From 232f5a2e6e6fcc0e7d4f5bd719cd5e6433a24020 Mon Sep 17 00:00:00 2001 From: Yuri Pankov Date: Tue, 19 Apr 2016 16:46:11 -0700 Subject: [PATCH] 6875 fix zfs-tests ACL cases Reviewed by: Gordon Ross Reviewed by: John Kennedy Approved by: Richard Lowe --- .../nontrivial/zfs_acl_chmod_aclmode_001_pos.ksh | 313 +++++----- .../nontrivial/zfs_acl_chmod_delete_001_pos.ksh | 64 +- .../nontrivial/zfs_acl_chmod_inherit_002_neg.ksh | 265 ++++---- .../nontrivial/zfs_acl_chmod_inherit_003_pos.ksh | 683 +++++++++------------ .../nontrivial/zfs_acl_chmod_inherit_004_pos.ksh | 264 ++++---- 5 files changed, 685 insertions(+), 904 deletions(-) rewrite usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_003_pos.ksh (70%) rewrite usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_004_pos.ksh (66%) diff --git a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_aclmode_001_pos.ksh b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_aclmode_001_pos.ksh index 0dfd6864be..6486f58464 100644 --- a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_aclmode_001_pos.ksh +++ b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_aclmode_001_pos.ksh @@ -27,69 +27,62 @@ # # Copyright (c) 2012 by Delphix. All rights reserved. +# Copyright 2016 Nexenta Systems, Inc. # . $STF_SUITE/tests/functional/acl/acl_common.kshlib -# # DESCRIPTION: -# Verify chmod have correct behaviour on directories and files when -# filesystem has the different aclmode setting +# Verify chmod have correct behaviour on directories and files when +# filesystem has the different aclmode setting # # STRATEGY: -# 1. Loop super user and non-super user to run the test case. -# 2. Create basedir and a set of subdirectores and files within it. -# 3. Separately chmod basedir with different aclmode options, -# combine with the variable setting of aclmode: -# "discard", "groupmask", or "passthrough". -# 4. Verify each directories and files have the correct access control -# capability. -# +# 1. Loop super user and non-super user to run the test case. +# 2. Create basedir and a set of subdirectores and files within it. +# 3. Separately chmod basedir with different aclmode options, +# combine with the variable setting of aclmode: +# "discard", "groupmask", or "passthrough". +# 4. Verify each directories and files have the correct access control +# capability. verify_runnable "both" function cleanup { - # Cleanup tarfile & basedir. - (( ${#cwd} != 0 )) && cd $cwd - if [[ -f $TARFILE ]]; then - log_must $RM -f $TARFILE - fi - - if [[ -d $basedir ]]; then - log_must $RM -rf $basedir - fi + [[ -f $TARFILE ]] && log_must $RM -f $TARFILE + [[ -d $basedir ]] && log_must $RM -rf $basedir } -log_assert "Verify chmod have correct behaviour to directory and file when " \ - "filesystem has the different aclmode setting." +log_assert "Verify chmod have correct behaviour to directory and file when" \ + "filesystem has the different aclmode setting" log_onexit cleanup -# Define aclmode flag -set -A aclmode_flag discard groupmask passthrough - -set -A ace_prefix "user:$ZFS_ACL_OTHER1" \ - "user:$ZFS_ACL_OTHER2" \ - "group:$ZFS_ACL_STAFF_GROUP" \ - "group:$ZFS_ACL_OTHER_GROUP" - -set -A argv "000" "444" "644" "777" "755" "231" "562" "413" - -set -A ace_file_preset "read_data" \ - "write_data" \ - "append_data" \ - "execute" \ - "read_data/write_data" \ - "read_data/write_data/append_data" \ - "write_data/append_data" \ - "read_data/execute" \ - "write_data/append_data/execute" \ - "read_data/write_data/append_data/execute" - -# Defile the based directory and file +set -A aclmode_flag "discard" "groupmask" "passthrough" + +set -A ace_prefix \ + "user:$ZFS_ACL_OTHER1" \ + "user:$ZFS_ACL_OTHER2" \ + "group:$ZFS_ACL_STAFF_GROUP" \ + "group:$ZFS_ACL_OTHER_GROUP" + +set -A argv "000" "444" "644" "777" "755" "231" "562" "413" + +set -A ace_file_preset \ + "read_data" \ + "write_data" \ + "append_data" \ + "execute" \ + "read_data/write_data" \ + "read_data/write_data/append_data" \ + "write_data/append_data" \ + "read_data/execute" \ + "write_data/append_data/execute" \ + "read_data/write_data/append_data/execute" + +# Define the base directory and file basedir=$TESTDIR/basedir; ofile=$basedir/ofile; odir=$basedir/odir nfile=$basedir/nfile; ndir=$basedir/ndir @@ -98,7 +91,6 @@ TARFILE=$TESTDIR/tarfile # Verify all the node have expected correct access control allnodes="$nfile $ndir" -# # According to the original bits, the input ACE access and ACE type, return the # expect bits after 'chmod A0{+|=}'. # @@ -107,7 +99,6 @@ allnodes="$nfile $ndir" # $3 bits_limit which was make up of three bit 'rwx' # $4 ACE access which is read_data, write_data or execute # $5 ctrl which is to determine allow or deny according to owner/group bit -# function cal_bits # isdir bits bits_limit acl_access ctrl { typeset -i isdir=$1 @@ -129,7 +120,7 @@ function cal_bits # isdir bits bits_limit acl_access ctrl flagx=1 fi else - #Determine ACE as per owner/group bit + # Determine ACE as per owner/group bit flagr=1 flagw=1 flagx=1 @@ -147,16 +138,16 @@ function cal_bits # isdir bits bits_limit acl_access ctrl flagx=0 fi fi + if ((flagr != 0)); then if [[ $acl_access == *"read_data"* ]]; then - if [[ $acl_access == *"allow"* && $passthrough == 0 ]]; then - tmpstr=${tmpstr} + if [[ $acl_access == *"allow"* && + $passthrough == 0 ]]; then + tmpstr=${tmpstr} + elif ((isdir == 0)); then + tmpstr=${tmpstr}/read_data else - if ((isdir == 0)); then - tmpstr=${tmpstr}/read_data - else - tmpstr=${tmpstr}/list_directory/read_data - fi + tmpstr=${tmpstr}/list_directory/read_data fi fi fi @@ -176,14 +167,17 @@ function cal_bits # isdir bits bits_limit acl_access ctrl if ((isdir == 0)); then tmpstr=${tmpstr}/append_data else - tmpstr=${tmpstr}/add_subdirectory/append_data + tmpstr=${tmpstr}/add_subdirectory + tmpstr=${tmpstr}/append_data fi fi fi fi + if ((flagx != 0)); then if [[ $acl_access == *"execute"* ]]; then - if [[ $acl_access == *"allow"* && $passthrough == 0 ]]; then + if [[ $acl_access == *"allow"* && + $passthrough == 0 ]]; then tmpstr=${tmpstr} else tmpstr=${tmpstr}/execute @@ -237,6 +231,8 @@ function check_new_acl # bit newmode isdir typeset gbit typeset ebit typeset str=":" + typeset dc="" + gbit=${mode:1:1} ebit=${mode:2:1} if (( ((bits & 4)) == 0 )); then @@ -258,6 +254,7 @@ function check_new_acl # bit newmode isdir else new_acl=${new_acl}${str}add_file/write_data/ new_acl=${new_acl}add_subdirectory/append_data + dc="/delete_child" fi str="/" fi @@ -268,6 +265,7 @@ function check_new_acl # bit newmode isdir new_acl=${new_acl}${str}execute fi fi + new_acl=${new_acl}${dc} $ECHO "$new_acl" } @@ -290,10 +288,8 @@ function build_new_acl # newmode isdir $ECHO $expect } -# # According to inherited flag, verify subdirectories and files within it has # correct inherited access control. -# function verify_aclmode # { # Define the nodes which will be affected by inherit. @@ -345,106 +341,103 @@ function verify_aclmode # # case $aclmode in - passthrough) - if ((acl_count > total_acl)); then - expect1=$(build_new_acl $newmode $isdir) - flag=1 - ((total_acl = total_acl + 1)) - ((i = i + 1)) - else - passthrough=1 - expect1=$(translate_acl $isdir $expect1) - fi - ;; - groupmask) - if ((acl_count > total_acl)); then - expect1=$(build_new_acl $newmode $isdir) - flag=1 - ((total_acl = total_acl + 1)) - ((i = i + 1)) - - elif [[ $expect1 == *":allow"* ]]; then - who=${expect1%%:*} - aclaction=${expect1##*:} - prefix=$who - acltemp="" - reduce=0 - # - # To determine the mask bits - # according to the entry type. - # - case $who in - owner@) - pos=0 - ;; - group@) - pos=1 - ;; - everyone@) - pos=2 - ;; - user) - acltemp=${expect1#*:} - acltemp=${acltemp%%:*} - owner=$(get_owner $node) - group=$(get_group $node) - if [[ $acltemp == \ - $owner ]]; then - pos=0 - else - pos=1 - fi - prefix=$prefix:$acltemp - ;; - group) - acltemp=${expect1#*:} - acltemp=${acltemp%%:*} - pos=1 - prefix=$prefix:$acltemp - reduce=1 - ;; - esac - obits=${newmode:$pos:1} - ((bits = $obits)) - # - # permission should be no greater than the - # group permission bits - # - if ((reduce != 0)); then - ((bits &= ${newmode:1:1})) + passthrough) + if ((acl_count > total_acl)); then + expect1=$(build_new_acl $newmode $isdir) + flag=1 + ((total_acl = total_acl + 1)) + ((i = i + 1)) + else + passthrough=1 + expect1=$(translate_acl $isdir $expect1) + fi + ;; + groupmask) + if ((acl_count > total_acl)); then + expect1=$(build_new_acl $newmode $isdir) + flag=1 + ((total_acl = total_acl + 1)) + ((i = i + 1)) + elif [[ $expect1 == *":allow"* ]]; then + who=${expect1%%:*} + aclaction=${expect1##*:} + prefix=$who + acltemp="" + reduce=0 + # To determine the mask bits + # according to the entry type. + # + case $who in + owner@) + pos=0 + ;; + group@) + pos=1 + ;; + everyone@) + pos=2 + ;; + user) + acltemp=${expect1#*:} + acltemp=${acltemp%%:*} + owner=$(get_owner $node) + group=$(get_group $node) + if [[ $acltemp == $owner ]]; then + pos=0 + else + pos=1 + fi + prefix=$prefix:$acltemp + ;; + group) + acltemp=${expect1#*:} + acltemp=${acltemp%%:*} + pos=1 + prefix=$prefix:$acltemp + reduce=1 + ;; + esac + + obits=${newmode:$pos:1} + ((bits = $obits)) + # permission should be no greater than the + # group permission bits + if ((reduce != 0)); then + ((bits &= ${newmode:1:1})) # The ACL permissions are reduced so # that they are no greater than owner # permission bits. + ((bits_owner = ${newmode:0:1})) + ((bits &= $bits_owner)) + fi - ((bits_owner = ${newmode:0:1})) - ((bits &= $bits_owner)) - fi - - if ((bits < obits)) && \ - [[ -n $acltemp ]]; then - expect2=$prefix: - new_bit=$(cal_bits $isdir $obits $bits_owner $expect1 1) - expect2=${expect2}${new_bit}:allow - else - expect2=$prefix: - new_bit=$(cal_bits $isdir $obits $obits $expect1 1) - expect2=${expect2}${new_bit}:allow - fi - priv=$(cal_bits $isdir $obits $bits_owner $expect2 0) - expect1=$prefix:$priv:$aclaction + if ((bits < obits)) && [[ -n $acltemp ]]; then + expect2=$prefix: + new_bit=$(cal_bits $isdir $obits \ + $bits_owner $expect1 1) + expect2=${expect2}${new_bit}:allow else - expect1=$(translate_acl $isdir $expect1) + expect2=$prefix: + new_bit=$(cal_bits $isdir $obits \ + $obits $expect1 1) + expect2=${expect2}${new_bit}:allow fi - ;; - discard) - passcnt=maxnumber - break - ;; + + priv=$(cal_bits $isdir $obits $bits_owner \ + $expect2 0) + expect1=$prefix:$priv:$aclaction + else + expect1=$(translate_acl $isdir $expect1) + fi + ;; + discard) + passcnt=maxnumber + break + ;; esac if ((pass == 0)) ; then # Get the first ACE to do comparison - aclcur=$(get_ACE $node $count) aclcur=${aclcur#$count:} if [[ -n $expect1 && $expect1 != $aclcur ]]; then @@ -487,11 +480,6 @@ cwd=$PWD cd $TESTDIR for mode in "${aclmode_flag[@]}"; do - - # - # Set different value of aclmode - # - log_must $ZFS set aclmode=$mode $TESTPOOL/$TESTFS for user in root $ZFS_ACL_STAFF1; do @@ -511,17 +499,14 @@ for mode in "${aclmode_flag[@]}"; do acl=$prefix:$preset case $((maxnumber % 2)) in - 0) - acl=$acl:deny - ;; - 1) - acl=$acl:allow - ;; + 0) + acl=$acl:deny + ;; + 1) + acl=$acl:allow + ;; esac - # - # Place on the target should succeed. - # log_must usr_exec $CHMOD A+$acl $obj acls[$maxnumber]=$acl @@ -540,8 +525,6 @@ for mode in "${aclmode_flag[@]}"; do log_must usr_exec $CHMOD $newmode $obj log_must usr_exec $CHMOD $newmode $target log_must verify_aclmode $mode $obj $newmode - - # Restore the tar archive log_must $TAR xpf@ $TARFILE done done @@ -550,4 +533,4 @@ for mode in "${aclmode_flag[@]}"; do done done -log_pass "Verify chmod behaviour co-op with aclmode setting passed." +log_pass "Verify chmod behaviour co-op with aclmode setting passed" diff --git a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_delete_001_pos.ksh b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_delete_001_pos.ksh index 7ddf774e85..ec96c7bae6 100644 --- a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_delete_001_pos.ksh +++ b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_delete_001_pos.ksh @@ -25,12 +25,15 @@ # Use is subject to license terms. # +# +# Copyright 2016 Nexenta Systems, Inc. +# + . $STF_SUITE/tests/functional/acl/acl_common.kshlib -# # DESCRIPTION: -# Verify that the combined delete_child/delete permission for -# owner/group/everyone are correct. +# Verify that the combined delete_child/delete permission for +# owner/group/everyone are correct. # # ------------------------------------------------------- # | Parent Dir | Target Object