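#!/bin/sh
# $FreeBSD: head/tools/regression/pjdfstest/tests/granular/02.t 211352 2010-08-15 21:24:17Z pjd $
#
# Regression test for the two NFSv4 ACL permissions that guard a file's own
# access-control metadata: read_acl (ACL_READ_ACL) and write_acl
# (ACL_WRITE_ACL).  It checks that
#   - a non-owner can read or change the ACL/mode only when the ACL says so,
#   - write_acl never lets a non-owner set SUID or SGID,
#   - the owner and root keep access even when the ACL denies it.
#
# Helpers (expect, namegen, quick_exit) and the ${os}/${fs} variables are
# expected to come from ../misc.sh, which is not part of this file.
# As used below: "expect RESULT [-u uid -g gid] OPERATION ARGS..." runs
# OPERATION, optionally under the given credentials, and compares the outcome
# with RESULT (0, an errno name, or a stat value).
#
# Commands without -u/-g run as the invoking user; the comments below treat
# that user as root.  uid/gid 65534 is the unprivileged non-owner identity.

desc="NFSv4 granular permissions checking - ACL_READ_ACL and ACL_WRITE_ACL"

# Quoted so the helper library is still found when the test tree lives under
# a path containing whitespace.
dir=$(dirname "$0")
. "${dir}/../misc.sh"

# NFSv4 ACLs are only exercised on FreeBSD with ZFS; skip everywhere else.
[ "${os}:${fs}" = "FreeBSD:ZFS" ] || quick_exit

# TAP plan: must equal the number of expect calls below.
echo "1..83"

n0=$(namegen)
n1=$(namegen)	# generated but not used by any check in this file
n2=$(namegen)

expect 0 mkdir "${n2}" 0755
cdir=$(pwd)
# Everything below creates, re-modes and deletes entries relative to ".",
# including "chmod . 0777".  Stop if the scratch directory cannot be entered,
# so none of that is applied to the directory the test was started from.
cd "${n2}" || {
	echo "cannot enter scratch directory ${n2}" >&2
	exit 1
}

# Check whether user 65534 is permitted to read ACL.
# A deny entry blocks the non-owner (EACCES) but not the invoking user; an
# allow entry prepended afterwards sits ahead of the deny entry and is
# expected to take effect.
expect 0 create "${n0}" 0644
expect 0 readacl "${n0}"
expect 0 -u 65534 -g 65534 readacl "${n0}"
expect 0 prependacl "${n0}" user:65534:read_acl::deny
expect 0 readacl "${n0}"
expect EACCES -u 65534 -g 65534 readacl "${n0}"
expect 0 prependacl "${n0}" user:65534:read_acl::allow
expect 0 -u 65534 -g 65534 readacl "${n0}"
expect 0 readacl "${n0}"
expect 0 unlink "${n0}"

# Check whether user 65534 is permitted to write ACL.
# Without write_acl a non-owner must not be able to grant itself read_data.
expect 0 create "${n0}" 0644
expect EPERM -u 65534 -g 65534 prependacl "${n0}" user:65534:read_data::allow
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:read_data::allow
expect 0 unlink "${n0}"

# Check whether user 65534 is permitted to write mode.
# chmod by a non-owner is gated by the same write_acl permission.
expect 0 create "${n0}" 0755
expect EPERM -u 65534 -g 65534 chmod "${n0}" 0777
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 chmod "${n0}" 0777
expect 0 unlink "${n0}"

# There is an interesting problem with interaction between ACL_WRITE_ACL
# and SUID/SGID bits.  In case user does have ACL_WRITE_ACL, but is not
# a file owner, Solaris does the following:
# 1. Setting SUID fails with EPERM.
# 2. Setting SGID succeeds, but mode is not changed.
# 3. Modifying ACL does not clear SUID nor SGID bits.
# 4. Writing the file does clear both SUID and SGID bits.
#
# What we are doing is the following:
# 1. Setting SUID or SGID fails with EPERM.
# 2. Modifying ACL does not clear SUID nor SGID bits.
# 3. Writing the file does clear both SUID and SGID bits.
#
# Why rule 1 matters: write_acl delegates ACL management only.  If it also
# allowed setting SUID/SGID, a non-owner could make the file execute with
# the owner's or group's identity.
#
# Check whether user 65534 is denied to write mode with SUID bit.
expect 0 create "${n0}" 0755
expect EPERM -u 65534 -g 65534 chmod "${n0}" 04777
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect EPERM -u 65534 -g 65534 chmod "${n0}" 04777
expect 0 unlink "${n0}"

# Check whether user 65534 is denied to write mode with SGID bit.
expect 0 create "${n0}" 0755
expect EPERM -u 65534 -g 65534 chmod "${n0}" 02777
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect EPERM -u 65534 -g 65534 chmod "${n0}" 02777
expect 0 unlink "${n0}"

# Check whether user 65534 is allowed to write mode with sticky bit.
# Unlike SUID/SGID, the sticky bit on a directory may be set via write_acl.
expect 0 mkdir "${n0}" 0755
expect EPERM -u 65534 -g 65534 chmod "${n0}" 01777
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 chmod "${n0}" 01777
expect 0 rmdir "${n0}"

# Check whether modifying the ACL by not-owner preserves the SUID.
expect 0 create "${n0}" 04755
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:write_data::allow
expect 04755 stat "${n0}" mode
expect 0 unlink "${n0}"

# Check whether modifying the ACL by not-owner preserves the SGID.
expect 0 create "${n0}" 02755
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:write_data::allow
expect 02755 stat "${n0}" mode
expect 0 unlink "${n0}"

# Check whether modifying the ACL by not-owner preserves the sticky bit.
expect 0 mkdir "${n0}" 0755
expect 0 chmod "${n0}" 01755
expect 0 prependacl "${n0}" user:65534:write_acl::allow
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:write_data::allow
expect 01755 stat "${n0}" mode
expect 0 rmdir "${n0}"

# Clearing the SUID and SGID bits when being written to by non-owner
# is checked in chmod/12.t.

# Check whether the file owner is always permitted to get and set
# ACL and file mode, even if ACL_{READ,WRITE}_ACL would deny it.
#
# "." is the scratch directory entered above; it is opened up so that
# uid 65534 can create entries in it and thereby own them.
expect 0 chmod . 0777
expect 0 -u 65534 -g 65534 create "${n0}" 0600
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:write_acl::deny
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:read_acl::deny
expect 0 -u 65534 -g 65534 readacl "${n0}"
expect 0600 -u 65534 -g 65534 stat "${n0}" mode
expect 0 -u 65534 -g 65534 chmod "${n0}" 0777
expect 0 unlink "${n0}"

# Same owner checks against a directory.
expect 0 -u 65534 -g 65534 mkdir "${n0}" 0600
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:write_acl::deny
expect 0 -u 65534 -g 65534 prependacl "${n0}" user:65534:read_acl::deny
expect 0 -u 65534 -g 65534 readacl "${n0}"
expect 0600 -u 65534 -g 65534 stat "${n0}" mode
expect 0 -u 65534 -g 65534 chmod "${n0}" 0777
expect 0 rmdir "${n0}"

# Check whether the root is allowed for these as well.
# The object is owned by uid 65534 and everyone@ is denied, so success here
# comes from the invoking user's privilege, not from ownership or the ACL.
expect 0 -u 65534 -g 65534 create "${n0}" 0600
expect 0 prependacl "${n0}" everyone@:write_acl::deny
expect 0 prependacl "${n0}" everyone@:read_acl::deny
expect 0 readacl "${n0}"
expect 0600 stat "${n0}" mode
expect 0 chmod "${n0}" 0777
expect 0 unlink "${n0}"

# Same root checks against a directory.
expect 0 -u 65534 -g 65534 mkdir "${n0}" 0600
expect 0 prependacl "${n0}" everyone@:write_acl::deny
expect 0 prependacl "${n0}" everyone@:read_acl::deny
expect 0600 stat "${n0}" mode
expect 0 readacl "${n0}"
expect 0600 stat "${n0}" mode
expect 0 chmod "${n0}" 0777
expect 0 rmdir "${n0}"

# Leave and remove the scratch directory.
cd "${cdir}"
expect 0 rmdir "${n2}"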