1d583b39bSJohn Wren Kennedy#!/usr/bin/ksh -p 2d583b39bSJohn Wren Kennedy# 3d583b39bSJohn Wren Kennedy# CDDL HEADER START 4d583b39bSJohn Wren Kennedy# 5d583b39bSJohn Wren Kennedy# The contents of this file are subject to the terms of the 6d583b39bSJohn Wren Kennedy# Common Development and Distribution License (the "License"). 7d583b39bSJohn Wren Kennedy# You may not use this file except in compliance with the License. 8d583b39bSJohn Wren Kennedy# 9d583b39bSJohn Wren Kennedy# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 10d583b39bSJohn Wren Kennedy# or http://www.opensolaris.org/os/licensing. 11d583b39bSJohn Wren Kennedy# See the License for the specific language governing permissions 12d583b39bSJohn Wren Kennedy# and limitations under the License. 13d583b39bSJohn Wren Kennedy# 14d583b39bSJohn Wren Kennedy# When distributing Covered Code, include this CDDL HEADER in each 15d583b39bSJohn Wren Kennedy# file and include the License file at usr/src/OPENSOLARIS.LICENSE. 16d583b39bSJohn Wren Kennedy# If applicable, add the following below this CDDL HEADER, with the 17d583b39bSJohn Wren Kennedy# fields enclosed by brackets "[]" replaced with your own identifying 18d583b39bSJohn Wren Kennedy# information: Portions Copyright [yyyy] [name of copyright owner] 19d583b39bSJohn Wren Kennedy# 20d583b39bSJohn Wren Kennedy# CDDL HEADER END 21d583b39bSJohn Wren Kennedy# 22d583b39bSJohn Wren Kennedy 23d583b39bSJohn Wren Kennedy# 24d583b39bSJohn Wren Kennedy# Copyright 2008 Sun Microsystems, Inc. All rights reserved. 25d583b39bSJohn Wren Kennedy# Use is subject to license terms. 26d583b39bSJohn Wren Kennedy# 27d583b39bSJohn Wren Kennedy 28d583b39bSJohn Wren Kennedy# 291d32ba66SJohn Wren Kennedy# Copyright (c) 2012, 2016 by Delphix. All rights reserved. 30232f5a2eSYuri Pankov# Copyright 2016 Nexenta Systems, Inc. 31d583b39bSJohn Wren Kennedy# 32d583b39bSJohn Wren Kennedy 33d583b39bSJohn Wren Kennedy 34d583b39bSJohn Wren Kennedy. $STF_SUITE/tests/functional/acl/acl_common.kshlib 35d583b39bSJohn Wren Kennedy 36d583b39bSJohn Wren Kennedy# DESCRIPTION: 37232f5a2eSYuri Pankov# Verify chmod have correct behaviour on directories and files when 38232f5a2eSYuri Pankov# filesystem has the different aclmode setting 39d583b39bSJohn Wren Kennedy# 40d583b39bSJohn Wren Kennedy# STRATEGY: 41232f5a2eSYuri Pankov# 1. Loop super user and non-super user to run the test case. 42232f5a2eSYuri Pankov# 2. Create basedir and a set of subdirectores and files within it. 43232f5a2eSYuri Pankov# 3. Separately chmod basedir with different aclmode options, 44232f5a2eSYuri Pankov# combine with the variable setting of aclmode: 45232f5a2eSYuri Pankov# "discard", "groupmask", or "passthrough". 46232f5a2eSYuri Pankov# 4. Verify each directories and files have the correct access control 47232f5a2eSYuri Pankov# capability. 