Permissions | @@ -39,20 +42,13 @@ # | | ACL Allows | ACL Denies| Delete | # | | Delete | Delete | unspecified| # ------------------------------------------------------- -# | ACL Allows | Permit | Permit | Permit | -# | DELETE_CHILD | | +# | ACL Denies | Permit | Deny | Deny | +# | DELETE_CHILD | | | | +# | or WRITE_DATA | | | | # ------------------------------------------------------- -# | ACL Denies | Permit | Deny | Deny | -# | DELETE_CHILD | | | | -# ------------------------------------------------------- -# | ACL specifies | | | | -# | only allows | Permit | Permit | Permit | -# | write and | | | | -# | execute | | | | -# ------------------------------------------------------- -# | ACL denies | | | | -# | write and | Permit | Deny | Deny | -# | execute | | | | +# | ACL Allows | Permit | Deny | Permit | +# | DELETE_CHILD | | | | +# | or WRITE_DATA | | | | # ------------------------------------------------------- # # STRATEGY: @@ -60,7 +56,6 @@ # 2. Set special ACE combination to the file and directory # 3. Try to remove the file # 4. Verify that combined permissions for owner/group/everyone are correct. -# verify_runnable "both" @@ -99,7 +94,7 @@ set -A access_target \ set -A a_flag "owner@" "group@" "everyone@" "user:$ZFS_ACL_STAFF1" log_assert "Verify that the combined delete_child/delete permission for" \ - "owner/group/everyone are correct." + "owner/group/everyone are correct." log_onexit cleanup function operate_node #user node @@ -139,20 +134,25 @@ function logname #acl_parent acl_target user typeset user=$3 # To super user, read and write deny permission was override. - if [[ $user == root || $acl_target == *:allow ]]; then + if [[ $user == "root" || $acl_target == *":allow"* ]]; then print "log_must" - elif [[ $acl_parent == *"delete_child"* ]]; then - if [[ $acl_parent == *"delete_child:allow"* ]]; then - print "log_must" - else - print "log_mustnot" - fi - elif [[ $acl_parent == *"write_data"* ]]; then - if [[ $acl_parent == *"write_data:allow"* ]]; then - print "log_must" - else - print "log_mustnot" - fi + # If target ACL has an ACE deny'ing delete, DENY + elif [[ $acl_target == *"delete:deny"* ]]; then + print "log_mustnot" + # If target ACL has an ACE allow'ing delete, ALLOW + elif [[ $acl_target == *"delete:allow"* ]]; then + print "log_must" + # If container ACL has an ACE deny'ing delete_child or + # write_data, DENY + elif [[ $acl_parent == *"delete_child:deny"* || + $acl_parent == *"write_data:deny"* ]]; then + print "log_mustnot" + # If container ACL has an ACE allow'ing delete_child or + # write_data, ALLOW + elif [[ $acl_parent == *"delete_child:allow"* || + $acl_parent == *"write_data:allow"* ]]; then + print "log_must" + # Otherwise, DENY else print "log_mustnot" fi @@ -298,4 +298,4 @@ while (( i < ${#users[@]} )); do done log_pass "Verify that the combined delete_child/delete permission for" \ - "owner/group/everyone are correct." + "owner/group/everyone are correct." diff --git a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_002_neg.ksh b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_002_neg.ksh index 0b675786f7..cade1bf1be 100644 --- a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_002_neg.ksh +++ b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_002_neg.ksh @@ -27,59 +27,49 @@ # # Copyright (c) 2012 by Delphix. All rights reserved. +# Copyright 2016 Nexenta Systems, Inc. # . $STF_SUITE/tests/functional/acl/acl_common.kshlib -# # DESCRIPTION: -# Verify chmod have correct behaviour to directory and file not inherited -# when filesystem has the different aclinherit setting +# Verify chmod have correct behaviour to directory and file not inherited +# when filesystem has the different aclinherit setting # # STRATEGY: -# 1. Loop super user and non-super user to run the test case. -# 2. Create basedir and a set of subdirectores and files within it. -# 3. Separately chmod basedir with different inherite options, -# combine with the variable setting of aclinherit: -# "discard", "noallow", "restricted" or "passthrough". -# 4. Then create nested directories and files like the following. -# -# ofile -# odir -# chmod --> basedir -| -# |_ nfile1 -# |_ ndir1 _ -# |_ nfile2 -# |_ ndir2 _ -# |_ nfile3 -# |_ ndir3 +# 1. Use both super user and non-super user to run the test case. +# 2. Create basedir and a set of subdirectores and files inside of it. +# 3. For the following values of the aclinherity property, add ACEs with +# different inherit options to basedir: +# "discard", "noallow", "restricted" and "passthrough". +# 4. Create nested directories and files like the following. # -# 5. Verify non-inherited directories and files have the correct access -# control capability. +# ofile +# odir +# chmod --> basedir -| +# |_ nfile1 +# |_ ndir1 _ +# |_ nfile2 +# |_ ndir2 _ +# |_ nfile3 +# |_ ndir3 # +# 5. Verify non-inherited directories and files have the correct access +# control capability. verify_runnable "both" function cleanup { - typeset dir - - # Cleanup basedir, compared file and dir. + [[ -f $ofile ]] && log_must $RM -f $ofile + [[ -d $odir ]] && log_must $RM -rf $odir + [[ -d $basedir ]] && log_must $RM -rf $basedir - if [[ -f $ofile ]]; then - log_must $RM -f $ofile - fi - - for dir in $odir $basedir ; do - if [[ -d $dir ]]; then - log_must $RM -rf $dir - fi - done log_must $ZFS set aclmode=discard $TESTPOOL/$TESTFS } -log_assert "Verify chmod have correct behaviour to directory and file when " \ - "filesystem has the different aclinherit setting." +log_assert "Verify different inherit options combined with different" \ + "aclinherit property values" log_onexit cleanup # Define inherit flag @@ -89,10 +79,8 @@ typeset strategy_flag=("" inherit_only no_propagate inherit_only/no_propagate) typeset ace_prefix1="user:$ZFS_ACL_OTHER1" typeset ace_prefix2="user:$ZFS_ACL_OTHER2" -typeset ace_discard ace_noallow ace_secure ace_passthrough -typeset ace_secure_new -# Defile the based directory and file +# Define the base directory and file basedir=$TESTDIR/basedir; ofile=$TESTDIR/ofile; odir=$TESTDIR/odir # Define the files and directories will be created after chmod @@ -102,10 +90,8 @@ nfile1=$basedir/nfile1; nfile2=$ndir1/nfile2; nfile3=$ndir2/nfile3 # Verify all the node have