
	fi
done

log_pass "Set/Clear BSD'ish attributes succeed while user has " \
    "PRIV_FILE_FLAG_SET/PRIV_FILE_FLAG_CLEAR privilege"