5 # The contents of this file are subject to the terms of the
6 # Common Development and Distribution License (the "License").
7 # You may not use this file except in compliance with the License.
9 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 # or http://www.opensolaris.org/os/licensing.
11 # See the License for the specific language governing permissions
12 # and limitations under the License.
14 # When distributing Covered Code, include this CDDL HEADER in each
15 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 # If applicable, add the following below this CDDL HEADER, with the
17 # fields enclosed by brackets "[]" replaced with your own identifying
18 # information: Portions Copyright [yyyy] [name of copyright owner]
24 # Copyright 2009 Sun Microsystems, Inc. All rights reserved.
25 # Use is subject to license terms.
29 # Copyright (c) 2016 by Delphix. All rights reserved.
32 .
$STF_SUITE/tests
/functional
/acl
/acl_common.kshlib
36 # Verify that when read_acl/write_acl is assigned to owner@/group@/everyone@,
37 # a specified user, or a specified group, the file has the correct access permission.
40 # 1. Separately verify that a file and a directory were assigned read_acl/write_acl
41 # by root and by a non-root user.
42 # 2. Verify the owner can always read and write the acl, even when denied.
43 # 3. Verify group access permission, when group was assigned
45 # 4. Verify access permission after everyone@ was assigned read_acl/write_acl.
46 # 5. Verify everyone@ is denied except the specified user; this user can read
48 # 6. Verify the group is denied except the specified user; this user can read
# Declare where this test may run. verify_runnable comes from the sourced
# test library; presumably "both" means global and local zones (confirm there).
verify_runnable "both"

# State what this test case asserts, ahead of the helper definitions and checks.
log_assert "Verify chmod A[number]{+|-|=} read_acl/write_acl have correct " \
	"behaviour to access permission."
58 function read_ACL
#<node> <user1> <user2> ...
66 chgusr_exec
$user ls -vd $node > /dev
/null
2>&1
68 (( ret
!= 0 )) && return $ret
76 function write_ACL
#<node> <user1> <user2> ...
80 typeset
-i ret before_cnt after_cnt
84 before_cnt
=$
(count_ACE
$node)
86 (( ret
!= 0 )) && return $ret
88 chgusr_exec
$user chmod A0
+owner@
:read_data
:allow
$node
90 (( ret
!= 0 )) && return $ret
92 after_cnt
=$
(count_ACE
$node)
94 (( ret
!= 0 )) && return $ret
96 chgusr_exec
$user chmod A0-
$node
98 (( ret
!= 0 )) && return $ret
100 if (( after_cnt
- before_cnt
!= 1 )); then
110 function check_owner
#<node>
114 for acc
in allow deny
; do
116 chmod A0
+owner@
:read_acl
/write_acl
:$acc $node
117 log_must read_ACL
$node $ZFS_ACL_CUR_USER
118 log_must write_ACL
$node $ZFS_ACL_CUR_USER
119 log_must usr_exec
chmod A0-
$node
123 function check_group
#<node>
128 if [[ $ZFS_ACL_CUR_USER == root
]]; then
129 grp_usr
=$ZFS_ACL_ADMIN
130 elif [[ $ZFS_ACL_CUR_USER == $ZFS_ACL_STAFF1 ]]; then
131 grp_usr
=$ZFS_ACL_STAFF2
134 log_must usr_exec
chmod A0
+group@
:read_acl
/write_acl
:allow
$node
135 log_must read_ACL
$node $grp_usr
136 log_must write_ACL
$node $grp_usr
137 log_must usr_exec
chmod A0-
$node
139 log_must usr_exec
chmod A0
+group@
:read_acl
/write_acl
:deny
$node
140 log_mustnot read_ACL
$node $grp_usr
141 log_mustnot write_ACL
$node $grp_usr
142 log_must usr_exec
chmod A0-
$node
145 function check_everyone
#<node>
150 for flag
in allow deny
; do
151 if [[ $flag == allow
]]; then
158 chmod A0
+everyone@
:read_acl
/write_acl
:$flag $node
160 $log read_ACL
$node $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2
161 $log write_ACL
$node $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2
163 log_must usr_exec
chmod A0-
$node
167 function check_spec_user
#<node>
171 log_must usr_exec
chmod A0
+everyone@
:read_acl
/write_acl
:deny
$node
173 chmod A0
+user
:$ZFS_ACL_OTHER1:read_acl
/write_acl
:allow
$node
175 # The specified user can read and write acl
176 log_must read_ACL
$node $ZFS_ACL_OTHER1
177 log_must write_ACL
$node $ZFS_ACL_OTHER1
179 # None of the other users can read or write the acl
181 read_ACL
$node $ZFS_ACL_ADMIN $ZFS_ACL_STAFF2 $ZFS_ACL_OTHER2
183 write_ACL
$node $ZFS_ACL_ADMIN $ZFS_ACL_STAFF2 $ZFS_ACL_OTHER2
185 log_must usr_exec
chmod A0-
$node
186 log_must usr_exec
chmod A0-
$node
189 function check_spec_group
#<node>
193 log_must usr_exec
chmod A0
+everyone@
:read_acl
/write_acl
:deny
$node
194 log_must usr_exec
chmod \
195 A0
+group
:$ZFS_ACL_OTHER_GROUP:read_acl
/write_acl
:allow
$node
197 # The specified group can read and write acl
198 log_must read_ACL
$node $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2
199 log_must write_ACL
$node $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2
201 # None of the other users can read or write the acl
202 log_mustnot read_ACL
$node $ZFS_ACL_ADMIN $ZFS_ACL_STAFF2
203 log_mustnot write_ACL
$node $ZFS_ACL_ADMIN $ZFS_ACL_STAFF2
206 function check_user_in_group
#<node>
210 log_must usr_exec
chmod \
211 A0
+group
:$ZFS_ACL_OTHER_GROUP:read_acl
/write_acl
:deny
$node
212 log_must usr_exec
chmod \
213 A0
+user
:$ZFS_ACL_OTHER1:read_acl
/write_acl
:allow
$node
214 log_must read_ACL
$node $ZFS_ACL_OTHER1
215 log_must write_ACL
$node $ZFS_ACL_OTHER1
216 log_mustnot read_ACL
$node $ZFS_ACL_OTHER2
217 log_mustnot write_ACL
$node $ZFS_ACL_OTHER2
219 log_must usr_exec
chmod A0-
$node
220 log_must usr_exec
chmod A0-
$node
223 set -A func_name check_owner \
230 for user
in root
$ZFS_ACL_STAFF1; do
231 log_must set_cur_usr
$user
233 log_must usr_exec
touch $testfile
234 log_must usr_exec mkdir
$testdir
237 for func
in ${func_name[@]}; do
238 for node
in $testfile $testdir; do
243 log_must usr_exec
rm -rf $testfile $testdir
# Report the test case as passed; log_pass is expected to come from the
# sourced test library (confirm there).
log_pass "Verify chmod A[number]{+|-|=} read_acl/write_acl passed."