expected correct access control allnodes="$ndir1 $ndir2 $ndir3 $nfile1 $nfile2 $nfile3" -# # According to inherited flag, verify subdirectories and files within it has # correct inherited access control. -# function verify_inherit # [strategy] { # Define the nodes which will be affected by inherit. @@ -118,12 +104,10 @@ function verify_inherit # [strategy] typeset str2="/inherited:" # count: the ACE item to fetch - # maxnumber: predefine as 4 - # passcnt: counter, if it achieves to maxnumber, + # passcnt: counter, if it achieves to maxaces, # then no additional ACE should apply. # isinherit: indicate if the current target is in the inherit list. - - typeset -i count=0 pass=0 passcnt=0 isinherit=0 maxnumber=4 no_propagate=0 + typeset -i count=0 pass=0 passcnt=0 isinherit=0 no_propagate=0 log_must usr_exec $MKDIR -p $ndir3 log_must usr_exec $TOUCH $nfile1 $nfile2 $nfile3 @@ -150,7 +134,7 @@ function verify_inherit # [strategy] no_propagate=1 fi fi - # Verify ACE's for all the dirs/files under $basedir + # Verify ACEs for all the dirs/files under basedir for node in $allnodes; do if [[ " $non_inherit_nodes " == *" $node "* ]]; then no_inherit=1 @@ -160,87 +144,86 @@ function verify_inherit # [strategy] i=0 count=0 passcnt=0 - while ((i < maxnumber)); do - pass=0 - eval expect1=\$acl$i + while ((i < maxaces)); do + typeset expacl + + if [[ $inherit == "restricted" ]]; then + eval expacl=\$acls$i + else + eval expacl=\$acl$i + fi case $inherit in - noallow) - [[ $expect1 == *":allow" ]] && pass=1 - ;; - discard) - passcnt=maxnumber - break - ;; + noallow) + if [[ $expacl == *":allow" ]]; then + ((i = i + 1)) + continue + fi + ;; + discard) + ((passcnt = maxaces)) + break + ;; esac - if ((pass == 0 && no_inherit == 1)); then - aclaction=${expect1##*:} - acltemp=${expect1%:*} - # Verify ACE's for sub-directory - if [[ -d $node ]]; then - eval expect1=\$acl$i - acltemp=${expect1%:*} - if [[ $inherit_type == "directory" || \ - $inherit_type == "both" ]]; then - expect1=${acltemp}/inherited: - expect1=${expect1}${aclaction} - elif [[ $inherit_type == "file" ]]; then - if [[ $expect1 != \ - *"inherit_only"* ]]; then - # - # directory should append - # "inherit_only" if not have - # - expect1=${acltemp}${str1} - expect1=${expect1}${aclaction} - else - expect1=${acltemp}${str2} - expect1=${expect1}${aclaction} - fi - fi - aclcur=$(get_ACE $node $count) - aclcur=${aclcur#$count:} - if [[ $no_propagate == 0 ]]; then - if [[ $expect1 != $aclcur ]]; then - $LS -vd $basedir - $LS -vd $node - log_fail "$inherit $i #"\ - "$count ACE: $aclcur"\ - "expect to be $expect1" - fi + if ((no_inherit == 0)); then + ((i = i + 1)) + continue + fi + + if [[ -d $node ]]; then + # Verify ACEs for subdirectory + aclaction=${expacl##*:} + acltemp=${expacl%:*} + if [[ $inherit_type == "directory" || + $inherit_type == "both" ]]; then + expacl=${acltemp}${str2} + expacl=${expacl}${aclaction} + elif [[ $inherit_type == "file" ]]; then + if [[ $expacl != *"inherit_only"* ]]; then + # Directory should have + # "inherit_only" appended + expacl=${acltemp}${str1} + expacl=${expacl}${aclaction} else - # compare if directory has basic - # ACL's - compare_acls $node $odir - if [[ $? -ne 0 ]]; then - $LS -vd $basedir - $LS -vd $node - log_fail "Unexpect acl:"\ - " $node, $inherit" - "($str)" - fi + expacl=${acltemp}${str2} + expacl=${expacl}${aclaction} + fi + fi + aclcur=$(get_ACE $node $count) + aclcur=${aclcur#$count:} + if [[ $no_propagate == 0 ]]; then + if [[ $expacl != $aclcur ]]; then + $LS -vd $basedir + $LS -vd $node + log_fail "$inherit $i #$count" \ + "ACE: $aclcur," \ + "expected: $expacl" fi - # Verify ACE's for nested file - elif [[ -f $node ]]; then - compare_acls $node $ofile + else + # Compare if directory has trivial ACL + compare_acls $node $odir if [[ $? -ne 0 ]]; then $LS -vd $basedir $LS -vd $node - log_fail "Unexpect acl: $node," \ - "$inherit ($str)" + log_fail "unexpected ACE:" + "$node, $inherit ($str)" fi - fi - ((count = count + 1)) + # Verify ACE's for nested file + elif [[ -f $node ]]; then + compare_acls $node $ofile + if [[ $? -ne 0 ]]; then + $LS -vd $basedir + $LS -vd $node + log_fail "unexpected ACE:" \ + "$node, $inherit ($str)" + fi fi + ((count = count + 1)) ((i = i + 1)) done - # - # If there's no any ACE be checked, it should be identify as - # an normal file/dir, verify it. - # - - if ((passcnt == maxnumber)); then + # If there are no ACEs to be checked, compare the trivial ones. + if ((passcnt == maxaces)); then if [[ -d $node ]]; then compare_acls $node $odir elif [[ -f $node ]]; then @@ -250,32 +233,19 @@ function verify_inherit # [strategy] if [[ $? -ne 0 ]]; then $LS -vd $basedir $LS -vd $node - log_fail "Unexpect acl: $node, $inherit ($str)" + log_fail "Unexpected ACE: $node, $inherit ($str)" fi fi done } -typeset -i i=0 +typeset -i i=0 maxaces=4 typeset acl0 acl1 acl2 acl3 typeset acls0 acls1 acls2 acls3 -# -# Set aclmode=passthrough to make sure -# the acl will not change during chmod. -# A general testing should verify the combination of -# aclmode/aclinherit works well, -# here we just simple test them separately. -# - log_must $ZFS set aclmode=passthrough $TESTPOOL/$TESTFS for inherit in "${aclinherit_flag[@]}"; do - - # - # Set different value of aclinherit - # - log_must $ZFS set aclinherit=$inherit $TESTPOOL/$TESTFS for user in root $ZFS_ACL_STAFF1; do @@ -286,25 +256,20 @@ for inherit in "${aclinherit_flag[@]}"; do typeset inh_opt=$obj ((${#str} != 0)) && inh_opt=$inh_opt/$str - # - # Prepare 4 ACES, which should include : + # Prepare 4 ACES, which should include: # deny -> to verify "noallow" - # write_acl/write_owner -> to verify "secure" - # - - acl0=${ace_prefix1}":read_xattr/write_acl/" - acl0=${acl0}"write_owner:"${inh_opt}":deny" - acl1="$ace_prefix2:read_xattr/write_acl/" - acl1=${acl1}"write_owner:$inh_opt:allow" - acl2="$ace_prefix1:read_xattr:$inh_opt:deny" - acl3="$ace_prefix2:read_xattr:$inh_opt:allow" - - # - # The ACE filtered by write_acl/write_owner - # - - acls0="$ace_prefix1:read_xattr:$inh_opt:deny" - acls1="$ace_prefix2:read_xattr:$inh_opt:allow" + # write_acl/write_owner -> to verify "restricted" + acl0="${ace_prefix1}:read_xattr/write_acl" + acl0="${acl0}/write_owner:${inh_opt}:deny" + acl1="${ace_prefix2}:read_xattr/write_acl" + acl1="${acl1}/write_owner:${inh_opt}:allow" + acl2="${ace_prefix1}:read_xattr:${inh_opt}:deny" + acl3="${ace_prefix2}:read_xattr:${inh_opt}:allow" + + # The ACEs filtered by write_acl/write_owner + acls0=$acl0 + acls1="${ace_prefix2}:read_xattr" + acls1="${acls1}:${inh_opt}:allow" acls2=$acl2 acls3=$acl3 # @@ -319,12 +284,7 @@ for inherit in "${aclinherit_flag[@]}"; do i=3 while ((i >= 0)); do eval acl=\$acl$i - - # - # Place on a directory should succeed. - # log_must usr_exec $CHMOD A+$acl $basedir - ((i = i - 1)) done log_note "verify_inherit $inherit $obj $str" @@ -336,4 +296,5 @@ for inherit in "${aclinherit_flag[@]}"; do done done -log_pass "Verify chmod inherit behaviour co-op with aclinherit setting passed." +log_pass "Verify different inherit options combined with different" \ + "aclinherit property values" diff --git a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_003_pos.ksh b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_003_pos.ksh dissimilarity index 70% index 3ce7547f0f..28126d5071 100644 --- a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_003_pos.ksh +++ b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_003_pos.ksh @@ -1,406 +1,277 @@ -#!/bin/ksh -p -# -# CDDL HEADER START -# -# The contents of this file are subject to the terms of the -# Common Development and Distribution License (the "License"). -# You may not use this file except in compliance with the License. -# -# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE -# or http://www.opensolaris.org/os/licensing. -# See the License for the specific language governing permissions -# and limitations under the License. -# -# When distributing Covered Code, include this CDDL HEADER in each -# file and include the License file at usr/src/OPENSOLARIS.LICENSE. -# If applicable, add the following below this CDDL HEADER, with the -# fields enclosed by brackets "[]" replaced with your own identifying -# information: Portions Copyright [yyyy] [name of copyright owner] -# -# CDDL HEADER END -# - -# -# Copyright 2008 Sun Microsystems, Inc. All rights reserved. -# Use is subject to license terms. -# - -. $STF_SUITE/tests/functional/acl/acl_common.kshlib - -# -# DESCRIPTION: -# Verify chmod have correct behaviour to directory and file when -# filesystem has the different aclinherit setting -# -# STRATEGY: -# 1. Loop super user and non-super user to run the test case. -# 2. Create basedir and a set of subdirectores and files within it. -# 3. Separately chmod basedir with different inherite options, -# combine with the variable setting of aclinherit: -# "discard", "noallow", "secure" or "passthrough". -# 4. Then create nested directories and files like the following. -# -# ofile -# odir -# chmod --> basedir -| -# |_ nfile1 -# |_ ndir1 _ -# |_ nfile2 -# |_ ndir2 _ -# |_ nfile3 -# |_ ndir3 -# -# 5. Verify each directories and files have the correct access control -# capability. -# - -verify_runnable "both" - -function cleanup -{ - typeset dir - - # Cleanup basedir, compared file and dir. - - if [[ -f $ofile ]]; then - log_must $RM -f $ofile - fi - - for dir in $odir $basedir ; do - if [[ -d $dir ]]; then - log_must $RM -rf $dir - fi - done -} - -log_assert "Verify chmod have correct behaviour to directory and file when " \ - "filesystem has the different aclinherit setting." -log_onexit cleanup - -# Define inherit flag -typeset aclinherit_flag=(discard noallow secure passthrough) -typeset object_flag=("f-" "-d" "fd") -typeset strategy_flag=("--" "i-" "-n" "in") - -typeset ace_prefix1="owner@" -typeset ace_prefix2="group@" -typeset ace_prefix3="everyone@" -typeset ace_discard ace_noallow ace_secure ace_passthrough -typeset ace_secure_new - -# Defile the based directory and file -basedir=$TESTDIR/basedir; ofile=$TESTDIR/ofile; odir=$TESTDIR/odir - -# Define the files and directories will be created after chmod -ndir1=$basedir/ndir1; ndir2=$ndir1/ndir2; ndir3=$ndir2/ndir3 -nfile1=$basedir/nfile1; nfile2=$ndir1/nfile2; nfile3=$ndir2/nfile3 - -# Verify all the node have expected correct access control -allnodes="$ndir1 $ndir2 $ndir3 $nfile1 $nfile2 $nfile3" - -# -# According to inherited flag, verify subdirectories and files within it has -# correct inherited access control. -# -function verify_inherit # [strategy] -{ - # Define the nodes which will be affected by inherit. - typeset inherit_nodes - typeset inherit=$1 - typeset obj=$2 - typeset str=$3 - - # count: the ACE item to fetch - # pass: to mark if the current ACE should apply to the target - # maxnumber: predefine as 4 - # passcnt: counter, if it achieves to maxnumber, - # then no additional ACE should apply. - # isinherit: indicate if the current target is in the inherit list. - # step: indicate if the ACE be split during inherit. - - typeset -i count=0 pass=0 passcnt=0 isinherit=0 maxnumber=4 step=0 - - log_must usr_exec $MKDIR -p $ndir3 - log_must usr_exec $TOUCH $nfile1 $nfile2 $nfile3 - - # Get the files which inherited ACE. - if [[ ${obj:0:1} == "f" ]]; then - inherit_nodes="$inherit_nodes $nfile1" - - if [[ ${str:1:1} != "n" ]]; then - inherit_nodes="$inherit_nodes $nfile2 $nfile3" - fi - fi - # Get the directores which inherited ACE. - if [[ ${obj:1:1} == "d" ]]; then - inherit_nodes="$inherit_nodes $ndir1" - - if [[ ${str:1:1} != "n" ]]; then - inherit_nodes="$inherit_nodes $ndir2 $ndir3" - fi - fi - - for node in $allnodes; do - step=0 - if [[ " $inherit_nodes " == *" $node "* ]]; then - isinherit=1 - if [[ -d $node ]] ; then - step=1 - fi - else - isinherit=0 - fi - - i=0 - count=0 - passcnt=0 - while ((i < maxnumber)); do - pass=0 - eval expect1=\$acl$i - expect2=$expect1 - - # - # aclinherit=passthrough, - # inherit all inheritable ACL entries without any - # modifications made to the ACL entries when they - # are inherited. - # - # aclinherit=secure, - # any inheritable ACL entries will remove - # write_acl and write_owner permissions when the ACL entry is - # inherited. - # - # aclinherit=noallow, - # only inherit inheritable ACE that specify "deny" permissions - # - # aclinherit=discard - # will not inherit any ACL entries - # - - case $inherit in - passthrough) - action=${expect1##*:} - expect1=${expect1%:$action} - expect1=${expect1%-} - expect1=${expect1%I} - expect1=${expect1}I:$action - ;; - secure) - eval expect2=\$acls$i - ;; - noallow) - if [[ $expect1 == *":allow" ]] ; then - pass=1 - ((passcnt = passcnt + 1)) - else - eval expect2=\$acls$i - fi - ;; - discard) - passcnt=maxnumber - break - ;; - esac - - if ((pass == 0)) ; then - acltemp=${expect2%:*} - acltemp=${acltemp%:*} - aclaction=${expect2##*:} - expect2=${acltemp}:------I:${aclaction} - - acltemp=${expect1%:*} - inh=${acltemp##*:} - - if [[ -d $node ]]; then - if [[ ${inh:3:1} == "n" ]]; then - - # - # if no_propagate is set, - # then clear all inherit flags, - # only one ACE should left. - # - - step=0 - expect1="" - - elif [[ ${inh:2:1} != "i" ]]; then - - # - # directory should append - # "inherit_only" if not have - # - acltemp=${acltemp%i*} - expect1=${acltemp}i---I:${aclaction} - else - acltemp=${acltemp%-} - acltemp=${acltemp%I} - expect1=${acltemp}I:${aclaction} - fi - - # - # cleanup the first ACE if the directory - # not in inherit list - # - - if ((isinherit == 0)); then - expect1="" - fi - elif [[ -f $node ]] ; then - expect1="" - fi - - # Get the first ACE to do comparison - - aclcur=$(get_ACE $node $count compact) - aclcur=${aclcur#$count:} - if [[ -n $expect1 && $expect1 != $aclcur ]]; then - $LS -Vd $basedir - $LS -Vd $node - log_fail "$inherit $i #$count " \ - "ACE: $aclcur, expect to be " \ - "$expect1" - fi - - # - # Get the second ACE (if should have) to do - # comparison - # - if ((step > 0)); then - ((count = count + step)) - - aclcur=$(get_ACE $node $count compact) - aclcur=${aclcur#$count:} - if [[ -n $expect2 && \ - $expect2 != $aclcur ]]; then - - $LS -Vd $basedir - $LS -Vd $node - log_fail "$inherit $i " \ - "#$count ACE: $aclcur, " \ - "expect to be $expect2" - fi - fi - ((count = count + 1)) - fi - ((i = i + 1)) - done - - # - # If there's no any ACE be checked, it should be identify as - # an normal file/dir, verify it. - # - - if ((passcnt == maxnumber)); then - if [[ -d $node ]]; then - compare_acls $node $odir - elif [[ -f $node ]]; then - compare_acls $node $ofile - fi - - if [[ $? -ne 0 ]]; then - $LS -Vd $basedir - $LS -Vd $node - log_fail "Unexpect acl: $node, $inherit ($str)" - fi - fi - done -} - -typeset -i i=0 -typeset acl0 acl1 acl2 acl3 -typeset acls0 acls1 acls2 acls3 - -# -# Set aclmode=passthrough to make sure -# the acl will not change during chmod. -# A general testing should verify the combination of -# aclmode/aclinherit works well, -# here we just simple test them separately. -# - -log_must $ZFS set aclmode=passthrough $TESTPOOL/$TESTFS - -for inherit in "${aclinherit_flag[@]}"; do - - # - # Set different value of aclinherit - # - - log_must $ZFS set aclinherit=$inherit $TESTPOOL/$TESTFS - - for user in root $ZFS_ACL_STAFF1; do - log_must set_cur_usr $user - - for obj in "${object_flag[@]}"; do - for str in "${strategy_flag[@]}"; do - typeset inh_opt=$obj - ((${#str} != 0)) && inh_opt=${inh_opt}${str}-- - - inh_a=${inh_opt}- - inh_b=${inh_opt}I - - # - # Prepare 4 ACES, which should include : - # deny -> to verify "noallow" - # write_acl/write_owner -> to verify "secure" - # - - acl0="$ace_prefix1:rwxp---A-W-Co-:${inh_a}:allow" - acl1="$ace_prefix2:rwxp---A-W-Co-:${inh_a}:deny" - acl2="$ace_prefix3:rwxp---A-W-Co-:${inh_a}:allow" - acl3="$ace_prefix1:-------A-W----:${inh_a}:deny" - acl4="$ace_prefix2:-------A-W----:${inh_a}:allow" - acl5="$ace_prefix3:-------A-W----:${inh_a}:deny" - - - # - # The ACE filtered by write_acl/write_owner - # - - if [[ $inheri == "passthrough" ]]; then - acls0="$ace_prefix1:rwxp---A-W----:${inh_b}:allow" - acls1="$ace_prefix2:rwxp---A-W----:${inh_b}:deny" - acls2="$ace_prefix3:rwxp---A-W----:${inh_b}:allow" - acls3="$ace_prefix1:rwxp---A-W----:${inh_b}:deny" - acls4="$ace_prefix2:rwxp---A-W----:${inh_b}:allow" - acls5="$ace_prefix3:rwxp---A-W----:${inh_b}:deny" - else - acls0="$ace_prefix1:-------A-W----:${inh_b}:allow" - acls1="$ace_prefix2:-------A-W-Co-:${inh_b}:deny" - acls2="$ace_prefix3:-------A-W----:${inh_b}:allow" - acls3="$ace_prefix1:-------A-W----:${inh_b}:deny" - acls4="$ace_prefix2:-------A-W----:${inh_b}:allow" - acls5="$ace_prefix3:-------A-W----:${inh_b}:deny" - fi - - # - # Create basedir and tmp dir/file - # for comparison. - # - - log_note "$user: $CHMOD $acl $basedir" - log_must usr_exec $MKDIR $basedir - log_must usr_exec $MKDIR $odir - log_must usr_exec $TOUCH $ofile - - i=5 - while ((i >= 0)); do - eval acl=\$acl$i - - # - # Place on a directory should succeed. - # - log_must usr_exec $CHMOD A+$acl $basedir - - ((i = i - 1)) - done - - verify_inherit $inherit $obj $str - - log_must usr_exec $RM -rf $ofile $odir $basedir - done - done - done -done - -log_pass "Verify chmod inherit behaviour co-op with aclinherit setting passed." +#!/bin/ksh -p +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# + +# +# Copyright 2008 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# + +# +# Copyright 2016 Nexenta Systems, Inc. +# + +. $STF_SUITE/tests/functional/acl/acl_common.kshlib + +# DESCRIPTION: +# Verify chmod have correct behaviour to directory and file when +# filesystem has the different aclinherit setting +# +# STRATEGY: +# 1. Use both super user and non-super user to run the test case. +# 2. Create basedir and a set of subdirectores and files within it. +# 3. Separately chmod basedir with different inherite options, +# combine with the variable setting of aclinherit: +# "discard", "noallow", "restricted" or "passthrough". +# 4. Then create nested directories and files like the following. +# +# ofile +# odir +# chmod --> basedir -| +# |_ nfile1 +# |_ ndir1 _ +# |_ nfile2 +# |_ ndir2 _ +# |_ nfile3 +# |_ ndir3 +# +# 5. Verify each directories and files have the correct access control +# capability. + +verify_runnable "both" + +function cleanup +{ + [[ -f $ofile ]] && log_must $RM -f $ofile + [[ -d $odir ]] && log_must $RM -rf $odir + [[ -d $basedir ]] && log_must $RM -rf $basedir +} + +log_assert "Verify chmod have correct behaviour to directory and file when" \ + "filesystem has the different aclinherit setting" +log_onexit cleanup + +# Define inherit flag +typeset aclinherit_flag=("discard" "noallow" "restricted" "passthrough") +typeset