188004Sgad#!/bin/sh 288004Sgad# $FreeBSD: releng/10.3/tools/regression/pjdfstest/tests/granular/02.t 210984 2010-08-06 23:58:54Z pjd $ 388004Sgad 488004Sgaddesc="NFSv4 granular permissions checking - ACL_READ_ACL and ACL_WRITE_ACL" 588004Sgad 688004Sgaddir=`dirname $0` 788004Sgad. ${dir}/../misc.sh 888004Sgad 988004Sgad[ "${os}:${fs}" = "FreeBSD:ZFS" ] || quick_exit 1088004Sgad 1188004Sgadecho "1..83" 1288004Sgad 1388004Sgadn0=`namegen` 1488004Sgadn1=`namegen` 1588004Sgadn2=`namegen` 1688004Sgad 1788004Sgadexpect 0 mkdir ${n2} 0755 1888004Sgadcdir=`pwd` 1988004Sgadcd ${n2} 2088004Sgad 2188004Sgad# Check whether user 65534 is permitted to read ACL. 2288004Sgadexpect 0 create ${n0} 0644 2388004Sgadexpect 0 readacl ${n0} 2488004Sgadexpect 0 -u 65534 -g 65534 readacl ${n0} 2588004Sgadexpect 0 prependacl ${n0} user:65534:read_acl::deny 2688004Sgadexpect 0 readacl ${n0} 2788004Sgadexpect EACCES -u 65534 -g 65534 readacl ${n0} 2888004Sgadexpect 0 prependacl ${n0} user:65534:read_acl::allow 2988004Sgadexpect 0 -u 65534 -g 65534 readacl ${n0} 3088004Sgadexpect 0 readacl ${n0} 3188004Sgadexpect 0 unlink ${n0} 3288004Sgad 3388004Sgad# Check whether user 65534 is permitted to write ACL. 3488004Sgadexpect 0 create ${n0} 0644 3588004Sgadexpect EPERM -u 65534 -g 65534 prependacl ${n0} user:65534:read_data::allow 3688004Sgadexpect 0 prependacl ${n0} user:65534:write_acl::allow 3788004Sgadexpect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_data::allow 3888004Sgadexpect 0 unlink ${n0} 3988004Sgad 4088004Sgad# Check whether user 65534 is permitted to write mode. 4188004Sgadexpect 0 create ${n0} 0755 4288004Sgadexpect EPERM -u 65534 -g 65534 chmod ${n0} 0777 4388004Sgadexpect 0 prependacl ${n0} user:65534:write_acl::allow 4488004Sgadexpect 0 -u 65534 -g 65534 chmod ${n0} 0777 45expect 0 unlink ${n0} 46 47# There is an interesting problem with interaction between ACL_WRITE_ACL 48# and SUID/SGID bits. In case user does have ACL_WRITE_ACL, but is not 49# a file owner, Solaris does the following: 50# 1. Setting SUID fails with EPERM. 51# 2. Setting SGID succeeds, but mode is not changed. 52# 3. Modifying ACL does not clear SUID nor SGID bits. 53# 4. Writing the file does clear both SUID and SGID bits. 54# 55# What we are doing is the following: 56# 1. Setting SUID or SGID fails with EPERM. 57# 2. Modifying ACL does not clear SUID nor SGID bits. 58# 3. Writing the file does clear both SUID and SGID bits. 59# 60# Check whether user 65534 is denied to write mode with SUID bit. 61expect 0 create ${n0} 0755 62expect EPERM -u 65534 -g 65534 chmod ${n0} 04777 63expect 0 prependacl ${n0} user:65534:write_acl::allow 64expect EPERM -u 65534 -g 65534 chmod ${n0} 04777 65expect 0 unlink ${n0} 66 67# Check whether user 65534 is denied to write mode with SGID bit. 68expect 0 create ${n0} 0755 69expect EPERM -u 65534 -g 65534 chmod ${n0} 02777 70expect 0 prependacl ${n0} user:65534:write_acl::allow 71expect EPERM -u 65534 -g 65534 chmod ${n0} 02777 72expect 0 unlink ${n0} 73 74# Check whether user 65534 is allowed to write mode with sticky bit. 75expect 0 mkdir ${n0} 0755 76expect EPERM -u 65534 -g 65534 chmod ${n0} 01777 77expect 0 prependacl ${n0} user:65534:write_acl::allow 78expect 0 -u 65534 -g 65534 chmod ${n0} 01777 79expect 0 rmdir ${n0} 80 81# Check whether modifying the ACL by not-owner preserves the SUID. 82expect 0 create ${n0} 04755 83expect 0 prependacl ${n0} user:65534:write_acl::allow 84expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow 85expect 04755 stat ${n0} mode 86expect 0 unlink ${n0} 87 88# Check whether modifying the ACL by not-owner preserves the SGID. 89expect 0 create ${n0} 02755 90expect 0 prependacl ${n0} user:65534:write_acl::allow 91expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow 92expect 02755 stat ${n0} mode 93expect 0 unlink ${n0} 94 95# Check whether modifying the ACL by not-owner preserves the sticky bit. 96expect 0 mkdir ${n0} 0755 97expect 0 chmod ${n0} 01755 98expect 0 prependacl ${n0} user:65534:write_acl::allow 99expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow 100expect 01755 stat ${n0} mode 101expect 0 rmdir ${n0} 102 103# Clearing the SUID and SGID bits when being written to by non-owner 104# is checked in chmod/12.t. 105 106# Check whether the file owner is always permitted to get and set 107# ACL and file mode, even if ACL_{READ,WRITE}_ACL would deny it. 108expect 0 chmod . 0777 109expect 0 -u 65534 -g 65534 create ${n0} 0600 110expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_acl::deny 111expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_acl::deny 112expect 0 -u 65534 -g 65534 readacl ${n0} 113expect 0600 -u 65534 -g 65534 stat ${n0} mode 114expect 0 -u 65534 -g 65534 chmod ${n0} 0777 115expect 0 unlink ${n0} 116 117expect 0 -u 65534 -g 65534 mkdir ${n0} 0600 118expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_acl::deny 119expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_acl::deny 120expect 0 -u 65534 -g 65534 readacl ${n0} 121expect 0600 -u 65534 -g 65534 stat ${n0} mode 122expect 0 -u 65534 -g 65534 chmod ${n0} 0777 123expect 0 rmdir ${n0} 124 125# Check whether the root is allowed for these as well. 126expect 0 -u 65534 -g 65534 create ${n0} 0600 127expect 0 prependacl ${n0} everyone@:write_acl::deny 128expect 0 prependacl ${n0} everyone@:read_acl::deny 129expect 0 readacl ${n0} 130expect 0600 stat ${n0} mode 131expect 0 chmod ${n0} 0777 132expect 0 unlink ${n0} 133 134expect 0 -u 65534 -g 65534 mkdir ${n0} 0600 135expect 0 prependacl ${n0} everyone@:write_acl::deny 136expect 0 prependacl ${n0} everyone@:read_acl::deny 137expect 0600 stat ${n0} mode 138expect 0 readacl ${n0} 139expect 0600 stat ${n0} mode 140expect 0 chmod ${n0} 0777 141expect 0 rmdir ${n0} 142 143cd ${cdir} 144expect 0 rmdir ${n2} 145