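#!/bin/ksh -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

#
# Copyright (c) 2016 by Delphix. All rights reserved.
# Copyright 2023 RackTop Systems, Inc.
#

. $STF_SUITE/tests/functional/acl/acl_common.kshlib

#
# DESCRIPTION:
#	Verify that read_acl/write_acl assigned to owner@/group@/everyone@,
#	a specified user and a specified group grant (or deny) exactly the
#	expected access to the ACL of a file and of a directory.
#
# STRATEGY:
#	1. Separately verify file and directory were assigned
#	   read_acl/write_acl by root and by a non-root user.
#	2. Verify the owner can read and write the ACL.
#	3. Verify group access permission when group@ was assigned
#	   read_acl/write_acl.
#	4. Verify access permission after everyone@ was assigned
#	   read_acl/write_acl.
#	5. Verify that when everyone@ is denied, only the specified user can
#	   read and write the ACL.
#	6. Verify that when the group is denied, only the specified user can
#	   read and write the ACL.
#
# NOTES:
#	Every scenario is run with aclimplicit=on and aclimplicit=off.  The
#	expectation encoded in check_owner is that with aclimplicit=on (or as
#	root) the owner can still modify the ACL despite an explicit
#	owner@:write_acl:deny, whereas with aclimplicit=off a non-root owner
#	must be refused.  Because a non-root user may therefore be unable to
#	remove a write_acl:deny ACE it just added, every such ACE is removed
#	as root.
#

verify_runnable "both"

log_assert "Verify chmod A[number]{+|-|=} read_acl/write_acl have correct " \
	"behaviour to access permission."

#
# Exit handler: put the dataset's ACL properties back before running the
# library cleanup, so a failure in the middle of the aclimplicit=off pass does
# not leave aclmode/aclinherit=passthrough behind for later tests.  No log_must
# here: a failure inside the exit handler must not recurse into the logger.
#
function restore_acl_props
{
	zfs inherit aclmode $TESTPOOL/$TESTFS
	zfs inherit aclinherit $TESTPOOL/$TESTFS
	zfs inherit aclimplicit $TESTPOOL/$TESTFS
	cleanup
}
log_onexit restore_acl_props

#
# read_ACL <node> <user1> [<user2> ...]
#
# Read the ACL of <node> (ls -v) as each listed user in turn.
# Returns 0 when every user succeeded, otherwise the exit status of the
# first user that was refused.
#
function read_ACL
{
	typeset node=$1
	typeset user
	typeset -i ret

	shift
	for user in "$@"; do
		chgusr_exec $user ls -vd $node > /dev/null 2>&1
		ret=$?
		(( ret != 0 )) && return $ret
	done

	return 0
}

#
# write_ACL <node> <user1> [<user2> ...]
#
# Modify the ACL of <node> as each listed user in turn: add a harmless
# owner@:read_data:allow ACE at index 0, confirm the ACE count grew by
# exactly one, then remove that ACE again.
# Returns 0 when every user could both add and remove the ACE, otherwise a
# non-zero status.  NOTE: if the add succeeds but the remove fails, the
# extra ACE is left at index 0 and the caller's own "chmod A0-" will remove
# it instead of the ACE under test.
#
function write_ACL
{
	typeset node=$1
	typeset user
	typeset -i ret before_cnt after_cnt

	shift
	for user in "$@"; do
		before_cnt=$(count_ACE $node)
		ret=$?
		(( ret != 0 )) && return $ret

		chgusr_exec $user chmod A0+owner@:read_data:allow $node
		ret=$?
		(( ret != 0 )) && return $ret

		after_cnt=$(count_ACE $node)
		ret=$?
		(( ret != 0 )) && return $ret

		chgusr_exec $user chmod A0- $node
		ret=$?
		(( ret != 0 )) && return $ret

		# exactly one ACE must have been added by the chmod above
		(( after_cnt - before_cnt != 1 )) && return 1
	done

	return 0
}

#
# check_owner <node>
#
# Assign read_acl/write_acl to owner@ as allow and then as deny and verify
# what the current user (the owner) may do.  Reading the ACL is expected to
# succeed in every case; writing it must succeed unless the ACE is a deny,
# the user is not root and aclimplicit=off.
#
function check_owner
{
	typeset node=$1
	typeset acc log

	for acc in allow deny; do
		if [[ $aclimplicit == on || $acc == allow ||
		    $ZFS_ACL_CUR_USER == root ]]; then
			log=log_must
		else
			log=log_mustnot
		fi

		log_must usr_exec \
		    chmod A0+owner@:read_acl/write_acl:$acc $node
		# at this time the owner can always read the acl
		log_must read_ACL $node $ZFS_ACL_CUR_USER
		$log write_ACL $node $ZFS_ACL_CUR_USER
		# only root can reliably remove a write_acl:deny ACE
		log_must chgusr_exec root chmod A0- $node
	done
}

#
# check_group <node>
#
# Assign read_acl/write_acl to group@ as allow and then as deny and verify
# that a *different* member of the owning group (ZFS_ACL_ADMIN when running
# as root, ZFS_ACL_STAFF2 when running as ZFS_ACL_STAFF1) gains and loses
# ACL access accordingly.  The driver loop below only ever sets
# ZFS_ACL_CUR_USER to one of those two users.
#
function check_group
{
	typeset node=$1
	typeset grp_usr=""

	case $ZFS_ACL_CUR_USER in
	root)
		grp_usr=$ZFS_ACL_ADMIN
		;;
	$ZFS_ACL_STAFF1)
		grp_usr=$ZFS_ACL_STAFF2
		;;
	esac

	log_must usr_exec chmod A0+group@:read_acl/write_acl:allow $node
	log_must read_ACL $node $grp_usr
	log_must write_ACL $node $grp_usr
	log_must usr_exec chmod A0- $node

	log_must usr_exec chmod A0+group@:read_acl/write_acl:deny $node
	log_mustnot read_ACL $node $grp_usr
	log_mustnot write_ACL $node $grp_usr
	# only root can reliably remove a write_acl:deny ACE
	log_must chgusr_exec root chmod A0- $node
}

#
# check_everyone <node>
#
# Assign read_acl/write_acl to everyone@ as allow and then as deny and
# verify that two unrelated users (ZFS_ACL_OTHER1/2) can, respectively
# cannot, read and write the ACL.
#
function check_everyone
{
	typeset node=$1
	typeset flag log

	for flag in allow deny; do
		if [[ $flag == allow ]]; then
			log=log_must
		else
			log=log_mustnot
		fi

		log_must usr_exec \
		    chmod A0+everyone@:read_acl/write_acl:$flag $node

		$log read_ACL $node $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2
		$log write_ACL $node $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2

		# only root can reliably remove a write_acl:deny ACE
		log_must chgusr_exec root chmod A0- $node
	done
}

#
# check_spec_user <node>
#
# Deny read_acl/write_acl to everyone@, then (as root) allow it to one
# specific user placed ahead of the deny.  Only that user may read and
# write the ACL; every other user must be refused.
#
function check_spec_user
{
	typeset node=$1

	log_must usr_exec chmod A0+everyone@:read_acl/write_acl:deny $node
	log_must chgusr_exec root \
	    chmod A0+user:$ZFS_ACL_OTHER1:read_acl/write_acl:allow $node

	# The specified user can read and write the acl
	log_must read_ACL $node $ZFS_ACL_OTHER1
	log_must write_ACL $node $ZFS_ACL_OTHER1

	# All the other users can't read or write the acl
	log_mustnot \
	    read_ACL $node $ZFS_ACL_ADMIN $ZFS_ACL_STAFF2 $ZFS_ACL_OTHER2
	log_mustnot \
	    write_ACL $node $ZFS_ACL_ADMIN $ZFS_ACL_STAFF2 $ZFS_ACL_OTHER2

	# remove both ACEs; only root can reliably remove the write_acl:deny
	log_must chgusr_exec root chmod A0- $node
	log_must chgusr_exec root chmod A0- $node
}

#
# check_spec_group <node>
#
# Deny read_acl/write_acl to everyone@, then (as root) allow it to a
# specific group placed ahead of the deny.  Members of that group
# (ZFS_ACL_OTHER1/2) may read and write the ACL; non-members must be
# refused.
#
function check_spec_group
{
	typeset node=$1

	log_must usr_exec chmod A0+everyone@:read_acl/write_acl:deny $node
	log_must chgusr_exec root chmod \
	    A0+group:$ZFS_ACL_OTHER_GROUP:read_acl/write_acl:allow $node

	# The specified group can read and write the acl
	log_must read_ACL $node $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2
	log_must write_ACL $node $ZFS_ACL_OTHER1 $ZFS_ACL_OTHER2

	# All the other users can't read or write the acl
	log_mustnot read_ACL $node $ZFS_ACL_ADMIN $ZFS_ACL_STAFF2
	log_mustnot write_ACL $node $ZFS_ACL_ADMIN $ZFS_ACL_STAFF2

	# remove both ACEs; only root can reliably remove the write_acl:deny
	log_must chgusr_exec root chmod A0- $node
	log_must chgusr_exec root chmod A0- $node
}

#
# check_user_in_group <node>
#
# Deny read_acl/write_acl to a group, then allow it to one member of that
# group with an ACE placed ahead of the deny.  The first matching ACE wins:
# that member may read and write the ACL, another member may not.
# Neither ACE targets the current user, so the owner can remove both.
#
function check_user_in_group
{
	typeset node=$1

	log_must usr_exec chmod \
	    A0+group:$ZFS_ACL_OTHER_GROUP:read_acl/write_acl:deny $node
	log_must usr_exec chmod \
	    A0+user:$ZFS_ACL_OTHER1:read_acl/write_acl:allow $node
	log_must read_ACL $node $ZFS_ACL_OTHER1
	log_must write_ACL $node $ZFS_ACL_OTHER1
	log_mustnot read_ACL $node $ZFS_ACL_OTHER2
	log_mustnot write_ACL $node $ZFS_ACL_OTHER2

	log_must usr_exec chmod A0- $node
	log_must usr_exec chmod A0- $node
}

set -A func_name check_owner \
	check_group \
	check_everyone \
	check_spec_user \
	check_spec_group \
	check_user_in_group

typeset aclimplicit=$(zfs get -Ho value aclimplicit $TESTPOOL/$TESTFS)
typeset val user func node

for val in on off; do
	log_must zfs set aclimplicit=$val $TESTPOOL/$TESTFS
	# re-read the effective value; check_owner keys its expectation on it
	aclimplicit=$(zfs get -Ho value aclimplicit $TESTPOOL/$TESTFS)
	if [[ $val == off ]]; then
		# aclimplicit=off also needs aclmode=passthrough and
		# aclinherit=passthrough
		log_must zfs set aclmode=passthrough $TESTPOOL/$TESTFS
		log_must zfs set aclinherit=passthrough $TESTPOOL/$TESTFS
	fi

	# every scenario is exercised both as root and as a non-root owner
	for user in root $ZFS_ACL_STAFF1; do
		log_must set_cur_usr $user

		log_must usr_exec touch $testfile
		log_must usr_exec mkdir $testdir

		for func in "${func_name[@]}"; do
			for node in $testfile $testdir; do
				# direct call; no eval needed for a plain
				# function name and a single path argument
				$func $node
			done
		done

		log_must usr_exec rm -rf $testfile $testdir
	done
done

# restore defaults (also done by the exit handler on any failure path)
log_must zfs inherit aclmode $TESTPOOL/$TESTFS
log_must zfs inherit aclinherit $TESTPOOL/$TESTFS
log_must zfs inherit aclimplicit $TESTPOOL/$TESTFS

log_pass "Verify chmod A[number]{+|-|=} read_acl/write_acl passed."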