1#!/bin/ksh -p
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or http://www.opensolaris.org/os/licensing.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22
23#
24# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
25# Use is subject to license terms.
26#
27
28#
29# Copyright (c) 2012, 2016 by Delphix. All rights reserved.
30#
31
32. $STF_SUITE/tests/functional/acl/acl_common.kshlib
33
#
# DESCRIPTION:
#	Verify that an explicit ACL entry set for a specified user or group
#	overrides the existing access rule.
#
# STRATEGY:
#	1. Loop over the root and non-root users.
#	2. Loop over the specified access types one by one.
#	3. For each, verify the explicit ACL set for the specified user and group.
#
44
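# Declare where this test may run. verify_runnable is not defined in this
# file; "both" presumably means global and non-global zones -- confirm
# against the suite library.
verify_runnable "both"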
46
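#
# Run one access probe and check it against the expected outcome.
#
# Arguments:
#	$1 log    - assertion wrapper the probe runs under (callers in this
#	            file pass log_must or log_mustnot)
#	$2 user   - account the probe runs as
#	$3 node   - file or directory under test
#	$4 access - access type being probed (read_data, write_data, execute)
#	$5 rflag  - ACE type of the user/group entry under test: allow or deny
#
# Every expansion is quoted. An empty $log would otherwise vanish and leave
# rwx_node running with no assertion around it, and an empty user or node
# would shift the remaining arguments one position to the left.
#
# Kept in the "function name" form: in ksh93 that is the form in which
# typeset variables are local to the function.
#
function check_access #log user node access rflag
{
	typeset log=$1
	typeset user=$2
	typeset node=$3
	typeset access=$4
	typeset rflag=$5

	if [[ $rflag == "allow" && $access == execute ]]; then
		# The probe runs without a wrapper here because its exit
		# status is not the signal; the error text is.
		rwx_node "$user" "$node" "$access"
		#
		# With everyone@ denied, the node itself cannot be executed.
		# A "cannot execute" error therefore means the permission
		# check passed for this user and only the execution failed.
		#
		# NOTE(review): this matches the literal wording of the error
		# text that rwx_node presumably leaves in ZFS_ACL_ERR_STR; a
		# different shell or locale may word it differently -- confirm
		# the suite pins both.
		#
		if [[ $ZFS_ACL_ERR_STR == *"cannot execute"* ]]; then
			log_note "SUCCESS: rwx_node $user $node $access"
		else
			log_fail "FAIL: rwx_node $user $node $access"
		fi
	else
		"$log" rwx_node "$user" "$node" "$access"
	fi
}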
71
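#
# Check that an explicit user or group ACE takes precedence over a broader
# entry of the opposite type.
#
# Arguments:
#	$1 node   - file or directory under test
#	$2 access - access type to test (read_data, write_data, execute)
#	$3 flag   - ACE type given to the broad entry: allow or deny; the
#	            explicit entry gets the opposite type
#
# Each "chmod A+..." below adds one ACE and each "chmod A0-" removes the ACE
# at index 0, so every stanza removes as many entries as it added before the
# next one starts. The first stanza leaves its everyone@ entry in place for
# the second stanza, which then removes two.
#
# Expansions are quoted so that an empty account variable or a node path
# containing whitespace cannot shift the arguments handed to the helpers.
#
# NOTE(review): the group stanzas presumably rely on both ZFS_ACL_OTHER1 and
# ZFS_ACL_OTHER2 being members of ZFS_ACL_OTHER_GROUP -- confirm in the
# suite setup.
#
function verify_explicit_ACL_rule #node access flag
{
	typeset node=$1
	typeset access=$2
	typeset flag=$3
	typeset log rlog rflag

	# Pick the assertion wrappers: $log is the expectation for an account
	# covered by the explicit (opposite-type) entry, $rlog the expectation
	# for an account covered only by the $flag entry.
	if [[ $flag == allow ]]; then
		log=log_mustnot
		rlog=log_must
		rflag=deny
	else
		log=log_must
		rlog=log_mustnot
		rflag=allow
	fi

	# Stanza 1: everyone@ gets $flag, then one user gets the opposite.
	log_must usr_exec chmod "A+everyone@:${access}:${flag}" "$node"
	log_must usr_exec chmod \
		"A+user:${ZFS_ACL_OTHER1}:${access}:${rflag}" "$node"
	check_access "$log" "$ZFS_ACL_OTHER1" "$node" "$access" "$rflag"
	log_must usr_exec chmod A0- "$node"

	# Stanza 2: everyone@ entry still present, now a group gets the
	# opposite type; both accounts are checked against it.
	log_must usr_exec chmod \
		"A+group:${ZFS_ACL_OTHER_GROUP}:${access}:${rflag}" "$node"
	check_access "$log" "$ZFS_ACL_OTHER1" "$node" "$access" "$rflag"
	check_access "$log" "$ZFS_ACL_OTHER2" "$node" "$access" "$rflag"
	log_must usr_exec chmod A0- "$node"
	log_must usr_exec chmod A0- "$node"

	# Stanza 3: the group gets $flag and one user gets the opposite. The
	# user entry decides for ZFS_ACL_OTHER1, the group entry for
	# ZFS_ACL_OTHER2.
	log_must usr_exec chmod \
		"A+group:${ZFS_ACL_OTHER_GROUP}:${access}:${flag}" "$node"
	log_must usr_exec chmod \
		"A+user:${ZFS_ACL_OTHER1}:${access}:${rflag}" "$node"
	"$log" rwx_node "$ZFS_ACL_OTHER1" "$node" "$access"
	"$rlog" rwx_node "$ZFS_ACL_OTHER2" "$node" "$access"
	log_must usr_exec chmod A0- "$node"
	log_must usr_exec chmod A0- "$node"
}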
110
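log_assert "Verify that explicit ACL setting to specified user or group will" \
	"override existed access rule."
# Register the exit handler before any test object is created. cleanup is
# not defined in this file; presumably the sourced library provides it.
log_onexit cleanup

# Access types and ACE types whose combinations are tested (ksh arrays).
set -A a_access "read_data" "write_data" "execute"
set -A a_flag "allow" "deny"
typeset node

# Run the whole matrix twice, once with root and once with the staff account
# as the current user. The account name is quoted so that an unset
# ZFS_ACL_STAFF1 reaches set_cur_usr as an empty name instead of silently
# reducing the run to the root pass only.
for user in root "$ZFS_ACL_STAFF1"; do
	log_must set_cur_usr "$user"

	# Fresh objects with a known base mode for every pass.
	log_must usr_exec touch "$testfile"
	log_must usr_exec mkdir "$testdir"
	log_must usr_exec chmod 755 "$testfile" "$testdir"

	for node in "$testfile" "$testdir"; do
		for access in "${a_access[@]}"; do
			for flag in "${a_flag[@]}"; do
				verify_explicit_ACL_rule "$node" "$access" \
					"$flag"
			done
		done
	done

	log_must usr_exec rm -rf "$testfile" "$testdir"
done

log_pass "Explicit ACL setting to specified user or group will override " \
	"existed access rule passed."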
139