48d583b39bSJohn Wren Kennedy 49d583b39bSJohn Wren Kennedyverify_runnable "both" 50d583b39bSJohn Wren Kennedy 51d583b39bSJohn Wren Kennedyfunction cleanup 52d583b39bSJohn Wren Kennedy{ 53d583b39bSJohn Wren Kennedy (( ${#cwd} != 0 )) && cd $cwd 54d583b39bSJohn Wren Kennedy 551d32ba66SJohn Wren Kennedy [[ -f $TARFILE ]] && log_must rm -f $TARFILE 561d32ba66SJohn Wren Kennedy [[ -d $basedir ]] && log_must rm -rf $basedir 57d583b39bSJohn Wren Kennedy} 58d583b39bSJohn Wren Kennedy 59232f5a2eSYuri Pankovlog_assert "Verify chmod have correct behaviour to directory and file when" \ 60232f5a2eSYuri Pankov "filesystem has the different aclmode setting" 61d583b39bSJohn Wren Kennedylog_onexit cleanup 62d583b39bSJohn Wren Kennedy 63232f5a2eSYuri Pankovset -A aclmode_flag "discard" "groupmask" "passthrough" 64232f5a2eSYuri Pankov 65232f5a2eSYuri Pankovset -A ace_prefix \ 66232f5a2eSYuri Pankov "user:$ZFS_ACL_OTHER1" \ 67232f5a2eSYuri Pankov "user:$ZFS_ACL_OTHER2" \ 68232f5a2eSYuri Pankov "group:$ZFS_ACL_STAFF_GROUP" \ 69232f5a2eSYuri Pankov "group:$ZFS_ACL_OTHER_GROUP" 70232f5a2eSYuri Pankov 71232f5a2eSYuri Pankovset -A argv "000" "444" "644" "777" "755" "231" "562" "413" 72232f5a2eSYuri Pankov 73232f5a2eSYuri Pankovset -A ace_file_preset \ 74232f5a2eSYuri Pankov "read_data" \ 75232f5a2eSYuri Pankov "write_data" \ 76232f5a2eSYuri Pankov "append_data" \ 77232f5a2eSYuri Pankov "execute" \ 78232f5a2eSYuri Pankov "read_data/write_data" \ 79232f5a2eSYuri Pankov "read_data/write_data/append_data" \ 80232f5a2eSYuri Pankov "write_data/append_data" \ 81232f5a2eSYuri Pankov "read_data/execute" \ 82232f5a2eSYuri Pankov "write_data/append_data/execute" \ 83232f5a2eSYuri Pankov "read_data/write_data/append_data/execute" 84232f5a2eSYuri Pankov 85232f5a2eSYuri Pankov# Define the base directory and file 86d583b39bSJohn Wren Kennedybasedir=$TESTDIR/basedir; ofile=$basedir/ofile; odir=$basedir/odir 87d583b39bSJohn Wren Kennedynfile=$basedir/nfile; ndir=$basedir/ndir 88d583b39bSJohn Wren Kennedy 89d583b39bSJohn Wren KennedyTARFILE=$TESTDIR/tarfile 90d583b39bSJohn Wren Kennedy 91d583b39bSJohn Wren Kennedy# Verify all the node have expected correct access control 92d583b39bSJohn Wren Kennedyallnodes="$nfile $ndir" 93d583b39bSJohn Wren Kennedy 94d583b39bSJohn Wren Kennedy# According to the original bits, the input ACE access and ACE type, return the 95d583b39bSJohn Wren Kennedy# expect bits after 'chmod A0{+|=}'. 96d583b39bSJohn Wren Kennedy# 97d583b39bSJohn Wren Kennedy# $1 isdir indicate if the target is a directory 98d583b39bSJohn Wren Kennedy# $2 bits which was make up of three bit 'rwx' 99d583b39bSJohn Wren Kennedy# $3 bits_limit which was make up of three bit 'rwx' 100d583b39bSJohn Wren Kennedy# $4 ACE access which is read_data, write_data or execute 101d583b39bSJohn Wren Kennedy# $5 ctrl which is to determine allow or deny according to owner/group bit 102d583b39bSJohn Wren Kennedyfunction cal_bits # isdir bits bits_limit acl_access ctrl 103d583b39bSJohn Wren Kennedy{ 104d583b39bSJohn Wren Kennedy typeset -i isdir=$1 105d583b39bSJohn Wren Kennedy typeset -i bits=$2 106d583b39bSJohn Wren Kennedy typeset -i bits_limit=$3 107d583b39bSJohn Wren Kennedy typeset acl_access=$4 108d583b39bSJohn Wren Kennedy typeset -i ctrl=${5:-0} 109d583b39bSJohn Wren Kennedy typeset flagr=0 flagw=0 flagx=0 110d583b39bSJohn