02.t revision 196948
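#!/bin/sh
# $FreeBSD: head/tools/regression/fstest/tests/granular/02.t 196948 2009-09-07 19:40:22Z trasz $
#
# Regression test for the NFSv4 ACL permissions that guard a file's own
# access control data: ACL_READ_ACL (reading the ACL) and ACL_WRITE_ACL
# (changing the ACL and the mode).  Checks run either with no -u/-g (the
# identity the comments below call "the root") or as uid/gid 65534, which
# serves as the unprivileged non-owner (commonly "nobody" - confirm on the
# target system).
#
# expect and namegen are not defined here; they come from ../misc.sh.
# The plan line below declares 83 checks, one per expect call.

desc="NFSv4 granular permissions checking - ACL_READ_ACL and ACL_WRITE_ACL"

# Quote the script path so a checkout under a directory containing spaces
# still locates misc.sh.
dir=$(dirname "$0")
. "${dir}/../misc.sh"

echo "1..83"

# NOTE(review): n1 is generated but never referenced in this file.
n0=$(namegen)
n1=$(namegen)
n2=$(namegen)

expect 0 mkdir ${n2} 0755
cdir=$(pwd)
# Everything below acts on relative names and on "." (one check sets "."
# to mode 0777), so stop here if the scratch directory was not entered;
# otherwise the caller's working directory would be modified instead.
cd "${n2}" || exit 1

# Check whether user 65534 is permitted to read ACL.
# Entries are prepended, so the most recently added one is matched first:
# the deny entry yields EACCES, and the allow entry placed in front of it
# restores access.
expect 0 create ${n0} 0644
expect 0 readacl ${n0}
expect 0 -u 65534 -g 65534 readacl ${n0}
expect 0 prependacl ${n0} user:65534:read_acl::deny
expect 0 readacl ${n0}
expect EACCES -u 65534 -g 65534 readacl ${n0}
expect 0 prependacl ${n0} user:65534:read_acl::allow
expect 0 -u 65534 -g 65534 readacl ${n0}
expect 0 readacl ${n0}
expect 0 unlink ${n0}

# Check whether user 65534 is permitted to write ACL.
# Without write_acl a non-owner gets EPERM; note that once write_acl is
# granted, the same user can grant itself further permissions.
expect 0 create ${n0} 0644
expect EPERM -u 65534 -g 65534 prependacl ${n0} user:65534:read_data::allow
expect 0 prependacl ${n0} user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_data::allow
expect 0 unlink ${n0}

# Check whether user 65534 is permitted to write mode.
expect 0 create ${n0} 0755
expect EPERM -u 65534 -g 65534 chmod ${n0} 0777
expect 0 prependacl ${n0} user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 chmod ${n0} 0777
expect 0 unlink ${n0}

# There is an interesting problem with interaction between ACL_WRITE_ACL
# and SUID/SGID bits.  In case user does have ACL_WRITE_ACL, but is not
# a file owner, Solaris does the following:
# 1. Setting SUID fails with EPERM.
# 2. Setting SGID succeeds, but mode is not changed.
# 3. Modifying ACL does not clear SUID nor SGID bits.
# 4. Writing the file does clear both SUID and SGID bits.
#
# What we are doing is the following:
# 1. Setting SUID or SGID fails with EPERM.
# 2. Modifying ACL does not clear SUID nor SGID bits.
# 3. Writing the file does clear both SUID and SGID bits.
#
# Check whether user 65534 is denied to write mode with SUID bit.
# write_acl alone must not let a non-owner set SUID on someone else's file.
expect 0 create ${n0} 0755
expect EPERM -u 65534 -g 65534 chmod ${n0} 04777
expect 0 prependacl ${n0} user:65534:write_acl::allow
expect EPERM -u 65534 -g 65534 chmod ${n0} 04777
expect 0 unlink ${n0}

# Check whether user 65534 is denied to write mode with SGID bit.
expect 0 create ${n0} 0755
expect EPERM -u 65534 -g 65534 chmod ${n0} 02777
expect 0 prependacl ${n0} user:65534:write_acl::allow
expect EPERM -u 65534 -g 65534 chmod ${n0} 02777
expect 0 unlink ${n0}

# Check whether user 65534 is allowed to write mode with sticky bit.
# Unlike SUID/SGID above, the sticky bit on a directory may be set once
# write_acl has been granted.
expect 0 mkdir ${n0} 0755
expect EPERM -u 65534 -g 65534 chmod ${n0} 01777
expect 0 prependacl ${n0} user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 chmod ${n0} 01777
expect 0 rmdir ${n0}

# Check whether modifying the ACL by not-owner preserves the SUID.
expect 0 create ${n0} 04755
expect 0 prependacl ${n0} user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow
expect 04755 stat ${n0} mode
expect 0 unlink ${n0}

# Check whether modifying the ACL by not-owner preserves the SGID.
expect 0 create ${n0} 02755
expect 0 prependacl ${n0} user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow
expect 02755 stat ${n0} mode
expect 0 unlink ${n0}

# Check whether modifying the ACL by not-owner preserves the sticky bit.
expect 0 mkdir ${n0} 0755
expect 0 chmod ${n0} 01755
expect 0 prependacl ${n0} user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_data::allow
expect 01755 stat ${n0} mode
expect 0 rmdir ${n0}

# Clearing the SUID and SGID bits when being written to by non-owner
# is checked in chmod/12.t.

# Check whether the file owner is always permitted to get and set
# ACL and file mode, even if ACL_{READ,WRITE}_ACL would deny it.
# The scratch directory is opened up first so that uid 65534 can create
# entries in it and thereby be their owner.
expect 0 chmod . 0777
expect 0 -u 65534 -g 65534 create ${n0} 0600
expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_acl::deny
expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_acl::deny
expect 0 -u 65534 -g 65534 readacl ${n0}
expect 0600 -u 65534 -g 65534 stat ${n0} mode
expect 0 -u 65534 -g 65534 chmod ${n0} 0777
expect 0 unlink ${n0}

expect 0 -u 65534 -g 65534 mkdir ${n0} 0600
expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:write_acl::deny
expect 0 -u 65534 -g 65534 prependacl ${n0} user:65534:read_acl::deny
expect 0 -u 65534 -g 65534 readacl ${n0}
expect 0600 -u 65534 -g 65534 stat ${n0} mode
expect 0 -u 65534 -g 65534 chmod ${n0} 0777
expect 0 rmdir ${n0}

# Check whether the root is allowed for these as well.
# Here the deny entries name everyone@, and the checks run without -u/-g.
expect 0 -u 65534 -g 65534 create ${n0} 0600
expect 0 prependacl ${n0} everyone@:write_acl::deny
expect 0 prependacl ${n0} everyone@:read_acl::deny
expect 0 readacl ${n0}
expect 0600 stat ${n0} mode
expect 0 chmod ${n0} 0777
expect 0 unlink ${n0}

expect 0 -u 65534 -g 65534 mkdir ${n0} 0600
expect 0 prependacl ${n0} everyone@:write_acl::deny
expect 0 prependacl ${n0} everyone@:read_acl::deny
expect 0600 stat ${n0} mode
expect 0 readacl ${n0}
expect 0600 stat ${n0} mode
expect 0 chmod ${n0} 0777
expect 0 rmdir ${n0}

# Leave the scratch directory before removing it.
cd "${cdir}"
expect 0 rmdir ${n2}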