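#!/bin/ksh -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

#
# Copyright 2009 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#

#
# Copyright (c) 2016 by Delphix. All rights reserved.
#

. $STF_SUITE/tests/functional/acl/acl_common.kshlib

#
# DESCRIPTION:
#	Verify assigned read_acl/write_acl to owner@/group@/everyone@,
#	specified user and group. Files have the correct access permission.
#
# STRATEGY:
#	1. Separately verify file and directory was assigned read_acl/write_acl
#	   by root and non-root user.
#	2. Verify owner always can read and write acl, even deny.
#	3. Verify group access permission, when group was assigned
#	   read_acl/write_acl.
#	4. Verify access permission, after everyone was assigned read_acl/write.
#	5. Verify everyone@ was deny except specified user, this user can read
#	   and write acl.
#	6. Verify the group was deny except specified user, this user can read
#	   and write acl
#
# NOTE:
#	read_ACL/write_ACL return at the first user that is refused, so a
#	single log_mustnot over several users only proves that at least one
#	of them was denied. Negative checks therefore call them once per user.
#

verify_runnable "both"

log_assert "Verify chmod A[number]{+|-|=} read_acl/write_acl have correct " \
	"behaviour to access permission."
log_onexit cleanup

#
# read_ACL <node> <user1> <user2> ...
#
# Succeed only if every listed user can read the ACL of <node>
# (ls -vd run as that user). Returns the status of the first user
# that is refused, 0 when all succeed.
#
function read_ACL
{
	typeset node=$1
	typeset user
	typeset -i ret

	shift
	for user in "$@"; do
		chgusr_exec "$user" ls -vd "$node" > /dev/null 2>&1
		ret=$?
		(( ret != 0 )) && return $ret
	done

	return 0
}

#
# write_ACL <node> <user1> <user2> ...
#
# Succeed only if every listed user can modify the ACL of <node>: the user
# prepends an ACE, the ACE count must grow by exactly one, and the ACE is
# removed again. Returns non-zero at the first user that fails.
#
function write_ACL
{
	typeset node=$1
	typeset user
	typeset -i ret before_cnt after_cnt

	shift
	for user in "$@"; do
		before_cnt=$(count_ACE "$node")
		ret=$?
		(( ret != 0 )) && return $ret

		chgusr_exec "$user" chmod A0+owner@:read_data:allow "$node"
		ret=$?
		(( ret != 0 )) && return $ret

		after_cnt=$(count_ACE "$node")
		ret=$?
		(( ret != 0 )) && return $ret

		chgusr_exec "$user" chmod A0- "$node"
		ret=$?
		(( ret != 0 )) && return $ret

		# The user must have added exactly one ACE.
		if (( after_cnt - before_cnt != 1 )); then
			return 1
		fi
	done

	return 0
}

#
# check_owner <node>
#
# The owner can always read and write the ACL, even when an explicit
# owner@ deny ACE for read_acl/write_acl is in place.
#
function check_owner
{
	typeset node=$1
	typeset acc

	for acc in allow deny; do
		log_must usr_exec \
		    chmod A0+owner@:read_acl/write_acl:$acc "$node"
		log_must read_ACL "$node" $ZFS_ACL_CUR_USER
		log_must write_ACL "$node" $ZFS_ACL_CUR_USER
		log_must usr_exec chmod A0- "$node"
	done
}

#
# check_group <node>
#
# A member of the owning group (not the owner) can read and write the ACL
# when group@ allows read_acl/write_acl, and cannot when group@ denies it.
#
function check_group
{
	typeset node=$1

	# Pick a user who shares the owning group with the current user.
	typeset grp_usr=""
	if [[ $ZFS_ACL_CUR_USER == root ]]; then
		grp_usr=$ZFS_ACL_ADMIN
	elif [[ $ZFS_ACL_CUR_USER == $ZFS_ACL_STAFF1 ]]; then
		grp_usr=$ZFS_ACL_STAFF2
	fi
	# With an empty user list read_ACL/write_ACL succeed trivially, which
	# would make the deny checks below fail for the wrong reason.
	[[ -n $grp_usr ]] || \
	    log_fail "no group member known for user $ZFS_ACL_CUR_USER"

	log_must usr_exec chmod A0+group@:read_acl/write_acl:allow "$node"
	log_must read_ACL "$node" "$grp_usr"
	log_must write_ACL "$node" "$grp_usr"
	log_must usr_exec chmod A0- "$node"

	log_must usr_exec chmod A0+group@:read_acl/write_acl:deny "$node"
	log_mustnot read_ACL "$node" "$grp_usr"
	log_mustnot write_ACL "$node" "$grp_usr"
	log_must usr_exec chmod A0- "$node"
}

#
# check_everyone <node>
#
# Unrelated users can read and write the ACL when everyone@ allows
# read_acl/write_acl, and every one of them is refused when it denies.
#
function check_everyone
{
	typeset node=$1
	typeset flag usr

	for flag in allow deny; do
		log_must usr_exec \
		    chmod A0+everyone@:read_acl/write_acl:$flag "$node"

		if [[ $flag == allow ]]; then
			log_must read_ACL "$node" $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2
			log_must write_ACL "$node" $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2
		else
			# One call per user, so each user is proven to be
			# denied rather than just the first one tried.
			for usr in $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2; do
				log_mustnot read_ACL "$node" "$usr"
				log_mustnot write_ACL "$node" "$usr"
			done
		fi

		log_must usr_exec chmod A0- "$node"
	done
}

#
# check_spec_user <node>
#
# With everyone@ denied, a user granted read_acl/write_acl by an explicit
# user ACE can read and write the ACL; every other user cannot.
#
function check_spec_user
{
	typeset node=$1
	typeset usr

	log_must usr_exec chmod A0+everyone@:read_acl/write_acl:deny "$node"
	log_must usr_exec \
	    chmod A0+user:$ZFS_ACL_OTHER1:read_acl/write_acl:allow "$node"

	# The specified user can read and write acl
	log_must read_ACL "$node" $ZFS_ACL_OTHER1
	log_must write_ACL "$node" $ZFS_ACL_OTHER1

	# All the other users can't read and write acl (checked one by one)
	for usr in $ZFS_ACL_ADMIN $ZFS_ACL_STAFF2 $ZFS_ACL_OTHER2; do
		log_mustnot read_ACL "$node" "$usr"
		log_mustnot write_ACL "$node" "$usr"
	done

	# Remove the two ACEs added above.
	log_must usr_exec chmod A0- "$node"
	log_must usr_exec chmod A0- "$node"
}

#
# check_spec_group <node>
#
# With everyone@ denied, members of a group granted read_acl/write_acl by an
# explicit group ACE can read and write the ACL; every other user cannot.
#
function check_spec_group
{
	typeset node=$1
	typeset usr

	log_must usr_exec chmod A0+everyone@:read_acl/write_acl:deny "$node"
	log_must usr_exec chmod \
	    A0+group:$ZFS_ACL_OTHER_GROUP:read_acl/write_acl:allow "$node"

	# The specified group can read and write acl
	log_must read_ACL "$node" $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2
	log_must write_ACL "$node" $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2

	# All the other users can't read and write acl (checked one by one)
	for usr in $ZFS_ACL_ADMIN $ZFS_ACL_STAFF2; do
		log_mustnot read_ACL "$node" "$usr"
		log_mustnot write_ACL "$node" "$usr"
	done

	# Remove the two ACEs added above so the next check starts from the
	# base ACL, as the other check_* functions do.
	log_must usr_exec chmod A0- "$node"
	log_must usr_exec chmod A0- "$node"
}

#
# check_user_in_group <node>
#
# A user ACE allowing read_acl/write_acl takes precedence for that user over
# a deny ACE on a group the user belongs to; other group members stay denied.
#
function check_user_in_group
{
	typeset node=$1

	log_must usr_exec chmod \
	    A0+group:$ZFS_ACL_OTHER_GROUP:read_acl/write_acl:deny "$node"
	log_must usr_exec chmod \
	    A0+user:$ZFS_ACL_OTHER1:read_acl/write_acl:allow "$node"
	log_must read_ACL "$node" $ZFS_ACL_OTHER1
	log_must write_ACL "$node" $ZFS_ACL_OTHER1
	log_mustnot read_ACL "$node" $ZFS_ACL_OTHER2
	log_mustnot write_ACL "$node" $ZFS_ACL_OTHER2

	# Remove the two ACEs added above.
	log_must usr_exec chmod A0- "$node"
	log_must usr_exec chmod A0- "$node"
}

set -A func_name check_owner \
	check_group \
	check_everyone \
	check_spec_user \
	check_spec_group \
	check_user_in_group

# Run every check on a file and a directory, first as root and then as a
# non-root user.
typeset user func node
for user in root $ZFS_ACL_STAFF1; do
	log_must set_cur_usr "$user"

	log_must usr_exec touch "$testfile"
	log_must usr_exec mkdir "$testdir"

	for func in "${func_name[@]}"; do
		for node in "$testfile" "$testdir"; do
			# Function names come from the fixed list above, so a
			# direct call is sufficient; no eval is needed.
			$func "$node"
		done
	done

	log_must usr_exec rm -rf "$testfile" "$testdir"
done

log_pass "Verify chmod A[number]{+|-|=} read_acl/write_acl passed."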