1196938Strasz# Copyright (c) 2008, 2009 Edward Tomasz Napierała <trasz@FreeBSD.org>
2196938Strasz# All rights reserved.
3196938Strasz#
4196938Strasz# Redistribution and use in source and binary forms, with or without
5196938Strasz# modification, are permitted provided that the following conditions
6196938Strasz# are met:
7196938Strasz# 1. Redistributions of source code must retain the above copyright
8196938Strasz#    notice, this list of conditions and the following disclaimer.
9196938Strasz# 2. Redistributions in binary form must reproduce the above copyright
10196938Strasz#    notice, this list of conditions and the following disclaimer in the
11196938Strasz#    documentation and/or other materials provided with the distribution.
12196938Strasz#
13196938Strasz# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14196938Strasz# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15196938Strasz# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16196938Strasz# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17196938Strasz# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18196938Strasz# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19196938Strasz# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20196938Strasz# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21196938Strasz# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22196938Strasz# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23196938Strasz# SUCH DAMAGE.
24196938Strasz#
25196938Strasz# $FreeBSD: releng/10.2/tools/regression/acltools/tools-nfs4.test 214923 2010-11-07 17:33:04Z trasz $
26196938Strasz#
27196938Strasz
28196938Strasz# This is a tools-level test for NFSv4 ACL functionality.  Run it as root
29196938Strasz# using an ACL-enabled kernel:
30196938Strasz#
31196938Strasz# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test
32196938Strasz#
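33196938Strasz# WARNING: Creates files in an unsafe way: it runs as root and uses fixed names (xxx, yyy, zzz, ddd) relative to the current directory, so run it only from an empty scratch directory that no other user can write to.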
34196938Strasz
# Precondition check: the expected output pins the test to running as root.
35196938Strasz$ whoami
36196938Strasz> root
# umask 022 makes newly created files come out as -rw-r--r--, which the
# expected ACLs and ls output below rely on.
37196938Strasz$ umask 022
38196938Strasz
39196938Strasz# Smoke test for getfacl(1).
# Each entry reads principal:permissions:inheritance-flags:type; the
# getfacl -v output further down spells the permission letters out.  A freshly
# created file is expected to carry these six owner@/group@/everyone@ entries.
40196938Strasz$ touch xxx
41196938Strasz$ getfacl xxx
42196938Strasz> # file: xxx
43196938Strasz> # owner: root
44196938Strasz> # group: wheel
45196938Strasz>             owner@:--x-----------:------:deny
46196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
47196938Strasz>             group@:-wxp----------:------:deny
48196938Strasz>             group@:r-------------:------:allow
49196938Strasz>          everyone@:-wxp---A-W-Co-:------:deny
50196938Strasz>          everyone@:r-----a-R-c--s:------:allow
51196938Strasz
# -q is expected to drop the three "# file/owner/group" header lines.
52196938Strasz$ getfacl -q xxx
53196938Strasz>             owner@:--x-----------:------:deny
54196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
55196938Strasz>             group@:-wxp----------:------:deny
56196938Strasz>             group@:r-------------:------:allow
57196938Strasz>          everyone@:-wxp---A-W-Co-:------:deny
58196938Strasz>          everyone@:r-----a-R-c--s:------:allow
59196938Strasz
60196938Strasz# Check verbose mode formatting.
# Comparing with the compact output above gives the letter mapping:
#   x=execute r=read_data w=write_data p=append_data
#   a=read_attributes A=write_attributes R=read_xattr W=write_xattr
#   c=read_acl C=write_acl o=write_owner s=synchronize
# C and o are the bits that let a principal change the ACL and the owner.
61196938Strasz$ getfacl -v xxx
62196938Strasz> # file: xxx
63196938Strasz> # owner: root
64196938Strasz> # group: wheel
65196938Strasz>             owner@:execute::deny
66196938Strasz>             owner@:read_data/write_data/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
67196938Strasz>             group@:write_data/execute/append_data::deny
68196938Strasz>             group@:read_data::allow
69196938Strasz>          everyone@:write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::deny
70196938Strasz>          everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
71196938Strasz
72196938Strasz# Test setfacl -a.
# -a2 inserts the comma-separated entries at position 2, counting from 0, so
# they are expected right after the two owner@ entries.  getfacl -n prints
# numeric ids (user:0, group:1) instead of names.
73196938Strasz$ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx
74196938Strasz$ getfacl -n xxx
75196938Strasz> # file: xxx
76196938Strasz> # owner: root
77196938Strasz> # group: wheel
78196938Strasz>             owner@:--x-----------:------:deny
79196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
80196938Strasz>             user:0:-----------C--:------:allow
81196938Strasz>            group:1:----------c---:------:deny
82196938Strasz>             group@:-wxp----------:------:deny
83196938Strasz>             group@:r-------------:------:allow
84196938Strasz>          everyone@:-wxp---A-W-Co-:------:deny
85196938Strasz>          everyone@:r-----a-R-c--s:------:allow
86196938Strasz
87196938Strasz# Test user and group name resolving.
# The same entries are given by name this time and plain getfacl is expected
# to print names.  This assumes the host maps root to uid 0 and daemon to
# gid 1; the getfacl -n and -i outputs later in the file expect those ids.
88196938Strasz$ rm xxx
89196938Strasz$ touch xxx
90196938Strasz$ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx
91196938Strasz$ getfacl xxx
92196938Strasz> # file: xxx
93196938Strasz> # owner: root
94196938Strasz> # group: wheel
95196938Strasz>             owner@:--x-----------:------:deny
96196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
97196938Strasz>          user:root:-----------C--:------:allow
98196938Strasz>       group:daemon:----------c---:------:deny
99196938Strasz>             group@:-wxp----------:------:deny
100196938Strasz>             group@:r-------------:------:allow
101196938Strasz>          everyone@:-wxp---A-W-Co-:------:deny
102196938Strasz>          everyone@:r-----a-R-c--s:------:allow
103196938Strasz
104196938Strasz# Check whether ls correctly marks files with "+".
# The "+" is the only hint in the ls output that entries beyond the mode bits
# exist; after setfacl -b further down the same file is expected without it.
105196938Strasz$ ls -l xxx | cut -d' ' -f1
106196938Strasz> -rw-r--r--+
107196938Strasz
108196938Strasz# Test removing entries by number.
# Positions count from 0.  The first -x 4 removes the group@ deny entry, which
# moves the group@ allow entry to position 4, so the second -x 4 removes that.
109196938Strasz$ setfacl -x 4 xxx
110196938Strasz$ setfacl -x 4 xxx
111196938Strasz$ getfacl -n xxx
112196938Strasz> # file: xxx
113196938Strasz> # owner: root
114196938Strasz> # group: wheel
115196938Strasz>             owner@:--x-----------:------:deny
116196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
117196938Strasz>             user:0:-----------C--:------:allow
118196938Strasz>            group:1:----------c---:------:deny
119196938Strasz>          everyone@:-wxp---A-W-Co-:------:deny
120196938Strasz>          everyone@:r-----a-R-c--s:------:allow
121196938Strasz
122196938Strasz# Test setfacl -m.
# Three everyone@:rwx:deny entries are put at position 0, then -m with an
# empty permission set is applied.  The expected output shows every everyone@
# deny entry rewritten to empty permissions, including the original one near
# the end, not just the first match.
123196938Strasz$ setfacl -a0 everyone@:rwx:deny xxx
124196938Strasz$ setfacl -a0 everyone@:rwx:deny xxx
125196938Strasz$ setfacl -a0 everyone@:rwx:deny xxx
126196938Strasz$ setfacl -m everyone@::deny xxx
127196938Strasz$ getfacl -n xxx
128196938Strasz> # file: xxx
129196938Strasz> # owner: root
130196938Strasz> # group: wheel
131196938Strasz>          everyone@:--------------:------:deny
132196938Strasz>          everyone@:--------------:------:deny
133196938Strasz>          everyone@:--------------:------:deny
134196938Strasz>             owner@:--x-----------:------:deny
135196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
136196938Strasz>             user:0:-----------C--:------:allow
137196938Strasz>            group:1:----------c---:------:deny
138196938Strasz>          everyone@:--------------:------:deny
139196938Strasz>          everyone@:r-----a-R-c--s:------:allow
140196938Strasz
141196938Strasz# Test getfacl -i.
# Names are printed as usual, with the numeric id appended as an extra field
# on user: and group: entries (":0", ":1"); owner@, group@ and everyone@ get
# no such field.
142196938Strasz$ getfacl -i xxx
143196938Strasz> # file: xxx
144196938Strasz> # owner: root
145196938Strasz> # group: wheel
146196938Strasz>          everyone@:--------------:------:deny
147196938Strasz>          everyone@:--------------:------:deny
148196938Strasz>          everyone@:--------------:------:deny
149196938Strasz>             owner@:--x-----------:------:deny
150196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
151196938Strasz>          user:root:-----------C--:------:allow:0
152196938Strasz>       group:daemon:----------c---:------:deny:1
153196938Strasz>          everyone@:--------------:------:deny
154196938Strasz>          everyone@:r-----a-R-c--s:------:allow
155196938Strasz
156196938Strasz# Make sure cp without any flags does not copy the ACL.
# The copy is expected with plain mode bits and no "+", so anything expressed
# only in the source's ACL is not carried over to the copy.
157196938Strasz$ cp xxx yyy
158196938Strasz$ ls -l yyy | cut -d' ' -f1
159196938Strasz> -rw-r--r--
160196938Strasz
161196938Strasz# Make sure it does with the "-p" flag.
# The expected ACL on yyy matches the one on xxx entry for entry.
162196938Strasz$ rm yyy
163196938Strasz$ cp -p xxx yyy
164196938Strasz$ getfacl -n yyy
165196938Strasz> # file: yyy
166196938Strasz> # owner: root
167196938Strasz> # group: wheel
168196938Strasz>          everyone@:--------------:------:deny
169196938Strasz>          everyone@:--------------:------:deny
170196938Strasz>          everyone@:--------------:------:deny
171196938Strasz>             owner@:--x-----------:------:deny
172196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
173196938Strasz>             user:0:-----------C--:------:allow
174196938Strasz>            group:1:----------c---:------:deny
175196938Strasz>          everyone@:--------------:------:deny
176196938Strasz>          everyone@:r-----a-R-c--s:------:allow
177196938Strasz
178196938Strasz$ rm yyy
179196938Strasz
180196938Strasz# Test removing entries by example (an entry specification instead of a number).
# A single -x everyone@::deny is expected to remove all four empty everyone@
# deny entries left by the setfacl -m test above.
181196938Strasz$ setfacl -x everyone@::deny xxx
182196938Strasz$ getfacl -n xxx
183196938Strasz> # file: xxx
184196938Strasz> # owner: root
185196938Strasz> # group: wheel
186196938Strasz>             owner@:--x-----------:------:deny
187196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
188196938Strasz>             user:0:-----------C--:------:allow
189196938Strasz>            group:1:----------c---:------:deny
190196938Strasz>          everyone@:r-----a-R-c--s:------:allow
191196938Strasz
192196938Strasz# Test setfacl -b.
# -b is expected to strip the user:0 and group:1 entries and leave the same
# six entries a freshly created file has; ls then shows no "+".
193196938Strasz$ setfacl -b xxx
194196938Strasz$ getfacl -n xxx
195196938Strasz> # file: xxx
196196938Strasz> # owner: root
197196938Strasz> # group: wheel
198196938Strasz>             owner@:--x-----------:------:deny
199196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
200196938Strasz>             group@:-wxp----------:------:deny
201196938Strasz>             group@:r-------------:------:allow
202196938Strasz>          everyone@:-wxp---A-W-Co-:------:deny
203196938Strasz>          everyone@:r-----a-R-c--s:------:allow
204196938Strasz
205196938Strasz$ ls -l xxx | cut -d' ' -f1
206196938Strasz> -rw-r--r--
207196938Strasz
208196938Strasz# Check setfacl(1) and getfacl(1) with multiple files.
# nnn never exists.  Each tool is expected to report the stat() failure for it
# and still process xxx, yyy and zzz.
# NOTE(review): exit status is not checked here; confirm it separately if
# scripts depend on it.
209196938Strasz$ touch xxx yyy zzz
210196938Strasz
211196938Strasz$ ls -l xxx yyy zzz | cut -d' ' -f1
212196938Strasz> -rw-r--r--
213196938Strasz> -rw-r--r--
214196938Strasz> -rw-r--r--
215196938Strasz
# -m names entries that do not exist yet; they are expected at the top of
# each file's ACL.
216196938Strasz$ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz
217196938Strasz> setfacl: nnn: stat() failed: No such file or directory
218196938Strasz
219196938Strasz$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
220196938Strasz> ls: nnn: No such file or directory
221196938Strasz> -rw-r--r--+
222196938Strasz> -rw-r--r--+
223196938Strasz> -rw-r--r--+
224196938Strasz
225196938Strasz$ getfacl -nq nnn xxx yyy zzz
226196938Strasz> getfacl: nnn: stat() failed: No such file or directory
227196938Strasz>            user:42:--x-----------:------:allow
228196938Strasz>           group:43:-w------------:------:allow
229196938Strasz>             owner@:--x-----------:------:deny
230196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
231196938Strasz>             group@:-wxp----------:------:deny
232196938Strasz>             group@:r-------------:------:allow
233196938Strasz>          everyone@:-wxp---A-W-Co-:------:deny
234196938Strasz>          everyone@:r-----a-R-c--s:------:allow
235196938Strasz>
236196938Strasz>            user:42:--x-----------:------:allow
237196938Strasz>           group:43:-w------------:------:allow
238196938Strasz>             owner@:--x-----------:------:deny
239196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
240196938Strasz>             group@:-wxp----------:------:deny
241196938Strasz>             group@:r-------------:------:allow
242196938Strasz>          everyone@:-wxp---A-W-Co-:------:deny
243196938Strasz>          everyone@:r-----a-R-c--s:------:allow
244196938Strasz>
245196938Strasz>            user:42:--x-----------:------:allow
246196938Strasz>           group:43:-w------------:------:allow
247196938Strasz>             owner@:--x-----------:------:deny
248196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
249196938Strasz>             group@:-wxp----------:------:deny
250196938Strasz>             group@:r-------------:------:allow
251196938Strasz>          everyone@:-wxp---A-W-Co-:------:deny
252196938Strasz>          everyone@:r-----a-R-c--s:------:allow
253196938Strasz
254196938Strasz$ setfacl -b nnn xxx yyy zzz
255196938Strasz> setfacl: nnn: stat() failed: No such file or directory
256196938Strasz
257196938Strasz$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
258196938Strasz> ls: nnn: No such file or directory
259196938Strasz> -rw-r--r--
260196938Strasz> -rw-r--r--
261196938Strasz> -rw-r--r--
262196938Strasz
263196938Strasz$ rm xxx yyy zzz
264196938Strasz
265196938Strasz# Test applying mode to an ACL.
# Four user: entries are inserted at the top and everyone@'s allow entry is
# removed, then chmod 600 is applied.  In the expected ACL nothing is dropped:
# every user:N allow entry ends up preceded by a deny entry with the same
# bits, what look like the old owner@/group@/everyone@ entries stay with their
# rwxp bits cleared, and six entries encoding mode 600 follow.  ls still
# shows "+".
266196938Strasz$ touch xxx
267196938Strasz$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx
268196938Strasz$ chmod 600 xxx
269196938Strasz$ getfacl -n xxx
270196938Strasz> # file: xxx
271196938Strasz> # owner: root
272196938Strasz> # group: wheel
273196938Strasz>            user:42:r-------------:------:deny
274196938Strasz>            user:42:r-------------:------:allow
275196938Strasz>            user:43:-w------------:------:deny
276196938Strasz>            user:43:-w------------:------:allow
277196938Strasz>            user:44:--x-----------:------:deny
278196938Strasz>            user:44:--x-----------:------:allow
279196938Strasz>             owner@:--------------:------:deny
280196938Strasz>             owner@:-------A-W-Co-:------:allow
281196938Strasz>             group@:--------------:------:deny
282196938Strasz>             group@:--------------:------:allow
283196938Strasz>          everyone@:-------A-W-Co-:------:deny
284196938Strasz>             owner@:--x-----------:------:deny
285196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
286196938Strasz>             group@:rwxp----------:------:deny
287196938Strasz>             group@:--------------:------:allow
288196938Strasz>          everyone@:rwxp---A-W-Co-:------:deny
289196938Strasz>          everyone@:------a-R-c--s:------:allow
290196938Strasz$ ls -l xxx | cut -d' ' -f1
291196938Strasz> -rw-------+
292196938Strasz
# Same user: entries, but the file is owned by uid 42 and the everyone@ allow
# entry is left in place.  Expected: the deny entry in front of user:42's
# allow is empty, and the ACL ends with a single set of six
# owner@/group@/everyone@ entries encoding mode 600.
293196938Strasz$ rm xxx
294196938Strasz$ touch xxx
295196938Strasz$ chown 42 xxx
296196938Strasz$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
297196938Strasz$ chmod 600 xxx
298196938Strasz$ getfacl -n xxx
299196938Strasz> # file: xxx
300196938Strasz> # owner: 42
301196938Strasz> # group: wheel
302196938Strasz>            user:42:--------------:------:deny
303196938Strasz>            user:42:r-------------:------:allow
304196938Strasz>            user:43:-w------------:------:deny
305196938Strasz>            user:43:-w------------:------:allow
306196938Strasz>            user:44:--x-----------:------:deny
307196938Strasz>            user:44:--x-----------:------:allow
308196938Strasz>             owner@:--x-----------:------:deny
309196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
310196938Strasz>             group@:rwxp----------:------:deny
311196938Strasz>             group@:--------------:------:allow
312196938Strasz>          everyone@:rwxp---A-W-Co-:------:deny
313196938Strasz>          everyone@:------a-R-c--s:------:allow
314196938Strasz$ ls -l xxx | cut -d' ' -f1
315196938Strasz> -rw-------+
316196938Strasz
# Owner uid 43, mode 124.  The last six entries and the ls string are both
# expected to encode 124 (owner x, group w, everyone r).
317196938Strasz$ rm xxx
318196938Strasz$ touch xxx
319196938Strasz$ chown 43 xxx
320196938Strasz$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
321196938Strasz$ chmod 124 xxx
322196938Strasz$ getfacl -n xxx
323196938Strasz> # file: xxx
324196938Strasz> # owner: 43
325196938Strasz> # group: wheel
326196938Strasz>            user:42:r-------------:------:deny
327196938Strasz>            user:42:r-------------:------:allow
328196938Strasz>            user:43:-w------------:------:deny
329196938Strasz>            user:43:-w------------:------:allow
330196938Strasz>            user:44:--x-----------:------:deny
331196938Strasz>            user:44:--x-----------:------:allow
332196938Strasz>             owner@:rw-p----------:------:deny
333196938Strasz>             owner@:--x----A-W-Co-:------:allow
334196938Strasz>             group@:r-x-----------:------:deny
335196938Strasz>             group@:-w-p----------:------:allow
336196938Strasz>          everyone@:-wxp---A-W-Co-:------:deny
337196938Strasz>          everyone@:r-----a-R-c--s:------:allow
338196938Strasz$ ls -l xxx | cut -d' ' -f1
339196938Strasz> ---x-w-r--+
340196938Strasz
# Owner uid 43, mode 412.  The deny entry in front of user:44's x allow is
# expected to be empty this time; the last six entries encode 412.
341196938Strasz$ rm xxx
342196938Strasz$ touch xxx
343196938Strasz$ chown 43 xxx
344196938Strasz$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
345196938Strasz$ chmod 412 xxx
346196938Strasz$ getfacl -n xxx
347196938Strasz> # file: xxx
348196938Strasz> # owner: 43
349196938Strasz> # group: wheel
350196938Strasz>            user:42:r-------------:------:deny
351196938Strasz>            user:42:r-------------:------:allow
352196938Strasz>            user:43:-w------------:------:deny
353196938Strasz>            user:43:-w------------:------:allow
354196938Strasz>            user:44:--------------:------:deny
355196938Strasz>            user:44:--x-----------:------:allow
356196938Strasz>             owner@:-wxp----------:------:deny
357196938Strasz>             owner@:r------A-W-Co-:------:allow
358196938Strasz>             group@:rw-p----------:------:deny
359196938Strasz>             group@:--x-----------:------:allow
360196938Strasz>          everyone@:r-x----A-W-Co-:------:deny
361196938Strasz>          everyone@:-w-p--a-R-c--s:------:allow
362196938Strasz$ ls -l xxx | cut -d' ' -f1
363196938Strasz> -r----x-w-+
364196938Strasz
# chmod on a directory whose ACL has inheritable entries.  In the third field
# f, d and i are setfacl's file_inherit, dir_inherit and inherit_only flags.
365196938Strasz$ mkdir ddd
366196938Strasz$ setfacl -a0 group:44:rwapd:allow ddd
367196938Strasz$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
368196938Strasz$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
369196938Strasz$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
370196938Strasz$ getfacl -n ddd
371196938Strasz> # file: ddd
372196938Strasz> # owner: root
373196938Strasz> # group: wheel
374196938Strasz>            user:42:r-x-----------:f-i---:allow
375196938Strasz>           group:42:-w--D---------:-d----:allow
376196938Strasz>           group:43:-w--D---------:-d----:deny
377196938Strasz>             group@:-----da-------:------:allow
378196938Strasz>           group:44:rw-p-da-------:------:allow
379196938Strasz>             owner@:--------------:------:deny
380196938Strasz>             owner@:rwxp---A-W-Co-:------:allow
381196938Strasz>             group@:-w-p----------:------:deny
382196938Strasz>             group@:r-x-----------:------:allow
383196938Strasz>          everyone@:-w-p---A-W-Co-:------:deny
384196938Strasz>          everyone@:-w-p--a-R-c--s:f-i---:allow
# After chmod 777 the expected ACL keeps the inheritable group:42 and group:43
# entries but marks them inherit-only ("i" added), adds flagless entries for
# those principals, leaves the earlier owner@/group@/everyone@ entries in
# place with rwxp cleared (the inherit-only everyone@ entry is untouched), and
# ends with six entries encoding 777.
385196938Strasz$ chmod 777 ddd
386196938Strasz$ getfacl -n ddd
387196938Strasz> # file: ddd
388196938Strasz> # owner: root
389196938Strasz> # group: wheel
390196938Strasz>            user:42:r-x-----------:f-i---:allow
391196938Strasz>           group:42:-w--D---------:-di---:allow
392196938Strasz>           group:42:--------------:------:deny
393196938Strasz>           group:42:-w--D---------:------:allow
394196938Strasz>           group:43:-w--D---------:-di---:deny
395196938Strasz>           group:43:-w--D---------:------:deny
396196938Strasz>             group@:-----da-------:------:allow
397196938Strasz>           group:44:--------------:------:deny
398196938Strasz>           group:44:rw-p-da-------:------:allow
399196938Strasz>             owner@:--------------:------:deny
400196938Strasz>             owner@:-------A-W-Co-:------:allow
401196938Strasz>             group@:--------------:------:deny
402196938Strasz>             group@:--------------:------:allow
403196938Strasz>          everyone@:-------A-W-Co-:------:deny
404196938Strasz>          everyone@:-w-p--a-R-c--s:f-i---:allow
405196938Strasz>             owner@:--------------:------:deny
406196938Strasz>             owner@:rwxp---A-W-Co-:------:allow
407196938Strasz>             group@:--------------:------:deny
408196938Strasz>             group@:rwxp----------:------:allow
409196938Strasz>          everyone@:-------A-W-Co-:------:deny
410196938Strasz>          everyone@:rwxp--a-R-c--s:------:allow
411196938Strasz
# Same ACL on a fresh directory, chmod 124 this time.  Compared with the 777
# case the flagless group:42 and group:44 allow entries come out with fewer
# bits, and the last six entries encode 124.
412196938Strasz$ rmdir ddd
413196938Strasz$ mkdir ddd
414196938Strasz$ setfacl -a0 group:44:rwapd:allow ddd
415196938Strasz$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
416196938Strasz$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
417196938Strasz$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
418196938Strasz$ chmod 124 ddd
419196938Strasz$ getfacl -n ddd
420196938Strasz> # file: ddd
421196938Strasz> # owner: root
422196938Strasz> # group: wheel
423196938Strasz>            user:42:r-x-----------:f-i---:allow
424196938Strasz>           group:42:-w--D---------:-di---:allow
425196938Strasz>           group:42:--------------:------:deny
426196938Strasz>           group:42:----D---------:------:allow
427196938Strasz>           group:43:-w--D---------:-di---:deny
428196938Strasz>           group:43:-w--D---------:------:deny
429196938Strasz>             group@:-----da-------:------:allow
430196938Strasz>           group:44:r-------------:------:deny
431196938Strasz>           group:44:r----da-------:------:allow
432196938Strasz>             owner@:--------------:------:deny
433196938Strasz>             owner@:-------A-W-Co-:------:allow
434196938Strasz>             group@:--------------:------:deny
435196938Strasz>             group@:--------------:------:allow
436196938Strasz>          everyone@:-------A-W-Co-:------:deny
437196938Strasz>          everyone@:-w-p--a-R-c--s:f-i---:allow
438196938Strasz>             owner@:rw-p----------:------:deny
439196938Strasz>             owner@:--x----A-W-Co-:------:allow
440196938Strasz>             group@:r-x-----------:------:deny
441196938Strasz>             group@:-w-p----------:------:allow
442196938Strasz>          everyone@:-wxp---A-W-Co-:------:deny
443196938Strasz>          everyone@:r-----a-R-c--s:------:allow
444196938Strasz
# As above plus a non-inherited user:42:rx:allow entry, with chmod 412.  The
# expected ACL puts a deny entry for r in front of that user:42 allow entry;
# the last six entries encode 412.
445196938Strasz$ rmdir ddd
446196938Strasz$ mkdir ddd
447196938Strasz$ setfacl -a0 group:44:rwapd:allow ddd
448196938Strasz$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
449196938Strasz$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
450196938Strasz$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
451196938Strasz$ chmod 412 ddd
452196938Strasz$ getfacl -n ddd
453196938Strasz> # file: ddd
454196938Strasz> # owner: root
455196938Strasz> # group: wheel
456196938Strasz>            user:42:r-------------:------:deny
457196938Strasz>            user:42:r-x-----------:------:allow
458196938Strasz>            user:42:r-x-----------:f-i---:allow
459196938Strasz>           group:42:-w--D---------:-di---:allow
460196938Strasz>           group:42:-w------------:------:deny
461196938Strasz>           group:42:-w--D---------:------:allow
462196938Strasz>           group:43:-w--D---------:-di---:deny
463196938Strasz>           group:43:-w--D---------:------:deny
464196938Strasz>             group@:-----da-------:------:allow
465196938Strasz>           group:44:rw-p----------:------:deny
466196938Strasz>           group:44:rw-p-da-------:------:allow
467196938Strasz>             owner@:--------------:------:deny
468196938Strasz>             owner@:-------A-W-Co-:------:allow
469196938Strasz>             group@:--------------:------:deny
470196938Strasz>             group@:--------------:------:allow
471196938Strasz>          everyone@:-------A-W-Co-:------:deny
472196938Strasz>          everyone@:-w-p--a-R-c--s:f-i---:allow
473196938Strasz>             owner@:-wxp----------:------:deny
474196938Strasz>             owner@:r------A-W-Co-:------:allow
475196938Strasz>             group@:rw-p----------:------:deny
476196938Strasz>             group@:--x-----------:------:allow
477196938Strasz>          everyone@:r-x----A-W-Co-:------:deny
478196938Strasz>          everyone@:-w-p--a-R-c--s:------:allow
479196938Strasz
# Same again, but the directory is given to uid 42 before chmod 412; the deny
# entry in front of user:42's allow is now expected to carry x instead of r.
480196938Strasz$ rmdir ddd
481196938Strasz$ mkdir ddd
482196938Strasz$ setfacl -a0 group:44:rwapd:allow ddd
483196938Strasz$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
484196938Strasz$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
485196938Strasz$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
486196938Strasz$ chown 42 ddd
487196938Strasz$ chmod 412 ddd
488196938Strasz$ getfacl -n ddd
489196938Strasz> # file: ddd
490196938Strasz> # owner: 42
491196938Strasz> # group: wheel
492196938Strasz>            user:42:--x-----------:------:deny
493196938Strasz>            user:42:r-x-----------:------:allow
494196938Strasz>            user:42:r-x-----------:f-i---:allow
495196938Strasz>           group:42:-w--D---------:-di---:allow
496196938Strasz>           group:42:-w------------:------:deny
497196938Strasz>           group:42:-w--D---------:------:allow
498196938Strasz>           group:43:-w--D---------:-di---:deny
499196938Strasz>           group:43:-w--D---------:------:deny
500196938Strasz>             group@:-----da-------:------:allow
501196938Strasz>           group:44:rw-p----------:------:deny
502196938Strasz>           group:44:rw-p-da-------:------:allow
503196938Strasz>             owner@:--------------:------:deny
504196938Strasz>             owner@:-------A-W-Co-:------:allow
505196938Strasz>             group@:--------------:------:deny
506196938Strasz>             group@:--------------:------:allow
507196938Strasz>          everyone@:-------A-W-Co-:------:deny
508196938Strasz>          everyone@:-w-p--a-R-c--s:f-i---:allow
509196938Strasz>             owner@:-wxp----------:------:deny
510196938Strasz>             owner@:r------A-W-Co-:------:allow
511196938Strasz>             group@:rw-p----------:------:deny
512196938Strasz>             group@:--x-----------:------:allow
513196938Strasz>          everyone@:r-x----A-W-Co-:------:deny
514196938Strasz>          everyone@:-w-p--a-R-c--s:------:allow
515196938Strasz
516196938Strasz# Test applying ACL to mode.
# These cases check the mode string ls reports after setfacl.  Here an
# inherit-only (fi) allow entry for uid 42 is expected to leave the directory
# at rwxr-xr-x.
517196938Strasz$ rmdir ddd
518196938Strasz$ mkdir ddd
519196938Strasz$ setfacl -a0 u:42:rwx:fi:allow ddd
520196938Strasz$ ls -ld ddd | cut -d' ' -f1
521196938Strasz> drwxr-xr-x+
522196938Strasz
# Starting from mode 0: owner@ r is allowed, and group@ w is denied ahead of
# the group@ wx allow, so only x is expected in the group bits.
523196938Strasz$ rmdir ddd
524196938Strasz$ mkdir ddd
525196938Strasz$ chmod 0 ddd
526196938Strasz$ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd
527196938Strasz$ ls -ld ddd | cut -d' ' -f1
528196938Strasz> dr----x---+
529196938Strasz
# Same, but the group@ w deny is inherit-only (fi); the group bits are then
# expected to show wx.
530196938Strasz$ rmdir ddd
531196938Strasz$ mkdir ddd
532196938Strasz$ chmod 0 ddd
533196938Strasz$ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd
534196938Strasz$ ls -ld ddd | cut -d' ' -f1
535196938Strasz> dr---wx---+
536196938Strasz
# Entries for a named group (group:43) instead of group@: the mode string is
# expected to show only the owner@ r bit.  The named entries are visible
# through getfacl and the "+" marker, not through the rwx columns.
537196938Strasz$ rmdir ddd
538196938Strasz$ mkdir ddd
539196938Strasz$ chmod 0 ddd
540196938Strasz$ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd
541196938Strasz$ ls -ld ddd | cut -d' ' -f1
542196938Strasz> dr--------+
543196938Strasz
# Same with a named user (user:43): again only the owner@ r bit is expected
# in the mode string.
544196938Strasz$ rmdir ddd
545196938Strasz$ mkdir ddd
546196938Strasz$ chmod 0 ddd
547196938Strasz$ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd
548196938Strasz$ ls -ld ddd | cut -d' ' -f1
549196938Strasz> dr--------+
550196938Strasz
551196938Strasz# Test inheritance.
# Build a parent ACL mixing the f (file_inherit), d (dir_inherit),
# i (inherit_only) and n (no_propagate) flags; user:43 gets a plain entry with
# no flags.  The cases below create children in ddd under different umasks.
552196938Strasz$ rmdir ddd
553196938Strasz$ mkdir ddd
554196938Strasz$ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd
555196938Strasz$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd
556196938Strasz$ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd
557196938Strasz$ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd
558196938Strasz$ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd
559196938Strasz$ getfacl -qn ddd
560196938Strasz>            user:41:-w-----A------:f--n--:allow
561196938Strasz>           group:41:r-----a-------:-din--:allow
562196938Strasz>            user:42:-----------Co-:f-i---:allow
563196938Strasz>            user:42:r-x-----------:f-i---:allow
564196938Strasz>           group:42:-w--D---------:-d-n--:deny
565196938Strasz>           group:43:-w---------C--:f-in--:deny
566196938Strasz>            user:43:rwxp----------:------:allow
567196938Strasz>             owner@:--------------:------:deny
568196938Strasz>             owner@:rwxp---A-W-Co-:------:allow
569196938Strasz>             group@:-w-p----------:------:deny
570196938Strasz>             group@:r-x-----------:------:allow
571196938Strasz>          everyone@:-w-p---A-W-Co-:------:deny
572196938Strasz>          everyone@:r-x---a-R-c--s:------:allow
573196938Strasz
# New file under the umask 022 set at the top.  Expected: only entries flagged
# f show up, with their flags cleared; the d-only entries (group:41, group:42)
# and the flagless user:43 entry are absent.  The inherited
# write_acl/write_owner allow for user:42 comes out with no permission bits.
574196938Strasz$ cd ddd
575196938Strasz$ touch xxx
576196938Strasz$ getfacl -qn xxx
577196938Strasz>            user:41:-w------------:------:deny
578196938Strasz>            user:41:-w-----A------:------:allow
579196938Strasz>            user:42:--------------:------:deny
580196938Strasz>            user:42:--------------:------:allow
581196938Strasz>            user:42:--x-----------:------:deny
582196938Strasz>            user:42:r-x-----------:------:allow
583196938Strasz>           group:43:-w---------C--:------:deny
584196938Strasz>             owner@:--x-----------:------:deny
585196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
586196938Strasz>             group@:-wxp----------:------:deny
587196938Strasz>             group@:r-------------:------:allow
588196938Strasz>          everyone@:-wxp---A-W-Co-:------:deny
589196938Strasz>          everyone@:r-----a-R-c--s:------:allow
590196938Strasz
# umask 077: the deny entry in front of user:42's r-x allow is now expected to
# cover r-x, and the trailing six entries encode mode 600.
591196938Strasz$ rm xxx
592196938Strasz$ umask 077
593196938Strasz$ touch xxx
594196938Strasz$ getfacl -qn xxx
595196938Strasz>            user:41:-w------------:------:deny
596196938Strasz>            user:41:-w-----A------:------:allow
597196938Strasz>            user:42:--------------:------:deny
598196938Strasz>            user:42:--------------:------:allow
599196938Strasz>            user:42:r-x-----------:------:deny
600196938Strasz>            user:42:r-x-----------:------:allow
601196938Strasz>           group:43:-w---------C--:------:deny
602196938Strasz>             owner@:--x-----------:------:deny
603196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
604196938Strasz>             group@:rwxp----------:------:deny
605196938Strasz>             group@:--------------:------:allow
606196938Strasz>          everyone@:rwxp---A-W-Co-:------:deny
607196938Strasz>          everyone@:------a-R-c--s:------:allow
608196938Strasz
# umask 770: the trailing entries give owner@ and group@ no rwx bits and
# everyone@ rw; the user:N and group:43 entries are expected unchanged from
# the umask 077 case.
609196938Strasz$ rm xxx
610196938Strasz$ umask 770
611196938Strasz$ touch xxx
612196938Strasz$ getfacl -qn xxx
613196938Strasz>            user:41:-w------------:------:deny
614196938Strasz>            user:41:-w-----A------:------:allow
615196938Strasz>            user:42:--------------:------:deny
616196938Strasz>            user:42:--------------:------:allow
617196938Strasz>            user:42:r-x-----------:------:deny
618196938Strasz>            user:42:r-x-----------:------:allow
619196938Strasz>           group:43:-w---------C--:------:deny
620196938Strasz>             owner@:rwxp----------:------:deny
621196938Strasz>             owner@:-------A-W-Co-:------:allow
622196938Strasz>             group@:rwxp----------:------:deny
623196938Strasz>             group@:--------------:------:allow
624196938Strasz>          everyone@:--x----A-W-Co-:------:deny
625196938Strasz>          everyone@:rw-p--a-R-c--s:------:allow
626196938Strasz
# umask 707: touch creates xxx with mode 0060.  group@ is allowed rw-p and
# denied only x; owner@ and everyone@ are denied rwxp.
# The deny entries paired with user:41 and user:42 are smaller here (empty
# and --x) than in the umask 077 and 770 cases above (-w and r-x).
# NOTE(review): this looks like the inherited user entries being limited by
# the group bits of the new mode -- confirm against the inheritance code.
627196938Strasz$ rm xxx
628196938Strasz$ umask 707
629196938Strasz$ touch xxx
630196938Strasz$ getfacl -qn xxx
631196938Strasz>            user:41:--------------:------:deny
632196938Strasz>            user:41:-w-----A------:------:allow
633196938Strasz>            user:42:--------------:------:deny
634196938Strasz>            user:42:--------------:------:allow
635196938Strasz>            user:42:--x-----------:------:deny
636196938Strasz>            user:42:r-x-----------:------:allow
637196938Strasz>           group:43:-w---------C--:------:deny
638196938Strasz>             owner@:rwxp----------:------:deny
639196938Strasz>             owner@:-------A-W-Co-:------:allow
640196938Strasz>             group@:--x-----------:------:deny
641196938Strasz>             group@:rw-p----------:------:allow
642196938Strasz>          everyone@:rwxp---A-W-Co-:------:deny
643196938Strasz>          everyone@:------a-R-c--s:------:allow
644196938Strasz
# The same three umask values, now for a directory.
# umask 077: mkdir creates yyy with mode 0700.  owner@ is allowed rwxp,
# group@ and everyone@ are denied rwxp.
# The two user:42 entries carry f and i (file_inherit, inherit_only): they
# do not apply to yyy itself and are kept for files created inside it, which
# is why C and o are still listed on one of them.
645196938Strasz$ umask 077
646196938Strasz$ mkdir yyy
647196938Strasz$ getfacl -qn yyy
648196938Strasz>           group:41:r-------------:------:deny
649196938Strasz>           group:41:r-----a-------:------:allow
650196938Strasz>            user:42:-----------Co-:f-i---:allow
651196938Strasz>            user:42:r-x-----------:f-i---:allow
652196938Strasz>           group:42:-w--D---------:------:deny
653196938Strasz>             owner@:--------------:------:deny
654196938Strasz>             owner@:rwxp---A-W-Co-:------:allow
655196938Strasz>             group@:rwxp----------:------:deny
656196938Strasz>             group@:--------------:------:allow
657196938Strasz>          everyone@:rwxp---A-W-Co-:------:deny
658196938Strasz>          everyone@:------a-R-c--s:------:allow
659196938Strasz
# umask 770: mkdir creates yyy with mode 0007.  owner@ and group@ are denied
# rwxp, everyone@ is allowed rwxp.  The inherit-only user:42 entries are the
# same as in the umask 077 case.
660196938Strasz$ rmdir yyy
661196938Strasz$ umask 770
662196938Strasz$ mkdir yyy
663196938Strasz$ getfacl -qn yyy
664196938Strasz>           group:41:r-------------:------:deny
665196938Strasz>           group:41:r-----a-------:------:allow
666196938Strasz>            user:42:-----------Co-:f-i---:allow
667196938Strasz>            user:42:r-x-----------:f-i---:allow
668196938Strasz>           group:42:-w--D---------:------:deny
669196938Strasz>             owner@:rwxp----------:------:deny
670196938Strasz>             owner@:-------A-W-Co-:------:allow
671196938Strasz>             group@:rwxp----------:------:deny
672196938Strasz>             group@:--------------:------:allow
673196938Strasz>          everyone@:-------A-W-Co-:------:deny
674196938Strasz>          everyone@:rwxp--a-R-c--s:------:allow
675196938Strasz
# umask 707: mkdir creates yyy with mode 0070.  group@ is allowed rwxp with
# an empty deny entry; owner@ and everyone@ are denied rwxp.
# NOTE(review): the group:41 allow entry lists only `a` here, but `r` and `a`
# in the umask 077 and 770 cases above -- confirm this difference is intended.
676196938Strasz$ rmdir yyy
677196938Strasz$ umask 707
678196938Strasz$ mkdir yyy
679196938Strasz$ getfacl -qn yyy
680196938Strasz>           group:41:--------------:------:deny
681196938Strasz>           group:41:------a-------:------:allow
682196938Strasz>            user:42:-----------Co-:f-i---:allow
683196938Strasz>            user:42:r-x-----------:f-i---:allow
684196938Strasz>           group:42:-w--D---------:------:deny
685196938Strasz>             owner@:rwxp----------:------:deny
686196938Strasz>             owner@:-------A-W-Co-:------:allow
687196938Strasz>             group@:--------------:------:deny
688196938Strasz>             group@:rwxp----------:------:allow
689196938Strasz>          everyone@:rwxp---A-W-Co-:------:deny
690196938Strasz>          everyone@:------a-R-c--s:------:allow
691196938Strasz
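692196938Strasz# The write_acl (C) and write_owner (o) flags are a special case for inheritance:
693196938Strasz# the expected output below has them cleared from inherited allow entries that apply to the new object, but kept in inherited deny entries.  Make sure we got it right.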
# Setup: reset the current directory's ACL, then add one allow entry granting
# C and o (write_acl, write_owner) for each combination of the inheritance
# flags f, d, i and n, users 42 through 53.  -a0 inserts every entry at
# position 0, so the listings come out in reverse order of insertion.
694196938Strasz$ setfacl -b .
695196938Strasz$ setfacl -a0 u:42:Co:f:allow .
696196938Strasz$ setfacl -a0 u:43:Co:d:allow .
697196938Strasz$ setfacl -a0 u:44:Co:fd:allow .
698196938Strasz$ setfacl -a0 u:45:Co:fi:allow .
699196938Strasz$ setfacl -a0 u:46:Co:di:allow .
700196938Strasz$ setfacl -a0 u:47:Co:fdi:allow .
701196938Strasz$ setfacl -a0 u:48:Co:fn:allow .
702196938Strasz$ setfacl -a0 u:49:Co:dn:allow .
703196938Strasz$ setfacl -a0 u:50:Co:fdn:allow .
704196938Strasz$ setfacl -a0 u:51:Co:fni:allow .
705196938Strasz$ setfacl -a0 u:52:Co:dni:allow .
706196938Strasz$ setfacl -a0 u:53:Co:fdni:allow .
# New file under umask 022 (mode 0644).  Only the users whose entry carried f
# (42, 44, 45, 47, 48, 50, 51, 53) appear, each as a deny/allow pair with no
# permission bits at all: the inherited allow entries do not hand C or o to
# anyone on the new file.  The d-only users (43, 46, 49, 52) are absent.
707196938Strasz$ umask 022
708196938Strasz$ rm xxx
709196938Strasz$ touch xxx
710196938Strasz$ getfacl -nq xxx
711196938Strasz>            user:53:--------------:------:deny
712196938Strasz>            user:53:--------------:------:allow
713196938Strasz>            user:51:--------------:------:deny
714196938Strasz>            user:51:--------------:------:allow
715196938Strasz>            user:50:--------------:------:deny
716196938Strasz>            user:50:--------------:------:allow
717196938Strasz>            user:48:--------------:------:deny
718196938Strasz>            user:48:--------------:------:allow
719196938Strasz>            user:47:--------------:------:deny
720196938Strasz>            user:47:--------------:------:allow
721196938Strasz>            user:45:--------------:------:deny
722196938Strasz>            user:45:--------------:------:allow
723196938Strasz>            user:44:--------------:------:deny
724196938Strasz>            user:44:--------------:------:allow
725196938Strasz>            user:42:--------------:------:deny
726196938Strasz>            user:42:--------------:------:allow
727196938Strasz>             owner@:--x-----------:------:deny
728196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
729196938Strasz>             group@:-wxp----------:------:deny
730196938Strasz>             group@:r-------------:------:allow
731196938Strasz>          everyone@:-wxp---A-W-Co-:------:deny
732196938Strasz>          everyone@:r-----a-R-c--s:------:allow
733196938Strasz
# New directory under the same allow entries (umask still 022, mode 0755).
# Every user whose entry carried d (43, 44, 46, 47, 49, 50, 52, 53) gets an
# empty deny/allow pair that applies to yyy.  C and o are listed only on the
# copies flagged i (inherit_only), which do not apply to yyy itself and are
# kept for its children.  Entries that carried n (no_propagate) get no such
# copy; the f-only users 42 and 45 appear solely as f-i copies; users 48 and
# 51 (fn, fni) are not listed at all.
734196938Strasz$ rmdir yyy
735196938Strasz$ mkdir yyy
736196938Strasz$ getfacl -nq yyy
737196938Strasz>            user:53:--------------:------:deny
738196938Strasz>            user:53:--------------:------:allow
739196938Strasz>            user:52:--------------:------:deny
740196938Strasz>            user:52:--------------:------:allow
741196938Strasz>            user:50:--------------:------:deny
742196938Strasz>            user:50:--------------:------:allow
743196938Strasz>            user:49:--------------:------:deny
744196938Strasz>            user:49:--------------:------:allow
745196938Strasz>            user:47:-----------Co-:fdi---:allow
746196938Strasz>            user:47:--------------:------:deny
747196938Strasz>            user:47:--------------:------:allow
748196938Strasz>            user:46:-----------Co-:-di---:allow
749196938Strasz>            user:46:--------------:------:deny
750196938Strasz>            user:46:--------------:------:allow
751196938Strasz>            user:45:-----------Co-:f-i---:allow
752196938Strasz>            user:44:-----------Co-:fdi---:allow
753196938Strasz>            user:44:--------------:------:deny
754196938Strasz>            user:44:--------------:------:allow
755196938Strasz>            user:43:-----------Co-:-di---:allow
756196938Strasz>            user:43:--------------:------:deny
757196938Strasz>            user:43:--------------:------:allow
758196938Strasz>            user:42:-----------Co-:f-i---:allow
759196938Strasz>             owner@:--------------:------:deny
760196938Strasz>             owner@:rwxp---A-W-Co-:------:allow
761196938Strasz>             group@:-w-p----------:------:deny
762196938Strasz>             group@:r-x-----------:------:allow
763196938Strasz>          everyone@:-w-p---A-W-Co-:------:deny
764196938Strasz>          everyone@:r-x---a-R-c--s:------:allow
765196938Strasz
# Same matrix of inheritance flags, this time with deny entries for C and o.
766196938Strasz$ setfacl -b .
767196938Strasz$ setfacl -a0 u:42:Co:f:deny .
768196938Strasz$ setfacl -a0 u:43:Co:d:deny .
769196938Strasz$ setfacl -a0 u:44:Co:fd:deny .
770196938Strasz$ setfacl -a0 u:45:Co:fi:deny .
771196938Strasz$ setfacl -a0 u:46:Co:di:deny .
772196938Strasz$ setfacl -a0 u:47:Co:fdi:deny .
773196938Strasz$ setfacl -a0 u:48:Co:fn:deny .
774196938Strasz$ setfacl -a0 u:49:Co:dn:deny .
775196938Strasz$ setfacl -a0 u:50:Co:fdn:deny .
776196938Strasz$ setfacl -a0 u:51:Co:fni:deny .
777196938Strasz$ setfacl -a0 u:52:Co:dni:deny .
778196938Strasz$ setfacl -a0 u:53:Co:fdni:deny .
# New file: each user whose entry carried f gets a single deny entry with C
# and o intact.  Unlike the allow case, the restriction is inherited
# unchanged and is not split into a deny/allow pair.
779196938Strasz$ umask 022
780196938Strasz$ rm xxx
781196938Strasz$ touch xxx
782196938Strasz$ getfacl -nq xxx
783196938Strasz>            user:53:-----------Co-:------:deny
784196938Strasz>            user:51:-----------Co-:------:deny
785196938Strasz>            user:50:-----------Co-:------:deny
786196938Strasz>            user:48:-----------Co-:------:deny
787196938Strasz>            user:47:-----------Co-:------:deny
788196938Strasz>            user:45:-----------Co-:------:deny
789196938Strasz>            user:44:-----------Co-:------:deny
790196938Strasz>            user:42:-----------Co-:------:deny
791196938Strasz>             owner@:--x-----------:------:deny
792196938Strasz>             owner@:rw-p---A-W-Co-:------:allow
793196938Strasz>             group@:-wxp----------:------:deny
794196938Strasz>             group@:r-------------:------:allow
795196938Strasz>          everyone@:-wxp---A-W-Co-:------:deny
796196938Strasz>          everyone@:r-----a-R-c--s:------:allow
797196938Strasz
# New directory under the deny entries.  Every user whose entry carried d
# gets a deny entry for C and o that applies to yyy.  Where the entry lacked
# n (no_propagate), an extra copy flagged i (inherit_only) is kept for the
# directory's children.  The f-only users 42 and 45 appear only as f-i
# copies; users 48 and 51 (fn, fni) are not listed.
798196938Strasz$ rmdir yyy
799196938Strasz$ mkdir yyy
800196938Strasz$ getfacl -nq yyy
801196938Strasz>            user:53:-----------Co-:------:deny
802196938Strasz>            user:52:-----------Co-:------:deny
803196938Strasz>            user:50:-----------Co-:------:deny
804196938Strasz>            user:49:-----------Co-:------:deny
805196938Strasz>            user:47:-----------Co-:fdi---:deny
806196938Strasz>            user:47:-----------Co-:------:deny
807196938Strasz>            user:46:-----------Co-:-di---:deny
808196938Strasz>            user:46:-----------Co-:------:deny
809196938Strasz>            user:45:-----------Co-:f-i---:deny
810196938Strasz>            user:44:-----------Co-:fdi---:deny
811196938Strasz>            user:44:-----------Co-:------:deny
812196938Strasz>            user:43:-----------Co-:-di---:deny
813196938Strasz>            user:43:-----------Co-:------:deny
814196938Strasz>            user:42:-----------Co-:f-i---:deny
815196938Strasz>             owner@:--------------:------:deny
816196938Strasz>             owner@:rwxp---A-W-Co-:------:allow
817196938Strasz>             group@:-w-p----------:------:deny
818196938Strasz>             group@:r-x-----------:------:allow
819196938Strasz>          everyone@:-w-p---A-W-Co-:------:deny
820196938Strasz>          everyone@:r-x---a-R-c--s:------:allow
821196938Strasz
# Cleanup: remove what was created inside ddd, step out of it and remove it.
# The final rm targets an xxx in the outer directory, presumably created
# earlier in this file -- verify there.
822196938Strasz$ rmdir yyy
823196938Strasz$ rm xxx
824196938Strasz$ cd ..
825196938Strasz$ rmdir ddd
826196938Strasz
827196938Strasz$ rm xxx
828196938Strasz
829