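#!/bin/ksh -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

#
# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#

#
# Copyright (c) 2012 by Delphix. All rights reserved.
#

. $STF_SUITE/tests/functional/acl/acl_common.kshlib

#
# DESCRIPTION:
#	Verify that the write_owner for
#	owner/group/everyone are correct.
#
# STRATEGY:
#	1. Create file and directory in zfs filesystem
#	2. Set special write_owner ACE to the file and directory
#	3. Try to chown/chgrp of the file and directory to take owner/group
#	4. Verify that the owner/group are correct. Follow these rules:
#		(1) If uid is granted the write_owner permission, then it can only do
#		    chown to its own uid, or a group that they are a member of.
#		(2) Owner will ignore permission of (1) even write_owner not granted.
#		(3) Superuser will always permit whatever they do.
#

verify_runnable "both"

#
# Exit handler: remove the test tree and the tar snapshot if they exist.
# Always returns 0 so that cleanup itself never fails the test.
#
function cleanup
{
	if [[ -d $basedir ]]; then
		$RM -rf "$basedir"
	fi
	if [[ -f $TESTDIR/$ARCHIVEFILE ]]; then
		log_must $RM -f "$TESTDIR/$ARCHIVEFILE"
	fi
	return 0
}

log_assert "Verify that the chown/chgrp could take owner/group " \
	"while permission is granted."
log_onexit cleanup

#
# Get the owner of a file/directory
#
# $1 - path to inspect.  Prints the third field of "ls -dl" on stdout.
#
function get_owner
{
	typeset node=$1

	if [[ -z $node ]]; then
		log_fail "node are not defined."
	fi

	$LS -dl "$node" | $AWK '{print $3}'
}

#
# Get the group of a file/directory
#
# $1 - path to inspect.  Prints the fourth field of "ls -dl" on stdout.
#
function get_group
{
	typeset node=$1

	if [[ -z $node ]]; then
		log_fail "node are not defined."
	fi

	$LS -dl "$node" | $AWK '{print $4}'
}


#
# Get the group name that a UID belongs to
#
# $1 - user to look up with id(1).
#
# The name printed is the text inside the last "(...)" pair of the id
# output.  That is the primary group only when id prints no supplementary
# group list after the gid -- NOTE(review): confirm for the id in use.
#
function get_user_group
{
	typeset uid=$1
	typeset value

	if [[ -z $uid ]]; then
		log_fail "UID not defined."
	fi

	if value=$(id "$uid"); then
		value=${value##*\(}
		value=${value%%\)*}
		$ECHO $value
	else
		# Report the UID that was rejected; the message previously
		# printed the literal text "(uid)".
		log_fail "Invalid UID ($uid)."
	fi
}

#
# Try to chown a node as a given user and check the outcome.
#
# $1 - user that runs chown (through su)
# $2 - node to operate on; it is interpolated into the "su -c" command
#      string, so it must not contain whitespace or shell metacharacters
# $3 - owner of the node before the attempt
# $4 - owner to change to
#
# Returns:
#	0	chown succeeded and the owner is $4
#	1	chown reported success but the owner is not $4
#	2	chown reported failure but the owner changed anyway, i.e. the
#		permission check did not hold
#	other	chown's own non-zero status; the owner is unchanged
#
function operate_node_owner
{
	typeset user=$1
	typeset node=$2
	typeset old_owner=$3
	typeset expect_owner=$4
	typeset ret new_owner

	if [[ $user == "" || $node == "" ]]; then
		log_fail "user, node are not defined."
	fi

	$SU "$user" -c "$CHOWN $expect_owner $node"
	ret=$?
	# Sample the owner before the restore so the checks below see the
	# state the chown attempt left behind.
	new_owner=$(get_owner "$node")

	# Names are compared literally (quoted right-hand side), not as
	# shell patterns.
	if [[ $new_owner != "$old_owner" ]]; then
		# Roll the tree back from the snapshot for the next case.
		# The archive holds the relative path "basedir", so this
		# relies on the working directory being $TESTDIR.
		$TAR xpf "$TESTDIR/$ARCHIVEFILE"
	fi

	if (( ret == 0 )); then
		if [[ $new_owner != "$expect_owner" ]]; then
			log_note "Owner not changed as expected " \
				"($old_owner|$new_owner|$expect_owner), " \
				"but return code is $ret."
			return 1
		fi
	elif [[ $new_owner != "$old_owner" ]]; then
		log_note "Owner changed ($old_owner|$new_owner), " \
			"but return code is $ret."
		return 2
	fi

	return $ret
}

#
# Try to chgrp a node as a given user and check the outcome.
#
# $1 - user that runs chgrp (through su)
# $2 - node to operate on; it is interpolated into the "su -c" command
#      string, so it must not contain whitespace or shell metacharacters
# $3 - group of the node before the attempt
# $4 - group to change to
#
# Returns:
#	0	chgrp succeeded and the group is $4
#	1	chgrp reported success but the group is not $4
#	2	chgrp reported failure but the group changed anyway, i.e. the
#		permission check did not hold
#	other	chgrp's own non-zero status; the group is unchanged
#
function operate_node_group
{
	typeset user=$1
	typeset node=$2
	typeset old_group=$3
	typeset expect_group=$4
	typeset ret new_group

	if [[ $user == "" || $node == "" ]]; then
		log_fail "user, node are not defined."
	fi

	$SU "$user" -c "$CHGRP $expect_group $node"
	ret=$?
	# Sample the group before the restore so the checks below see the
	# state the chgrp attempt left behind.
	new_group=$(get_group "$node")

	if [[ $new_group != "$old_group" ]]; then
		# Roll the tree back from the snapshot; relies on the working
		# directory being $TESTDIR (the archive path is relative).
		$TAR xpf "$TESTDIR/$ARCHIVEFILE"
	fi

	if (( ret == 0 )); then
		if [[ $new_group != "$expect_group" ]]; then
			log_note "Group not changed as expected " \
				"($old_group|$new_group|$expect_group), " \
				"but return code is $ret."
			return 1
		fi
	elif [[ $new_group != "$old_group" ]]; then
		log_note "Group changed ($old_group|$new_group), " \
			"but return code is $ret."
		return 2
	fi

	return $ret
}

#
# Print the log wrapper ("log_must" or "log_mustnot") that states the
# expected result of an ownership change.
#
# $1 - ACL target, "<who>:write_owner:allow" or "<who>:write_owner:deny"
# $2 - user attempting the change
# $3 - current owner
# $4 - owner being changed to
#
# Success is expected when the user is root, or when the user is taking
# ownership for itself and either already owns the node or the ACE is an
# allow entry.  Everything else is expected to fail.
#
# Note that this function has the same name as the logname(1) utility and
# shadows it for the rest of the script.
#
function logname
{
	typeset acl_target=$1
	typeset user=$2
	typeset old=$3
	typeset new=$4
	typeset ret="log_mustnot"

	# The superuser is not restricted by the write_owner ACE
	# (rule 3 in the STRATEGY above).
	if [[ $user == root ]]; then
		ret="log_must"
	elif [[ $user == "$new" ]]; then
		# "*:allow" is deliberately left unquoted: it is a pattern.
		if [[ $user == "$old" || $acl_target == *:allow ]]; then
			ret="log_must"
		fi
	fi

	print $ret
}

#
# Helper for check_chmod_results: as one acting user, attempt chown and
# chgrp towards each candidate owner and assert the expected result.
#
# $1 - acting user
# $2 - node
# $3 - ACL target string passed to logname
# $4 - owner of the node before the attempts
# $5 - group of the node before the attempts
# $6... - candidate new owners
#
# The expectation computed from the owner change is applied to the group
# change as well.
#
function _check_take_as
{
	typeset actor=$1
	typeset node=$2
	typeset acl_target=$3
	typeset old_owner=$4
	typeset old_group=$5
	typeset log new_owner new_group

	shift 5
	for new_owner in "$@"; do
		new_group=$(get_user_group "$new_owner")

		log=$(logname "$acl_target" "$actor" "$old_owner" "$new_owner")

		$log operate_node_owner "$actor" "$node" \
			"$old_owner" "$new_owner"

		$log operate_node_group "$actor" "$node" \
			"$old_group" "$new_group"
	done
}

#
# Verify chown/chgrp behaviour for every user class that the ACE in
# effect applies to.
#
# $1 - owner of the node
# $2 - node
# $3 - ACE subject: owner@, group@ or everyone@
# $4 - ACE body, e.g. write_owner:allow
# $5 - a user in the node's group
# $6 - a user that is neither the owner nor in the group
#
function check_chmod_results
{
	typeset user=$1
	typeset node=$2
	typeset flag=$3
	typeset acl_target=$3:$4
	typeset g_usr=$5
	typeset o_usr=$6
	typeset old_owner old_group

	old_owner=$(get_owner "$node")
	old_group=$(get_group "$node")

	if [[ $flag == "owner@" || $flag == "everyone@" ]]; then
		_check_take_as "$user" "$node" "$acl_target" \
			"$old_owner" "$old_group" $user "nobody"
	fi
	if [[ $flag == "group@" || $flag == "everyone@" ]]; then
		_check_take_as "$g_usr" "$node" "$acl_target" \
			"$old_owner" "$old_group" $g_usr "nobody"
	fi
	if [[ $flag == "everyone@" ]]; then
		# NOTE(review): the candidate list here is $g_usr/"nobody",
		# not $o_usr/"nobody".  logname only expects success when the
		# acting user equals the candidate owner, so a non-root $o_usr
		# is always expected to fail and the "everyone@:...:allow"
		# case in which the other user takes ownership for itself is
		# never exercised.  Confirm whether $o_usr was intended before
		# changing it.
		_check_take_as "$o_usr" "$node" "$acl_target" \
			"$old_owner" "$old_group" $g_usr "nobody"
	fi
}

#
# For each ACE subject in $a_flag and each ACE body in $a_access: add the
# ACE to the node, snapshot the tree, run the checks, then remove the ACE.
#
# $1 - owner of the node (also the user that edits the ACL)
# $2 - node; one trailing "/" is stripped
# $3 - a user in the node's group
# $4 - a user that is neither the owner nor in the group
#
function test_chmod_basic_access
{
	typeset user=$1
	typeset node=${2%/}
	typeset g_usr=$3
	typeset o_usr=$4
	typeset flag acl_t

	# $a_flag and $a_access are space-separated lists and are split on
	# purpose.
	for flag in $a_flag; do
		for acl_t in $a_access; do
			log_must $SU $user -c "$CHMOD A+$flag:$acl_t $node"

			# Snapshot taken with a relative path; the working
			# directory must be $TESTDIR.
			$TAR cpf "$TESTDIR/$ARCHIVEFILE" basedir

			check_chmod_results "$user" "$node" "$flag" "$acl_t" \
				"$g_usr" "$o_usr"

			log_must $SU $user -c "$CHMOD A0- $node"
		done
	done
}

#
# Recreate the test tree owned by the given user and group.
#
# $1 - base directory; removed recursively and recreated
# $2 - owning user
# $3 - owning group
#
# Reads the globals $file and $dir for the nodes created under $1.
#
function setup_test_files
{
	typeset base_node=$1
	typeset user=$2
	typeset group=$3

	# $base_node is handed to "rm -rf"; refuse to run with empty
	# arguments instead of letting the later commands act on them.
	if [[ -z $base_node || -z $user || -z $group ]]; then
		log_fail "base_node, user, group are not defined."
	fi

	$RM -rf "$base_node"

	log_must $MKDIR -p "$base_node"
	log_must $CHOWN "$user:$group" "$base_node"

	# Prepare all files/sub-dirs for testing.
	log_must $SU $user -c "$TOUCH $file"
	log_must $SU $user -c "$CHMOD 444 $file"
	log_must $SU $user -c "$MKDIR -p $dir"
	log_must $SU $user -c "$CHMOD 444 $dir"
	log_must $SU $user -c "$CHMOD 555 $base_node"
}

typeset ARCHIVEFILE=archive.tar
typeset a_access="write_owner:allow write_owner:deny"
typeset a_flag="owner@ group@ everyone@"
typeset basedir="$TESTDIR/basedir"
typeset file="$basedir/file"
typeset dir="$basedir/dir"

# Everything below creates, archives, restores and recursively removes
# paths relative to $TESTDIR, so stop if it is unset or unreachable.
if [[ -z $TESTDIR ]] || ! cd "$TESTDIR"; then
	log_fail "Cannot change directory to TESTDIR ($TESTDIR)."
fi

# Pass 1: nodes owned by root.
setup_test_files "$basedir" 'root' 'root'
test_chmod_basic_access 'root' "$file" "$ZFS_ACL_ADMIN" "$ZFS_ACL_OTHER1"
test_chmod_basic_access 'root' "$dir" "$ZFS_ACL_ADMIN" "$ZFS_ACL_OTHER1"
$RM -rf "$basedir"

# Pass 2: nodes owned by an unprivileged user.
setup_test_files "$basedir" "$ZFS_ACL_STAFF1" "$ZFS_ACL_STAFF_GROUP"
test_chmod_basic_access "$ZFS_ACL_STAFF1" "$file" "$ZFS_ACL_STAFF2" \
	"$ZFS_ACL_OTHER1"
test_chmod_basic_access "$ZFS_ACL_STAFF1" "$dir" "$ZFS_ACL_STAFF2" \
	"$ZFS_ACL_OTHER1"
$RM -rf "$basedir"

log_pass "Verify that the chown/chgrp could take owner/group " \
	"while permission is granted."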