Wren Kennedy typeset tmpstr 111d583b39bSJohn Wren Kennedy 112d583b39bSJohn Wren Kennedy if (( ctrl == 0 )); then 113d583b39bSJohn Wren Kennedy if (( (( bits & 4 )) != 0 )); then 114d583b39bSJohn Wren Kennedy flagr=1 115d583b39bSJohn Wren Kennedy fi 116d583b39bSJohn Wren Kennedy if (( (( bits & 2 )) != 0 )); then 117d583b39bSJohn Wren Kennedy flagw=1 118d583b39bSJohn Wren Kennedy fi 119d583b39bSJohn Wren Kennedy if (( (( bits & 1 )) != 0 )); then 120d583b39bSJohn Wren Kennedy flagx=1 121d583b39bSJohn Wren Kennedy fi 122d583b39bSJohn Wren Kennedy else 123232f5a2eSYuri Pankov # Determine ACE as per owner/group bit 124d583b39bSJohn Wren Kennedy flagr=1 125d583b39bSJohn Wren Kennedy flagw=1 126d583b39bSJohn Wren Kennedy flagx=1 127d583b39bSJohn Wren Kennedy 128d583b39bSJohn Wren Kennedy if (( ((bits & 4)) != 0 )) && \ 129d583b39bSJohn Wren Kennedy (( ((bits_limit & 4)) != 0 )); then 130d583b39bSJohn Wren Kennedy flagr=0 131d583b39bSJohn Wren Kennedy fi 132d583b39bSJohn Wren Kennedy if (( ((bits & 2)) != 0 )) && \ 133d583b39bSJohn Wren Kennedy (( ((bits_limit & 2)) != 0 )); then 134d583b39bSJohn Wren Kennedy flagw=0 135d583b39bSJohn Wren Kennedy fi 136d583b39bSJohn Wren Kennedy if (( ((bits & 1)) != 0 )) && \ 137d583b39bSJohn Wren Kennedy (( ((bits_limit & 1)) != 0 )); then 138d583b39bSJohn Wren Kennedy flagx=0 139d583b39bSJohn Wren Kennedy fi 140d583b39bSJohn Wren Kennedy fi 141232f5a2eSYuri Pankov 142d583b39bSJohn Wren Kennedy if ((flagr != 0)); then 143d583b39bSJohn Wren Kennedy if [[ $acl_access == *"read_data"* ]]; then 1449af60fb0SToomas Soome if ((isdir != 0)); then 1459af60fb0SToomas Soome tmpstr=${tmpstr}/list_directory 146d583b39bSJohn Wren Kennedy fi 1479af60fb0SToomas Soome tmpstr=${tmpstr}/read_data 148d583b39bSJohn Wren Kennedy fi 149d583b39bSJohn Wren Kennedy fi 150d583b39bSJohn Wren Kennedy 151d583b39bSJohn Wren Kennedy if ((flagw != 0)); then 1529af60fb0SToomas Soome if [[ $acl_access == *"write_data"* ]]; then 1539af60fb0SToomas Soome if ((isdir != 0)); then 154*33978c4bSToomas Soome tmpstr=${tmpstr}/add_file 155d583b39bSJohn Wren Kennedy fi 1569af60fb0SToomas Soome tmpstr=${tmpstr}/write_data 1579af60fb0SToomas Soome fi 1589af60fb0SToomas Soome if [[ $acl_access == *"append_data"* ]]; then 1599af60fb0SToomas Soome if ((isdir != 0)); then 1609af60fb0SToomas Soome tmpstr=${tmpstr}/add_subdirectory 161d583b39bSJohn Wren Kennedy fi 1629af60fb0SToomas Soome tmpstr=${tmpstr}/append_data 163d583b39bSJohn Wren Kennedy fi 164d583b39bSJohn Wren Kennedy fi 165232f5a2eSYuri Pankov 166d583b39bSJohn Wren Kennedy if ((flagx != 0)); then 167d583b39bSJohn Wren Kennedy if [[ $acl_access == *"execute"* ]]; then 1689af60fb0SToomas Soome tmpstr=${tmpstr}/execute 169d583b39bSJohn Wren Kennedy fi 170d583b39bSJohn Wren Kennedy fi 171d583b39bSJohn Wren Kennedy 172d583b39bSJohn Wren Kennedy tmpstr=${tmpstr#/} 173d583b39bSJohn Wren Kennedy 1741d32ba66SJohn Wren Kennedy echo "$tmpstr" 175d583b39bSJohn Wren Kennedy} 176d583b39bSJohn Wren Kennedy 177d583b39bSJohn Wren Kennedy# 178d583b39bSJohn Wren Kennedy# To translate an ace if