object_flag=("f-" "-d" "fd") +typeset strategy_flag=("--" "i-" "-n" "in") + +typeset ace_prefix1="owner@" +typeset ace_prefix2="group@" +typeset ace_prefix3="everyone@" + +# Define the base directory and file +basedir=$TESTDIR/basedir; ofile=$TESTDIR/ofile; odir=$TESTDIR/odir + +# Define the files and directories that will be created after chmod +ndir1=$basedir/ndir1; ndir2=$ndir1/ndir2; ndir3=$ndir2/ndir3 +nfile1=$basedir/nfile1; nfile2=$ndir1/nfile2; nfile3=$ndir2/nfile3 + +# Verify all nodes have expected correct access control +allnodes="$ndir1 $ndir2 $ndir3 $nfile1 $nfile2 $nfile3" + +# According to inherited flag, verify subdirectories and files within it has +# correct inherited access control. +function verify_inherit # [strategy] +{ + # Define the nodes which will be affected by inherit. + typeset inherit_nodes + typeset inherit=$1 + typeset obj=$2 + typeset str=$3 + + log_must usr_exec $MKDIR -p $ndir3 + log_must usr_exec $TOUCH $nfile1 $nfile2 $nfile3 + + # Check if we have any inheritance flags set + if [[ $obj != "--" ]]; then + # Files should have inherited ACEs only if file_inherit is set + if [[ ${obj:0:1} == "f" ]]; then + inherit_nodes="$inherit_nodes $nfile1" + if [[ ${str:1:1} != "n" ]]; then + inherit_nodes="$inherit_nodes $nfile2 $nfile3" + fi + fi + + # Directories should have inherited ACEs if file_inherit without + # no_propagate and/or dir_inherit is set + if [[ (${obj:0:1} == "f" && ${str:1:1} != "n") || + ${obj:1:1} == "d" ]]; then + inherit_nodes="$inherit_nodes $ndir1" + if [[ ${str:1:1} != "n" ]]; then + inherit_nodes="$inherit_nodes $ndir2 $ndir3" + fi + fi + fi + + for node in $allnodes; do + typeset -i i=0 count=0 inherited=0 + typeset expacl perm inh act + + if [[ "$inherit_nodes" == *"$node"* ]]; then + inherited=1 + fi + + while ((i < $maxaces)); do + # If current node isn't in inherit list, there's + # nothing to check, skip to checking trivial ACL + if ((inherited == 0)); then + ((count = maxaces + 1)) + break + fi + + eval expacl=\$acl$i + case $inherit in + discard) + # Do not inherit any ACEs + ((count = maxaces + 1)) + break + ;; + noallow) + # Only inherit inheritable ACEs that specify + # "deny" permissions + if [[ $expacl == *":allow" ]] ; then + ((i = i + 1)) + continue + fi + ;; + restricted) + # Remove write_acl and write_owner permissions + # when the ACEs is inherited + eval expacl=\$acls$i + ;; + passthrough) + ;; + esac + + perm=${expacl%:*} + inh=${perm##*:} + inh=${inh:0:2} + perm=${perm%:*} + act=${expacl##*:} + + if [[ -d $node ]]; then + # Clear inheritance flags if no_propagate is set + if [[ ${str:1:1} == "n" ]]; then + inh="--" + fi + expacl="$perm:$inh" + # Set inherit_only if there's a file_inherit + # without dir_inherit + if [[ ${obj:0:1} == "f" && + ${obj:1:1} != "d" ]]; then + expacl="${expacl}i---I:$act" + else + expacl="${expacl}----I:$act" + fi + elif [[ -f $node ]] ; then + expacl="$perm:------I:$act" + fi + + aclcur=$(get_ACE $node $count compact) + aclcur=${aclcur#$count:} + if [[ -n $expacl && $expacl != $aclcur ]]; then + $LS -Vd $basedir + $LS -Vd $node + log_fail "$inherit $i #$count" \ + "expected: $expacl, current: $aclcur" + fi + + ((i = i + 1)) + ((count = count + 1)) + done + + # There were no non-trivial ACEs to check, do the trivial ones + if ((count == maxaces + 1)); then + if [[ -d $node ]]; then + compare_acls $node $odir + elif [[ -f $node ]]; then + compare_acls $node $ofile + fi + + if [[ $? -ne 0 ]]; then + $LS -Vd $basedir + $LS -Vd $node + log_fail "unexpected acl: $node," \ + "$inherit ($str)" + fi + fi + + done +} + +typeset -i i=0 maxaces=6 +typeset acl0 acl1 acl2 acl3 acl4 acl5 +typeset acls0 acls1 acls2 acls3 acls4 acls5 + +log_must $ZFS set aclmode=passthrough $TESTPOOL/$TESTFS + +for inherit in "${aclinherit_flag[@]}"; do + log_must $ZFS set aclinherit=$inherit $TESTPOOL/$TESTFS + + for user in root $ZFS_ACL_STAFF1; do + log_must set_cur_usr $user + + for obj in "${object_flag[@]}"; do + for str in "${strategy_flag[@]}"; do + typeset inh_opt=$obj + ((${#str} != 0)) && inh_opt="${inh_opt}${str}--" + + inh_a="${inh_opt}-" + inh_b="${inh_opt}I" + + # deny - to verify "noallow" + # write_acl/write_owner - to verify "restricted" + acl0="$ace_prefix1:-------A-W-Co-:$inh_a:allow" + acl1="$ace_prefix2:-------A-W-Co-:$inh_a:deny" + acl2="$ace_prefix3:-------A-W-Co-:$inh_a:allow" + acl3="$ace_prefix1:-------A-W----:$inh_a:deny" + acl4="$ace_prefix2:-------A-W----:$inh_a:allow" + acl5="$ace_prefix3:-------A-W----:$inh_a:deny" + + # ACEs filtered by write_acl/write_owner + acls0="$ace_prefix1:-------A-W----:$inh_b:allow" + acls1="$ace_prefix2:-------A-W-Co-:$inh_b:deny" + acls2="$ace_prefix3:-------A-W----:$inh_b:allow" + acls3="$ace_prefix1:-------A-W----:$inh_b:deny" + acls4="$ace_prefix2:-------A-W----:$inh_b:allow" + acls5="$ace_prefix3:-------A-W----:$inh_b:deny" + + log_must usr_exec $MKDIR $basedir + log_must usr_exec $MKDIR $odir + log_must usr_exec $TOUCH $ofile + + ((i = maxaces - 1)) + while ((i >= 0)); do + eval acl=\$acl$i + log_must usr_exec $CHMOD A+$acl $basedir + ((i = i - 1)) + done + + verify_inherit $inherit $obj $str + + log_must usr_exec $RM -rf $ofile $odir $basedir + done + done + done +done + +log_pass "Verify chmod inherit behaviour co-op with aclinherit setting passed" diff --git a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_004_pos.ksh b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_004_pos.ksh dissimilarity index 66% index 0ecf85eccb..98b5568e8d 100644 --- a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_004_pos.ksh +++ b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_004_pos.ksh @@ -1,149 +1,115 @@ -#!