xref: /illumos-gate/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_003_pos.ksh (revision 6990962ce8f191dd6bb6a174a2f3dec3e3a51f18)
1d583b39bSJohn Wren Kennedy#!/bin/ksh -p
2d583b39bSJohn Wren Kennedy#
3d583b39bSJohn Wren Kennedy# CDDL HEADER START
4d583b39bSJohn Wren Kennedy#
5d583b39bSJohn Wren Kennedy# The contents of this file are subject to the terms of the
6d583b39bSJohn Wren Kennedy# Common Development and Distribution License (the "License").
7d583b39bSJohn Wren Kennedy# You may not use this file except in compliance with the License.
8d583b39bSJohn Wren Kennedy#
9d583b39bSJohn Wren Kennedy# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10d583b39bSJohn Wren Kennedy# or http://www.opensolaris.org/os/licensing.
11d583b39bSJohn Wren Kennedy# See the License for the specific language governing permissions
12d583b39bSJohn Wren Kennedy# and limitations under the License.
13d583b39bSJohn Wren Kennedy#
14d583b39bSJohn Wren Kennedy# When distributing Covered Code, include this CDDL HEADER in each
15d583b39bSJohn Wren Kennedy# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16d583b39bSJohn Wren Kennedy# If applicable, add the following below this CDDL HEADER, with the
17d583b39bSJohn Wren Kennedy# fields enclosed by brackets "[]" replaced with your own identifying
18d583b39bSJohn Wren Kennedy# information: Portions Copyright [yyyy] [name of copyright owner]
19d583b39bSJohn Wren Kennedy#
20d583b39bSJohn Wren Kennedy# CDDL HEADER END
21d583b39bSJohn Wren Kennedy#
22d583b39bSJohn Wren Kennedy
23d583b39bSJohn Wren Kennedy#
24d583b39bSJohn Wren Kennedy# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
25d583b39bSJohn Wren Kennedy# Use is subject to license terms.
26d583b39bSJohn Wren Kennedy#
27d583b39bSJohn Wren Kennedy
28232f5a2eSYuri Pankov#
29232f5a2eSYuri Pankov# Copyright 2016 Nexenta Systems, Inc.
30*6990962cSToomas Soome# Copyright 2023 RackTop Systems, Inc.
31232f5a2eSYuri Pankov#
32232f5a2eSYuri Pankov
33d583b39bSJohn Wren Kennedy. $STF_SUITE/tests/functional/acl/acl_common.kshlib
34d583b39bSJohn Wren Kennedy
35d583b39bSJohn Wren Kennedy# DESCRIPTION:
# Verify chmod has the correct behaviour on directories and files when the
# filesystem has different aclinherit settings
38d583b39bSJohn Wren Kennedy#
39d583b39bSJohn Wren Kennedy# STRATEGY:
40232f5a2eSYuri Pankov# 1. Use both super user and non-super user to run the test case.
# 2. Create basedir and a set of subdirectories and files within it.
# 3. Separately chmod basedir with different inherit options,
#    combined with each setting of aclinherit:
#    "discard", "noallow", "restricted" or "passthrough".
45d583b39bSJohn Wren Kennedy# 4. Then create nested directories and files like the following.
46d583b39bSJohn Wren Kennedy#
47d583b39bSJohn Wren Kennedy#               ofile
48d583b39bSJohn Wren Kennedy#               odir
49d583b39bSJohn Wren Kennedy#    chmod -->  basedir -|
50d583b39bSJohn Wren Kennedy#                        |_ nfile1
51d583b39bSJohn Wren Kennedy#                        |_ ndir1 _
52d583b39bSJohn Wren Kennedy#                                  |_ nfile2
53d583b39bSJohn Wren Kennedy#                                  |_ ndir2 _
54d583b39bSJohn Wren Kennedy#                                            |_ nfile3
55d583b39bSJohn Wren Kennedy#                                            |_ ndir3
56d583b39bSJohn Wren Kennedy#
# 5. Verify that each directory and file has the correct access control
#    capability.
59d583b39bSJohn Wren Kennedy
# Gate the test through the suite's verify_runnable helper, which is defined
# outside this file.
verify_runnable both
61d583b39bSJohn Wren Kennedy
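# Remove every object this test creates under $TESTDIR: the reference file
# ($ofile), the reference directory ($odir) and the tree rooted at $basedir.
# The script registers this function with log_onexit.
#
# The paths are quoted so that each rm receives exactly one operand per
# variable, even if $TESTDIR ever contains whitespace or glob characters;
# this matters most for the recursive removals.
#
# NOTE(review): the aclmode and aclinherit properties this script sets on
# $TESTPOOL/$TESTFS are not reset here. Confirm that the suite restores them
# elsewhere if later tests depend on the previous values.
function cleanup
{
	[[ -f "$ofile" ]] && log_must rm -f "$ofile"
	[[ -d "$odir" ]] && log_must rm -rf "$odir"
	[[ -d "$basedir" ]] && log_must rm -rf "$basedir"
}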
68d583b39bSJohn Wren Kennedy
log_assert \
    "Verify chmod have correct behaviour to directory and file when" \
    "filesystem has the different aclinherit setting"
log_onexit cleanup

# Values of the aclinherit property that the test iterates over.
typeset aclinherit_flag=(
	'discard'
	'noallow'
	'restricted'
	'passthrough'
)
# Object inheritance flags: file_inherit only, dir_inherit only, or both.
typeset object_flag=('f-' '-d' 'fd')
# Strategy flags; verify_inherit treats an "n" in the second position as
# no_propagate.
typeset strategy_flag=('--' 'i-' '-n' 'in')

# Principals used when building the test ACEs.
typeset ace_prefix1='owner@'
typeset ace_prefix2='group@'
typeset ace_prefix3='everyone@'

# The directory that receives the ACEs, plus one untouched file and one
# untouched directory that serve as references for the trivial ACL.
basedir="$TESTDIR/basedir"
ofile="$TESTDIR/ofile"
odir="$TESTDIR/odir"

# Directories created below basedir after the chmod, nested three deep.
ndir1="$basedir/ndir1"
ndir2="$ndir1/ndir2"
ndir3="$ndir2/ndir3"

# One file at each level of that tree.
nfile1="$basedir/nfile1"
nfile2="$ndir1/nfile2"
nfile3="$ndir2/nfile3"

# Every node whose ACL is checked, as one space-separated list.
allnodes="$ndir1 $ndir2 $ndir3 $nfile1 $nfile2 $nfile3"
91d583b39bSJohn Wren Kennedy
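# Check that every node created under $basedir carries the ACL that the
# current aclinherit mode and the inheritance flags set on $basedir call for.
#
# Arguments:
#   $1 aclinherit  value set on the filesystem: discard, noallow, restricted
#                  or passthrough
#   $2 object      two-character object flags: "f" in the first position
#                  means file_inherit, "d" in the second means dir_inherit
#   $3 strategy    two-character strategy flags; an "n" in the second
#                  position means no_propagate
#
# Reads the globals maxaces, acl<N> (the ACEs applied to $basedir) and
# acls<N> (the same ACEs in the form expected under "restricted"), as well as
# the node paths defined at the top of the script. Calls log_fail on the
# first mismatch, after printing the ACLs of $basedir and the node with ls -V.
#
# Only the inherited entries at the front of a node's ACL are compared with
# the expected list. When the loop ends with count below maxaces + 1 (nodes
# that did inherit under noallow, restricted or passthrough), the entries
# that follow them are not examined by this function.
function verify_inherit #<aclinherit> <object> [strategy]
{
	# Define the nodes which will be affected by inherit.
	typeset inherit_nodes
	typeset inherit=$1
	typeset obj=$2
	typeset str=$3

	# Create the nested tree through usr_exec (presumably as the user
	# chosen with set_cur_usr; confirm in acl_common.kshlib).
	log_must usr_exec mkdir -p $ndir3
	log_must usr_exec touch $nfile1 $nfile2 $nfile3

	# Check if we have any inheritance flags set
	if [[ $obj != "--" ]]; then
		# Files should have inherited ACEs only if file_inherit is set
		if [[ ${obj:0:1} == "f" ]]; then
			inherit_nodes="$inherit_nodes $nfile1"
			# Below the first level, inheritance continues only
			# when no_propagate is not set
			if [[ ${str:1:1} != "n" ]]; then
				inherit_nodes="$inherit_nodes $nfile2 $nfile3"
			fi
		fi

		# Directories should have inherited ACEs if file_inherit without
		# no_propagate and/or dir_inherit is set
		if [[ (${obj:0:1} == "f" && ${str:1:1} != "n") ||
		    ${obj:1:1} == "d" ]]; then
			inherit_nodes="$inherit_nodes $ndir1"
			if [[ ${str:1:1} != "n" ]]; then
				inherit_nodes="$inherit_nodes $ndir2 $ndir3"
			fi
		fi
	fi

	for node in $allnodes; do
		# i indexes the ACEs that were set on $basedir, count indexes
		# the ACEs actually present on the node
		typeset -i i=0 count=0 inherited=0
		typeset expacl perm inh act

		# Match whole, space-delimited entries. The nested paths share
		# prefixes ($nfile2 contains $ndir1), so a bare substring test
		# could mark a node as inherited by accident.
		if [[ " $inherit_nodes " == *" $node "* ]]; then
			inherited=1
		fi

		while ((i < maxaces)); do
			# If current node isn't in inherit list, there's
			# nothing to check, skip to checking trivial ACL
			if ((inherited == 0)); then
				((count = maxaces + 1))
				break
			fi

			# Fetch the i-th ACE as it was applied to $basedir
			eval expacl=\$acl$i
			case $inherit in
			discard)
				# Do not inherit any ACEs
				((count = maxaces + 1))
				break
				;;
			noallow)
				# Only inherit inheritable ACEs that specify
				# "deny" permissions. A skipped "allow" entry
				# advances i but not count, because it takes
				# no slot in the node's ACL.
				if [[ $expacl == *":allow" ]] ; then
					((i = i + 1))
					continue
				fi
				;;
			restricted)
				# Remove write_acl and write_owner permissions
				# when the ACEs is inherited: take the expected
				# entry from acls<i>, the pre-filtered copy
				eval expacl=\$acls$i
				;;
			passthrough)
				;;
			esac

			# Split "who:perms:flags:type": perm keeps "who:perms",
			# inh keeps the first two flag characters (the object
			# flags), act keeps the allow/deny type
			perm=${expacl%:*}
			inh=${perm##*:}
			inh=${inh:0:2}
			perm=${perm%:*}
			act=${expacl##*:}

			if [[ -d $node ]]; then
				# Clear inheritance flags if no_propagate is set
				if [[ ${str:1:1} == "n" ]]; then
					inh="--"
				fi
				expacl="$perm:$inh"
				# Set inherit_only if there's a file_inherit
				# without dir_inherit
				if [[ ${obj:0:1} == "f" &&
				    ${obj:1:1} != "d" ]]; then
					expacl="${expacl}i---I:$act"
				else
					expacl="${expacl}----I:$act"
				fi
			elif [[ -f $node ]] ; then
				# Files carry no inheritance flags of their
				# own, only the trailing "I" flag
				expacl="$perm:------I:$act"
			fi

			aclcur=$(get_ACE $node $count compact)
			aclcur=${aclcur#$count:}
			# The right-hand side is quoted so the comparison is
			# literal rather than a pattern match
			if [[ -n $expacl && $expacl != "$aclcur" ]]; then
				ls -Vd $basedir
				ls -Vd $node
				log_fail "$inherit $i #$count" \
				    "expected: $expacl, current: $aclcur"
			fi

			((i = i + 1))
			((count = count + 1))
		done

		# There were no non-trivial ACEs to check, do the trivial ones
		if ((count == maxaces + 1)); then
			# Compare with the untouched reference object of the
			# same kind
			if [[ -d $node ]]; then
				compare_acls $node $odir
			elif [[ -f $node ]]; then
				compare_acls $node $ofile
			fi

			# $? is the status of whichever compare_acls ran, or 0
			# when neither branch was taken
			if (( $? != 0 )); then
				ls -Vd $basedir
				ls -Vd $node
				log_fail "unexpected acl: $node," \
				    "$inherit ($str)"
			fi
		fi

	done
}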
221d583b39bSJohn Wren Kennedy
# Number of ACEs applied to $basedir, and a loop index.
typeset -i i=0
typeset -i maxaces=6
# acl<N>: the ACEs as applied to $basedir.
# acls<N>: the same ACEs in the form expected on children under "restricted".
typeset acl0 acl1 acl2 acl3 acl4 acl5
typeset acls0 acls1 acls2 acls3 acls4 acls5

log_must zfs set aclmode=passthrough $TESTPOOL/$TESTFS

# Run every combination of aclinherit value, user, object flags and strategy
# flags on a freshly created tree.
for inherit in "${aclinherit_flag[@]}"; do
	log_must zfs set aclinherit=$inherit $TESTPOOL/$TESTFS

	for user in root $ZFS_ACL_STAFF1; do
		log_must set_cur_usr $user

		for obj in "${object_flag[@]}"; do
			for str in "${strategy_flag[@]}"; do
				# Build the inheritance flag field: object
				# flags, strategy flags and two placeholders
				typeset inh_opt=$obj
				if ((${#str} > 0)); then
					inh_opt="${inh_opt}${str}--"
				fi

				# inh_a ends in "-", inh_b in the "I" flag
				inh_a="${inh_opt}-"
				inh_b="${inh_opt}I"

				# The deny entries exercise "noallow". The
				# write_acl (C) and write_owner (o) bits
				# exercise "restricted".
				acl0="${ace_prefix1}:rwxp---A-W-Co-:${inh_a}:allow"
				acl1="${ace_prefix2}:-------A-W--o-:${inh_a}:deny"
				acl2="${ace_prefix3}:-------A-W-Co-:${inh_a}:allow"
				acl3="${ace_prefix1}:-------A-W----:${inh_a}:deny"
				acl4="${ace_prefix2}:-------A-W----:${inh_a}:allow"
				acl5="${ace_prefix3}:-------A-W----:${inh_a}:deny"

				# Expected entries under "restricted": the
				# allow ACEs lose C and o, while the deny ACE
				# in acls1 keeps its o bit.
				acls0="${ace_prefix1}:rwxp---A-W----:${inh_b}:allow"
				acls1="${ace_prefix2}:-------A-W--o-:${inh_b}:deny"
				acls2="${ace_prefix3}:-------A-W----:${inh_b}:allow"
				acls3="${ace_prefix1}:-------A-W----:${inh_b}:deny"
				acls4="${ace_prefix2}:-------A-W----:${inh_b}:allow"
				acls5="${ace_prefix3}:-------A-W----:${inh_b}:deny"

				log_must usr_exec mkdir $basedir
				log_must usr_exec mkdir $odir
				log_must usr_exec touch $ofile

				# chmod A+ puts each entry at the front of the
				# ACL, so going from the last ACE to the first
				# leaves acl0 at index 0.
				for ((i = maxaces - 1; i >= 0; i--)); do
					eval "acl=\$acl$i"
					log_must usr_exec chmod A+$acl $basedir
				done

				verify_inherit $inherit $obj $str

				# Start the next combination from an empty
				# $TESTDIR
				log_must usr_exec rm -rf $ofile $odir $basedir
			done
		done
	done
done

log_pass "Verify chmod inherit behaviour co-op with aclinherit setting passed"
279