the node is dir 179d583b39bSJohn Wren Kennedy# 180d583b39bSJohn Wren Kennedy# $1 isdir indicate if the target is a directory 181d583b39bSJohn Wren Kennedy# $2 acl to be translated 182d583b39bSJohn Wren Kennedy# 183d583b39bSJohn Wren Kennedyfunction translate_acl # isdir acl 184d583b39bSJohn Wren Kennedy{ 185d583b39bSJohn Wren Kennedy typeset -i isdir=$1 186d583b39bSJohn Wren Kennedy typeset acl=$2 187d583b39bSJohn Wren Kennedy typeset who prefix acltemp action 188d583b39bSJohn Wren Kennedy 189d583b39bSJohn Wren Kennedy if ((isdir != 0)); then 190d583b39bSJohn Wren Kennedy who=${acl%%:*} 191d583b39bSJohn Wren Kennedy prefix=$who 192d583b39bSJohn Wren Kennedy acltemp=${acl#*:} 193d583b39bSJohn Wren Kennedy acltemp=${acltemp%%:*} 194d583b39bSJohn Wren Kennedy prefix=$prefix:$acltemp 195d583b39bSJohn Wren Kennedy action=${acl##*:} 196d583b39bSJohn Wren Kennedy acl=$prefix:$(cal_bits $isdir 7 7 $acl 0):$action 197d583b39bSJohn Wren Kennedy fi 1981d32ba66SJohn Wren Kennedy echo "$acl" 199d583b39bSJohn Wren Kennedy} 200d583b39bSJohn Wren Kennedy 201d583b39bSJohn Wren Kennedy# 202d583b39bSJohn Wren Kennedy# To verify if a new ACL is generated as result of 203d583b39bSJohn Wren Kennedy# chmod operation. 204d583b39bSJohn Wren Kennedy# 205d583b39bSJohn Wren Kennedy# $1 bit indicates whether owner/group bit 206d583b39bSJohn Wren Kennedy# $2 newmode indicates the mode changed using chmod 207d583b39bSJohn Wren Kennedy# $3 isdir indicate if the target is a directory 208d583b39bSJohn Wren Kennedy# 209d583b39bSJohn Wren Kennedyfunction check_new_acl # bit newmode isdir 210d583b39bSJohn Wren Kennedy{ 211d583b39bSJohn Wren Kennedy typeset bits=$1 212d583b39bSJohn Wren Kennedy typeset mode=$2 213d583b39bSJohn Wren Kennedy typeset -i isdir=$3 214d583b39bSJohn Wren Kennedy typeset new_acl 215d583b39bSJohn Wren Kennedy typeset gbit 216d583b39bSJohn Wren Kennedy typeset ebit 217d583b39bSJohn Wren Kennedy typeset str=":" 218232f5a2eSYuri Pankov typeset dc="" 219232f5a2eSYuri Pankov 22001ff4119SYuri Pankov gbit=${mode:1:1} 22101ff4119SYuri Pankov ebit=${mode:2:1} 222d583b39bSJohn Wren Kennedy if (( ((bits & 4)) == 0 )); then 223d583b39bSJohn Wren Kennedy if (( ((gbit & 4)) != 0 || \ 224d583b39bSJohn Wren Kennedy ((ebit & 4)) != 0 )); then 225d583b39bSJohn Wren Kennedy if ((isdir == 0)); then 226d583b39bSJohn Wren Kennedy new_acl=${new_acl}${str}read_data 227d583b39bSJohn Wren Kennedy else 228d583b39bSJohn Wren Kennedy new_acl=${new_acl}${str}list_directory/read_data 229d583b39bSJohn Wren Kennedy fi 230d583b39bSJohn Wren Kennedy str="/" 231d583b39bSJohn Wren Kennedy fi 232d583b39bSJohn Wren Kennedy fi 233d583b39bSJohn Wren Kennedy if (( ((bits & 2)) == 0 )); then 234d583b39bSJohn Wren Kennedy if (( ((gbit & 2)) != 0 || \ 235d583b39bSJohn Wren Kennedy ((ebit & 2)) != 0 )); then 236d583b39bSJohn Wren Kennedy if ((isdir == 0)); then 237d583b39bSJohn Wren Kennedy new_acl=${new_acl}${str}write_data/append_data 238d583b39bSJohn Wren Kennedy else 239d583b39bSJohn Wren Kennedy new_acl=${new_acl}${str}add_file/write_data/ 240d583b39bSJohn Wren Kennedy