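#!/bin/sh
# $FreeBSD: head/tools/regression/pjdfstest/tests/granular/02.t 211352 2010-08-15 21:24:17Z pjd $
#
# Regression test for the NFSv4 ACL permissions read_acl (ACL_READ_ACL) and
# write_acl (ACL_WRITE_ACL): who may read an ACL, who may change an ACL or
# the file mode, and how write_acl interacts with the SUID, SGID and sticky
# bits.
#
# The helpers used below (expect, namegen, quick_exit) and the ${os} and
# ${fs} variables are not defined in this file; they are expected to come
# from ../misc.sh.
# The plan line announces 83 checks, which is the number of expect calls
# below; keep the two in step when adding or removing a check.
# NOTE(review): "-u 65534 -g 65534" runs an operation as an unprivileged
# identity, which presumably requires the test itself to start as root --
# confirm against misc.sh.

desc="NFSv4 granular permissions checking - ACL_READ_ACL and ACL_WRITE_ACL"

dir=$(dirname "$0")
. "${dir}/../misc.sh"

# These semantics are only asserted for ZFS on FreeBSD; skip everywhere else.
[ "${os}:${fs}" = "FreeBSD:ZFS" ] || quick_exit

echo "1..83"

n0=$(namegen)
n1=$(namegen)
n2=$(namegen)

# All checks run inside a scratch directory that is removed at the end.
expect 0 mkdir "${n2}" 0755
cdir=$(pwd)
# Stop if the scratch directory cannot be entered. Otherwise every later
# step, including "chmod . 0777", unlink and rmdir, would act on the
# directory the test was started from.
cd "${n2}" || {
	printf 'Bail out! cannot cd into scratch directory %s\n' "${n2}"
	exit 1
}

# Check whether user 65534 is permitted to read ACL.
# Reading is allowed by default, refused with EACCES once a read_acl deny
# entry is prepended, and allowed again once a read_acl allow entry is
# prepended ahead of that deny entry.
expect 0 create "${n0}" 0644
expect 0 readacl "${n0}"
expect 0 -u 65534 -g 65534 readacl "${n0}"
expect 0 prependacl "${n0}" user:65534:read_acl::deny
expect 0 readacl "${n0}"
expect EACCES -u 65534 -g 65534 readacl "${n0}"
expect 0 prependacl "${n0}" user:65534:read_acl::allow
expect 0 -u 65534 -g 65534 readacl "${n0}"
expect 0 readacl "${n0}"
expect 0 unlink "${n0}"

# Check whether user 65534 is permitted to write ACL.
# A non-owner gets EPERM until write_acl is granted to it.
expect 0 create "${n0}" 0644
expect EPERM -u 65534 -g 65534 prependacl "${n0}" user:65534:read_data::allow
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:read_data::allow
expect 0 unlink "${n0}"

# Check whether user 65534 is permitted to write mode.
# The same write_acl grant also lets a non-owner chmod the file.
expect 0 create "${n0}" 0755
expect EPERM -u 65534 -g 65534 chmod "${n0}" 0777
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 chmod "${n0}" 0777
expect 0 unlink "${n0}"

# There is an interesting problem with interaction between ACL_WRITE_ACL
# and SUID/SGID bits. In case user does have ACL_WRITE_ACL, but is not
# a file owner, Solaris does the following:
# 1. Setting SUID fails with EPERM.
# 2. Setting SGID succeeds, but mode is not changed.
# 3. Modifying ACL does not clear SUID nor SGID bits.
# 4. Writing the file does clear both SUID and SGID bits.
#
# What we are doing is the following:
# 1. Setting SUID or SGID fails with EPERM.
# 2. Modifying ACL does not clear SUID nor SGID bits.
# 3. Writing the file does clear both SUID and SGID bits.
#
# Rule 1 is the security-relevant one: a delegated write_acl right must not
# be enough for a non-owner to mark somebody else's file set-id.
#
# Check whether user 65534 is denied to write mode with SUID bit.
expect 0 create "${n0}" 0755
expect EPERM -u 65534 -g 65534 chmod "${n0}" 04777
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect EPERM -u 65534 -g 65534 chmod "${n0}" 04777
expect 0 unlink "${n0}"

# Check whether user 65534 is denied to write mode with SGID bit.
expect 0 create "${n0}" 0755
expect EPERM -u 65534 -g 65534 chmod "${n0}" 02777
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect EPERM -u 65534 -g 65534 chmod "${n0}" 02777
expect 0 unlink "${n0}"

# Check whether user 65534 is allowed to write mode with sticky bit.
# Unlike SUID/SGID, the sticky bit on a directory may be set by a non-owner
# that holds write_acl.
expect 0 mkdir "${n0}" 0755
expect EPERM -u 65534 -g 65534 chmod "${n0}" 01777
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 chmod "${n0}" 01777
expect 0 rmdir "${n0}"

# Check whether modifying the ACL by not-owner preserves the SUID.
expect 0 create "${n0}" 04755
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:write_data::allow
expect 04755 stat "${n0}" mode
expect 0 unlink "${n0}"

# Check whether modifying the ACL by not-owner preserves the SGID.
expect 0 create "${n0}" 02755
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:write_data::allow
expect 02755 stat "${n0}" mode
expect 0 unlink "${n0}"

# Check whether modifying the ACL by not-owner preserves the sticky bit.
expect 0 mkdir "${n0}" 0755
expect 0 chmod "${n0}" 01755
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:write_data::allow
expect 01755 stat "${n0}" mode
expect 0 rmdir "${n0}"

# Clearing the SUID and SGID bits when being written to by non-owner
# is checked in chmod/12.t.

# Check whether the file owner is always permitted to get and set
# ACL and file mode, even if ACL_{READ,WRITE}_ACL would deny it.
# The scratch directory is opened up first so that user 65534 can create
# entries in it; from here on 65534 is the owner of ${n0}.
expect 0 chmod . 0777
expect 0 -u 65534 -g 65534 create "${n0}" 0600
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:write_acl::deny
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:read_acl::deny
expect 0 -u 65534 -g 65534 readacl "${n0}"
expect 0600 -u 65534 -g 65534 stat "${n0}" mode
expect 0 -u 65534 -g 65534 chmod "${n0}" 0777
expect 0 unlink "${n0}"

# Same owner checks, on a directory.
expect 0 -u 65534 -g 65534 mkdir "${n0}" 0600
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:write_acl::deny
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:read_acl::deny
expect 0 -u 65534 -g 65534 readacl "${n0}"
expect 0600 -u 65534 -g 65534 stat "${n0}" mode
expect 0 -u 65534 -g 65534 chmod "${n0}" 0777
expect 0 rmdir "${n0}"

# Check whether the root is allowed for these as well.
# The object is owned by 65534 and everyone@ is denied both permissions;
# the calls without -u/-g must still succeed.
expect 0 -u 65534 -g 65534 create "${n0}" 0600
expect 0 prependacl "${n0}" everyone@:write_acl::deny
expect 0 prependacl "${n0}" everyone@:read_acl::deny
expect 0 readacl "${n0}"
expect 0600 stat "${n0}" mode
expect 0 chmod "${n0}" 0777
expect 0 unlink "${n0}"

# Same root checks, on a directory. The mode is read both before and after
# readacl; both reads are part of the 83-check plan.
expect 0 -u 65534 -g 65534 mkdir "${n0}" 0600
expect 0 prependacl "${n0}" everyone@:write_acl::deny
expect 0 prependacl "${n0}" everyone@:read_acl::deny
expect 0600 stat "${n0}" mode
expect 0 readacl "${n0}"
expect 0600 stat "${n0}" mode
expect 0 chmod "${n0}" 0777
expect 0 rmdir "${n0}"

# Leave the scratch directory and remove it.
cd "${cdir}"
expect 0 rmdir "${n2}"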