/bin/ksh -p -# -# CDDL HEADER START -# -# The contents of this file are subject to the terms of the -# Common Development and Distribution License (the "License"). -# You may not use this file except in compliance with the License. -# -# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE -# or http://www.opensolaris.org/os/licensing. -# See the License for the specific language governing permissions -# and limitations under the License. -# -# When distributing Covered Code, include this CDDL HEADER in each -# file and include the License file at usr/src/OPENSOLARIS.LICENSE. -# If applicable, add the following below this CDDL HEADER, with the -# fields enclosed by brackets "[]" replaced with your own identifying -# information: Portions Copyright [yyyy] [name of copyright owner] -# -# CDDL HEADER END -# - -# -# Copyright 2009 Sun Microsystems, Inc. All rights reserved. -# Use is subject to license terms. -# - -# -# Copyright (c) 2012 by Delphix. All rights reserved. -# - -. $STF_SUITE/tests/functional/acl/acl_common.kshlib - -# -# DESCRIPTION: -# Verify aclinherit=passthrough-x will inherit the 'x' bits while mode request. -# -# STRATEGY: -# 1. Loop super user and non-super user to run the test case. -# 2. Create basedir and a set of subdirectores and files within it. -# 3. Set aclinherit=passthrough-x -# 4. Verify only passthrough-x will inherit the 'x' bits while mode request. -# - -verify_runnable "both" - -function cleanup -{ - if [[ -d $basedir ]]; then - log_must $RM -rf $basedir - fi -} -$ZPOOL upgrade -v -$ZPOOL upgrade -v | $GREP "passthrough-x aclinherit" > /dev/null 2>&1 -if (($? != 0)); then - log_unsupported "passthrough-x aclinherit not supported." -fi - -log_assert "Verify aclinherit=passthrough-x will inherit the 'x' bits while" \ - " mode request." -log_onexit cleanup - -set -A aces \ - "owner@:read_data/write_data/add_subdirectory/append_data/execute:dir_inherit/inherit_only:allow" \ - "owner@:read_data/write_data/add_subdirectory/append_data/execute::allow" \ - "group@:add_subdirectory/append_data/execute:dir_inherit/inherit_only:allow" \ - "group@:add_subdirectory/append_data/execute::allow" \ - "everyone@:add_subdirectory/append_data/execute:dir_inherit/inherit_only:allow" \ - "everyone@:add_subdirectory/append_data/execute::allow" \ - "owner@:read_data/write_data/add_subdirectory/append_data/execute:file_inherit/inherit_only:allow" \ - "group@:read_data/add_subdirectory/append_data/execute:file_inherit/inherit_only:allow" \ - "everyone@:read_data/add_subdirectory/append_data/execute:file_inherit/inherit_only:allow" - -# Defile the based directory and file -basedir=$TESTDIR/basedir - - -# -# According to inherited flag, verify subdirectories and files within it has -# correct inherited access control. -# -function verify_inherit # -{ - typeset obj=$1 - - # Define the files and directories will be created after chmod - ndir1=$obj/ndir1; ndir2=$ndir1/ndir2 - nfile1=$ndir1/nfile1.c; nfile2=$ndir1/nfile2 - - log_must usr_exec $MKDIR -p $ndir1 - - typeset -i i=0 - while ((i < ${#aces[*]})); do - if ((i < 3)); then - log_must usr_exec $CHMOD A$i=${aces[i]} $ndir1 - else - log_must usr_exec $CHMOD A$i+${aces[i]} $ndir1 - fi - ((i = i + 1)) - done - log_must usr_exec $MKDIR -p $ndir2 - log_must usr_exec $TOUCH $nfile1 - - $CAT > $nfile1 < -#include -int main() -{ return 0; } -EOF - - mode=$(get_mode $ndir2) - if [[ $mode != "drwx--x--x"* ]]; then - log_fail "Unexpect mode of $ndir2, expect: drwx--x--x, current: $mode" - fi - - mode=$(get_mode $nfile1) - if [[ $mode != "-rw-r--r--"* ]]; then - log_fail "Unexpect mode of $nfile1, expect: -rw-r--r--, current: $mode" - fi - - if [[ -x /usr/sfw/bin/gcc ]]; then - log_must /usr/sfw/bin/gcc -o $nfile2 $nfile1 - mode=$(get_mode $nfile2) - if [[ $mode != "-rwxr-xr-x"* ]]; then - log_fail "Unexpect mode of $nfile2, expect: -rwxr-xr-x, current: $mode" - fi - fi -} - -# -# Set aclmode=passthrough to make sure -# the acl will not change during chmod. -# A general testing should verify the combination of -# aclmode/aclinherit works well, -# here we just simple test them separately. -# - -log_must $ZFS set aclmode=passthrough $TESTPOOL/$TESTFS -log_must $ZFS set aclinherit=passthrough-x $TESTPOOL/$TESTFS - -for user in root $ZFS_ACL_STAFF1; do - log_must set_cur_usr $user - - verify_inherit $basedir - - cleanup -done - -log_pass "Verify aclinherit=passthrough-x will inherit the 'x' bits while mode request." +#!/bin/ksh -p +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# + +# +# Copyright 2009 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# + +# Copyright (c) 2012 by Delphix. All rights reserved. +# Copyright 2016 Nexenta Systems, Inc. +# + +. $STF_SUITE/tests/functional/acl/acl_common.kshlib + +# DESCRIPTION: +# Verify aclinherit=passthrough-x will inherit the execute permission only if +# file creation mode requests it. +# +# STRATEGY: +# 1. Use both super user and non-super user to run the test case. +# 2. Set aclinherit=passthrough-x +# 3. Create basedir and a set of files, one with 644 and one with 755 mode. +# 4. Verify that execute permission is inherited only if file creation mode +# requests them. + +verify_runnable "both" + +function cleanup +{ + [[ -d $basedir ]] && log_must $RM -rf $basedir +} + +log_assert "aclinherit=passthrough-x should inherit the execute permission" \ + "only if file creation mode requests it" +log_onexit cleanup + +set -A aces \ + "owner@:rwxp:f:allow" \ + "group@:rxp:f:allow" \ + "everyone@:rxp:f:allow" + +typeset basedir="$TESTDIR/basedir" +typeset nfile1="$basedir/nfile1" nfile2="$basedir/nfile2" + +function check_execute_bit +{ + typeset ace + typeset file=$1 + typeset -i i=0 + + while ((i < 6)); do + ace=$(get_ACE $file $i) + if [[ "$ace" == *"execute"* ]]; then + return 0 + fi + ((i = i + 1)) + done + + return 1 +} + +function verify_inherit +{ + typeset -i i=0 + + log_must usr_exec $MKDIR $basedir + + # Modify owner@, group@ and everyone@ ACEs to include execute + # permission (see above), and make them file-inheritable + while ((i < ${#aces[*]})); do + log_must usr_exec $CHMOD A$i=${aces[i]} $basedir + ((i = i + 1)) + done + + # Create file with 644 mode + log_must usr_exec $TOUCH $nfile1 + # Check that execute permission wasn't inherited + log_mustnot check_execute_bit $nfile1 + + # Use cp(1) to copy over /usr/bin/true + log_must usr_exec $CP $TRUE $nfile2 + # Check that execute permission was inherited + log_must check_execute_bit $nfile2 +} + +log_must $ZFS set aclmode=passthrough $TESTPOOL/$TESTFS +log_must $ZFS set aclinherit=passthrough-x $TESTPOOL/$TESTFS + +for user in root $ZFS_ACL_STAFF1; do + log_must set_cur_usr $user + verify_inherit + cleanup +done + +log_pass "aclinherit=passthrough-x should inherit the execute permission" \ + "only if file creation mode requests it" -- 2.11.4.GIT