new_acl=${new_acl}add_subdirectory/append_data 241232f5a2eSYuri Pankov dc="/delete_child" 242d583b39bSJohn Wren Kennedy fi 243d583b39bSJohn Wren Kennedy str="/" 244d583b39bSJohn Wren Kennedy fi 245d583b39bSJohn Wren Kennedy fi 246d583b39bSJohn Wren Kennedy if (( ((bits & 1)) == 0 )); then 247d583b39bSJohn Wren Kennedy if (( ((gbit & 1)) != 0 || \ 248d583b39bSJohn Wren Kennedy ((ebit & 1)) != 0 )); then 249d583b39bSJohn Wren Kennedy new_acl=${new_acl}${str}execute 250d583b39bSJohn Wren Kennedy fi 251d583b39bSJohn Wren Kennedy fi 252232f5a2eSYuri Pankov new_acl=${new_acl}${dc} 2531d32ba66SJohn Wren Kennedy echo "$new_acl" 254d583b39bSJohn Wren Kennedy} 255d583b39bSJohn Wren Kennedy 256d583b39bSJohn Wren Kennedyfunction build_new_acl # newmode isdir 257d583b39bSJohn Wren Kennedy{ 258d583b39bSJohn Wren Kennedy typeset newmode=$1 259d583b39bSJohn Wren Kennedy typeset isdir=$2 260d583b39bSJohn Wren Kennedy typeset expect 261d583b39bSJohn Wren Kennedy if ((flag == 0)); then 262d583b39bSJohn Wren Kennedy prefix="owner@" 26301ff4119SYuri Pankov bit=${newmode:0:1} 264d583b39bSJohn Wren Kennedy status=$(check_new_acl $bit $newmode $isdir) 265d583b39bSJohn Wren Kennedy 266d583b39bSJohn Wren Kennedy else 267d583b39bSJohn Wren Kennedy prefix="group@" 26801ff4119SYuri Pankov bit=${newmode:1:1} 269d583b39bSJohn Wren Kennedy status=$(check_new_acl $bit $newmode $isdir) 270d583b39bSJohn Wren Kennedy fi 271d583b39bSJohn Wren Kennedy expect=$prefix$status:deny 2721d32ba66SJohn Wren Kennedy echo $expect 273d583b39bSJohn Wren Kennedy} 274d583b39bSJohn Wren Kennedy 275d583b39bSJohn Wren Kennedy# According to inherited flag, verify subdirectories and files within it has 276d583b39bSJohn Wren Kennedy# correct inherited access control. 277d583b39bSJohn Wren Kennedyfunction verify_aclmode # <aclmode> <node> <newmode> 278d583b39bSJohn Wren Kennedy{ 279d583b39bSJohn Wren Kennedy # Define the nodes which will be affected by inherit. 280d583b39bSJohn Wren Kennedy typeset aclmode=$1 281d583b39bSJohn Wren Kennedy typeset node=$2 282d583b39bSJohn Wren Kennedy typeset newmode=$3 283d583b39bSJohn Wren Kennedy 284d583b39bSJohn Wren Kennedy # count: the ACE item to fetch 285d583b39bSJohn Wren Kennedy # passcnt: counter, if it achieves to maxnumber, 286d583b39bSJohn Wren Kennedy # then no additional ACE should apply. 287d583b39bSJohn Wren Kennedy 2889af60fb0SToomas Soome typeset -i count=0 passcnt=0 289d583b39bSJohn Wren Kennedy typeset -i bits=0 obits=0 bits_owner=0 isdir=0 290d583b39bSJohn Wren Kennedy typeset -i total_acl 291d583b39bSJohn Wren Kennedy typeset -i acl_count=$(count_ACE $node) 292d583b39bSJohn Wren Kennedy 293d583b39bSJohn Wren Kennedy ((total_acl = maxnumber + 3)) 294d583b39bSJohn Wren Kennedy 295d583b39bSJohn Wren Kennedy if [[ -d $node ]]; then 296d583b39bSJohn Wren Kennedy ((isdir = 1)) 297d583b39bSJohn Wren Kennedy fi 298d583b39bSJohn Wren Kennedy 299d583b39bSJohn Wren Kennedy ((i = maxnumber - 1)) 300d583b39bSJohn Wren Kennedy count=0 301d583b39bSJohn Wren Kennedy passcnt=0 302d583b39bSJohn Wren Kennedy flag=0 303d583b39bSJohn Wren Kennedy while ((i >= 0)); do 304d583b39bSJohn Wren Kennedy expect1=${acls[$i]} 305d583b39bSJohn Wren Kennedy passthrough=0 306d583b39bSJohn Wren Kennedy # 307d583b39bSJohn Wren Kennedy # aclmode=passthrough, 308d583b39bSJohn Wren Kennedy # no changes will be made to the ACL other than 309d583b39bSJohn Wren Kennedy # generating the necessary ACL entries to represent 310d583b39bSJohn Wren Kennedy # the new mode of the file or directory. 