t/t1304-default-acl.sh

   1 #!/bin/sh
   2 #
   3 # Copyright (c) 2010 Matthieu Moy
   4 #
   5
   6 test_description='Test repository with default ACL'
   7
   8 # Create the test repo with restrictive umask
   9 # => this must come before . ./test-lib.sh
  10 umask 077
  11
  12 TEST_PASSES_SANITIZE_LEAK=true
  13 . ./test-lib.sh
  14
  15 # We need an arbitrary other user give permission to using ACLs. root
  16 # is a good candidate: exists on all unices, and it has permission
  17 # anyway, so we don't create a security hole running the testsuite.
  18 test_expect_success 'checking for a working acl setup' '
  19         if setfacl -m d:m:rwx -m u:root:rwx . &&
  20            getfacl . | grep user:root:rwx &&
  21            touch should-have-readable-acl &&
  22            getfacl should-have-readable-acl | grep -E "mask::?rw-"
  23         then
  24                 test_set_prereq SETFACL
  25         fi
  26 '
  27
  28 if test -z "$LOGNAME"
  29 then
  30         LOGNAME="${USER:-$(id -u -n)}"
  31 fi
  32
  33 check_perms_and_acl () {
  34         test -r "$1" &&
  35         getfacl "$1" > actual &&
  36         grep -q "user:root:rwx" actual &&
  37         grep -q "user:${LOGNAME}:rwx" actual &&
  38         grep -E "mask::?r--" actual > /dev/null 2>&1 &&
  39         grep -q "group::---" actual || false
  40 }
  41
  42 dirs_to_set="./ .git/ .git/objects/ .git/objects/pack/"
  43
  44 test_expect_success SETFACL 'Setup test repo' '
  45         setfacl -m d:u::rwx,d:g::---,d:o:---,d:m:rwx $dirs_to_set &&
  46         setfacl -m m:rwx               $dirs_to_set &&
  47         setfacl -m u:root:rwx          $dirs_to_set &&
  48         setfacl -m d:u:"$LOGNAME":rwx  $dirs_to_set &&
  49         setfacl -m d:u:root:rwx        $dirs_to_set &&
  50
  51         touch file.txt &&
  52         git add file.txt &&
  53         git commit -m "init"
  54 '
  55
  56 test_expect_success SETFACL 'Objects creation does not break ACLs with restrictive umask' '
  57         # SHA1 for empty blob
  58         check_perms_and_acl .git/objects/$(echo $EMPTY_BLOB | sed -e "s,^\(..\),\1/,")
  59 '
  60
  61 test_expect_success SETFACL 'git gc does not break ACLs with restrictive umask' '
  62         git gc &&
  63         check_perms_and_acl .git/objects/pack/*.pack
  64 '
  65
  66 test_done