xref: /titanic_44/usr/src/test/zfs-tests/tests/functional/privilege/privilege_002_pos.ksh (revision f38cb554a534c6df738be3f4d23327e69888e634) 
1#! /usr/bin/ksh -p
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22
23#
24# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
25# Use is subject to license terms.
26#
27
28#
29# Copyright (c) 2013 by Delphix. All rights reserved.
30#
31
32. $STF_SUITE/include/libtest.shlib
33
34#
35# DESCRIPTION:
36#
37# The RBAC profile "ZFS File System Management" works
38#
39# STRATEGY:
40#
41#	The following actions are taken, both using profile execution (pfexec)
42#	and without profile execution - we make sure that the latter should
43#	always fail.
44#
45#	(create)
46#	1. As a normal user, try to create a filesystem - which should fail.
47#       2. Assign "ZFS File System Management" profile, try to create fs again,
48#	   which should succeed.
49#
50#	(pools)
51#	3. Ensure a user with this profile can't perform pool administration
52#	   by attempting to destroy a pool.
53#
54#	(destroy)
55#       5. Remove the FS profile, then attempt to destroy the fs, which
56# 	   should fail.
57#	6. Assign the FS profile, then attempt to destroy the fs, which
58#	   should succeed.
59#
60
61verify_runnable "both"
62
63log_assert "The RBAC profile \"ZFS File System Management\" works"
64
65ZFS_USER=$($CAT /tmp/zfs-privs-test-user.txt)
66
67# Set a $DATASET where we can create child files systems
68if is_global_zone; then
69	log_must $ZPOOL create -f $TESTPOOL $DISKS
70	DATASET=$TESTPOOL
71else
72	DATASET=zonepool/zonectr0
73fi
74
75# A user shouldn't be able to create filesystems
76log_mustnot $SU $ZFS_USER -c "$ZFS create $DATASET/zfsprivfs"
77
78# Insist this invocation of usermod works
79log_must $USERMOD -P "ZFS File System Management" $ZFS_USER
80
81# Now try to create file systems as the user
82log_mustnot $SU $ZFS_USER -c "$ZFS create $DATASET/zfsprivfs"
83log_must $SU $ZFS_USER -c "$PFEXEC $ZFS create $DATASET/zfsprivfs"
84
85# Ensure the user can't do anything to pools in this state:
86log_mustnot $SU $ZFS_USER -c "$ZPOOL destroy $DATASET"
87log_mustnot $SU $ZFS_USER -c "$PFEXEC $ZPOOL destroy $DATASET"
88
89# revoke File System Management profile
90$USERMOD -P, $ZFS_USER
91
92# Ensure the user can't create more filesystems
93log_mustnot $SU $ZFS_USER -c "$ZFS create $DATASET/zfsprivfs2"
94log_mustnot $SU $ZFS_USER -c "$PFEXEC $ZFS create $DATASET/zfsprivfs2"
95
96# assign the profile again and destroy the fs.
97$USERMOD -P "ZFS File System Management" $ZFS_USER
98log_must $SU $ZFS_USER -c "$PFEXEC $ZFS destroy $DATASET/zfsprivfs"
99$USERMOD -P, $ZFS_USER
100
101log_pass "The RBAC profile \"ZFS File System Management\" works"
102