311d583b39bSJohn Wren Kennedy # 312d583b39bSJohn Wren Kennedy # aclmode=discard, 313d583b39bSJohn Wren Kennedy # delete all ACL entries that don't represent 314d583b39bSJohn Wren Kennedy # the mode of the file. 315d583b39bSJohn Wren Kennedy # 316d583b39bSJohn Wren Kennedy # aclmode=groupmask, 317d583b39bSJohn Wren Kennedy # reduce user or group permissions. The permissions are 318d583b39bSJohn Wren Kennedy # reduced, such that they are no greater than the group 319d583b39bSJohn Wren Kennedy # permission bits, unless it is a user entry that has the 320d583b39bSJohn Wren Kennedy # same UID as the owner of the file or directory. 321d583b39bSJohn Wren Kennedy # Then, the ACL permissions are reduced so that they are 322d583b39bSJohn Wren Kennedy # no greater than owner permission bits. 323d583b39bSJohn Wren Kennedy # 324d583b39bSJohn Wren Kennedy 325d583b39bSJohn Wren Kennedy case $aclmode in 326232f5a2eSYuri Pankov passthrough) 327232f5a2eSYuri Pankov if ((acl_count > total_acl)); then 328232f5a2eSYuri Pankov expect1=$(build_new_acl $newmode $isdir) 329232f5a2eSYuri Pankov flag=1 330232f5a2eSYuri Pankov ((total_acl = total_acl + 1)) 331232f5a2eSYuri Pankov ((i = i + 1)) 332232f5a2eSYuri Pankov else 333232f5a2eSYuri Pankov passthrough=1 334232f5a2eSYuri Pankov expect1=$(translate_acl $isdir $expect1) 335232f5a2eSYuri Pankov fi 336232f5a2eSYuri Pankov ;; 337232f5a2eSYuri Pankov groupmask) 338232f5a2eSYuri Pankov if ((acl_count > total_acl)); then 339232f5a2eSYuri Pankov expect1=$(build_new_acl $newmode $isdir) 340232f5a2eSYuri Pankov flag=1 341232f5a2eSYuri Pankov ((total_acl = total_acl + 1)) 342232f5a2eSYuri Pankov ((i = i + 1)) 343232f5a2eSYuri Pankov elif [[ $expect1 == *":allow"* ]]; then 344232f5a2eSYuri Pankov who=${expect1%%:*} 345232f5a2eSYuri Pankov aclaction=${expect1##*:} 346232f5a2eSYuri Pankov prefix=$who 347232f5a2eSYuri Pankov acltemp="" 348232f5a2eSYuri Pankov reduce=0 349232f5a2eSYuri Pankov # To determine the mask bits 350232f5a2eSYuri Pankov # according to the entry type. 351232f5a2eSYuri Pankov # 352232f5a2eSYuri Pankov case $who in 353232f5a2eSYuri Pankov owner@) 354232f5a2eSYuri Pankov pos=0 355232f5a2eSYuri Pankov ;; 356232f5a2eSYuri Pankov group@) 357232f5a2eSYuri Pankov pos=1 358232f5a2eSYuri Pankov ;; 359232f5a2eSYuri Pankov everyone@) 360232f5a2eSYuri Pankov pos=2 361232f5a2eSYuri Pankov ;; 362232f5a2eSYuri Pankov user) 363232f5a2eSYuri Pankov acltemp=${expect1#*:} 364232f5a2eSYuri Pankov acltemp=${acltemp%%:*} 365232f5a2eSYuri Pankov owner=$(get_owner $node) 366232f5a2eSYuri Pankov group=$(get_group $node) 367232f5a2eSYuri Pankov if [[ $acltemp == $owner ]]; then 368232f5a2eSYuri Pankov pos=0 369232f5a2eSYuri Pankov else 370232f5a2eSYuri Pankov pos=1 371232f5a2eSYuri Pankov fi 372232f5a2eSYuri Pankov prefix=$prefix:$acltemp 373232f5a2eSYuri Pankov ;; 374232f5a2eSYuri Pankov group) 375232f5a2eSYuri Pankov acltemp=${expect1#*:} 376232f5a2eSYuri Pankov acltemp=${acltemp%%:*} 377232f5a2eSYuri Pankov pos=1 378232f5a2eSYuri Pankov prefix=$prefix:$acltemp 379232f5a2eSYuri Pankov reduce=1 380232f5a2eSYuri Pankov ;; 381232f5a2eSYuri Pankov esac 382232f5a2eSYuri Pankov 383232f5a2eSYuri Pankov obits=${newmode:$pos:1} 384232f5a2eSYuri Pankov ((bits = $obits)) 385232f5a2eSYuri Pankov # permission should be no greater than the 386232f5a2eSYuri Pankov # group permission bits 387232f5a2eSYuri Pankov if ((reduce != 0)); then 388232f5a2eSYuri Pankov ((bits &= ${newmode:1:1})) 389d583b39bSJohn Wren Kennedy # The ACL permissions are reduced so 390d583b39bSJohn Wren Kennedy # that they are no greater than owner 391d583b39bSJohn Wren Kennedy # permission bits. 392232f5a2eSYuri Pankov ((bits_owner = ${newmode:0:1})) 393232f5a2eSYuri Pankov ((bits &= $bits_owner)) 394232f5a2eSYuri Pankov fi 395d583b39bSJohn Wren Kennedy 396232f5a2eSYuri Pankov if ((bits < obits)) && [[ -n $acltemp ]]; then 397232f5a2eSYuri Pankov expect2=$prefix: 398232f5a2eSYuri Pankov new_bit=$(cal_bits $isdir $obits \ 3999af60fb0SToomas Soome $bits_owner $expect1 0) 400232f5a2eSYuri Pankov expect2=${expect2}${new_bit}:allow 401d583b39bSJohn Wren Kennedy else 402232f5a2eSYuri Pankov expect2=$prefix: 403232f5a2eSYuri Pankov new_bit=$(cal_bits $isdir $obits \ 4049af60fb0SToomas Soome $obits $expect1 0) 405232f5a2eSYuri Pankov expect2=${expect2}${new_bit}:allow 406d583b39bSJohn Wren Kennedy fi 407232f5a2eSYuri Pankov 408232f5a2eSYuri Pankov priv=$(cal_bits $isdir $obits $bits_owner \ 409232f5a2eSYuri Pankov $expect2 0) 410232f5a2eSYuri Pankov expect1=$prefix:$priv:$aclaction 411232f5a2eSYuri Pankov else 412232f5a2eSYuri Pankov expect1=$(translate_acl $isdir $expect1) 413232f5a2eSYuri Pankov fi 414232f5a2eSYuri Pankov ;; 415232f5a2eSYuri Pankov discard) 416232f5a2eSYuri Pankov passcnt=maxnumber 417232f5a2eSYuri Pankov break 418232f5a2eSYuri Pankov ;; 419d583b39bSJohn Wren Kennedy esac 420d583b39bSJohn Wren Kennedy 4219af60fb0SToomas Soome # Get the first ACE to do comparison 4229af60fb0SToomas Soome aclcur=$(get_ACE $node $count) 4239af60fb0SToomas Soome aclcur=${aclcur#$count:} 4249af60fb0SToomas Soome if [[ -n $expect1 && $expect1 != $aclcur ]]; then 4259af60fb0SToomas Soome ls -vd $node 4269af60fb0SToomas Soome log_fail "$aclmode $i #$count " \ 4279af60fb0SToomas Soome "ACE: $aclcur, expect to be " \ 4289af60fb0SToomas Soome "$expect1" 429d583b39bSJohn Wren Kennedy fi 4309af60fb0SToomas Soome ((count = count + 1)) 431d583b39bSJohn Wren Kennedy ((i = i - 1)) 432d583b39bSJohn Wren Kennedy done 433d583b39bSJohn Wren Kennedy 434d583b39bSJohn Wren Kennedy # 435d583b39bSJohn Wren Kennedy # If there's no any ACE be checked, it should be identify as 436d583b39bSJohn Wren Kennedy # an normal file/dir, verify it. 437d583b39bSJohn Wren Kennedy # 438d583b39bSJohn Wren Kennedy if ((passcnt == maxnumber)); then 439d583b39bSJohn Wren Kennedy if [[ -d $node ]]; then 440d583b39bSJohn Wren Kennedy compare_acls $node $odir 441d583b39bSJohn Wren Kennedy elif [[ -f $node ]]; then 442d583b39bSJohn Wren Kennedy compare_acls $node $ofile 443d583b39bSJohn Wren Kennedy fi 444d583b39bSJohn Wren Kennedy 445d583b39bSJohn Wren Kennedy if [[ $? -ne 0 ]]; then 4461d32ba66SJohn Wren Kennedy ls -vd $node 447d583b39bSJohn Wren Kennedy log_fail "Unexpect acl: $node, $aclmode ($newmode)" 448d583b39bSJohn Wren Kennedy fi 449d583b39bSJohn Wren Kennedy fi 450d583b39bSJohn Wren Kennedy} 451d583b39bSJohn Wren Kennedy 452d583b39bSJohn Wren Kennedy 453d583b39bSJohn Wren Kennedy 454d583b39bSJohn Wren Kennedytypeset -i maxnumber=0 455d583b39bSJohn Wren Kennedytypeset acl 456d583b39bSJohn Wren Kennedytypeset target 457d583b39bSJohn Wren Kennedytypeset -i passthrough=0 458d583b39bSJohn Wren Kennedytypeset -i flag=0 459d583b39bSJohn Wren Kennedy 4601a6cb65eSToomas Soomecd $TESTDIR 461d583b39bSJohn Wren Kennedyfor mode in "${aclmode_flag[@]}"; do 4621d32ba66SJohn Wren Kennedy log_must zfs set aclmode=$mode $TESTPOOL/$TESTFS 463d583b39bSJohn Wren Kennedy 464d583b39bSJohn Wren Kennedy for user in root $ZFS_ACL_STAFF1; do 465d583b39bSJohn Wren Kennedy log_must set_cur_usr $user 466d583b39bSJohn Wren Kennedy 4671d32ba66SJohn Wren Kennedy log_must usr_exec mkdir $basedir 468d583b39bSJohn Wren Kennedy 4691d32ba66SJohn Wren Kennedy log_must usr_exec mkdir $odir 4701d32ba66SJohn Wren Kennedy log_must usr_exec touch $ofile 4711d32ba66SJohn Wren Kennedy log_must usr_exec mkdir $ndir 4721d32ba66SJohn Wren Kennedy log_must usr_exec touch $nfile 473d583b39bSJohn Wren Kennedy 474d583b39bSJohn Wren Kennedy for obj in $allnodes; do 475d583b39bSJohn Wren Kennedy maxnumber=0 476d583b39bSJohn Wren Kennedy for preset in "${ace_file_preset[@]}"; do 477d583b39bSJohn Wren Kennedy for prefix in "${ace_prefix[@]}"; do 478d583b39bSJohn Wren Kennedy acl=$prefix:$preset 479d583b39bSJohn Wren Kennedy 480d583b39bSJohn Wren Kennedy case $((maxnumber % 2)) in 481232f5a2eSYuri Pankov 0) 482232f5a2eSYuri Pankov acl=$acl:deny 483232f5a2eSYuri Pankov ;; 484232f5a2eSYuri Pankov 1) 485232f5a2eSYuri Pankov acl=$acl:allow 486232f5a2eSYuri Pankov ;; 487d583b39bSJohn Wren Kennedy esac 488d583b39bSJohn Wren Kennedy 4891d32ba66SJohn Wren Kennedy log_must usr_exec chmod A+$acl $obj 490d583b39bSJohn Wren Kennedy acls[$maxnumber]=$acl 491d583b39bSJohn Wren Kennedy 492d583b39bSJohn Wren Kennedy ((maxnumber = maxnumber + 1)) 493d583b39bSJohn Wren Kennedy done 494d583b39bSJohn Wren Kennedy done 495d583b39bSJohn Wren Kennedy # Archive the file and directory 4961a6cb65eSToomas Soome log_must tar cpf@ $TARFILE ${basedir#$TESTDIR/} 497d583b39bSJohn Wren Kennedy 498d583b39bSJohn Wren Kennedy if [[ -d $obj ]]; then 499d583b39bSJohn Wren Kennedy target=$odir 500d583b39bSJohn Wren Kennedy elif [[ -f $obj ]]; then 501d583b39bSJohn Wren Kennedy target=$ofile 502d583b39bSJohn Wren Kennedy fi 503d583b39bSJohn Wren Kennedy for newmode in "${argv[@]}"; do 5041d32ba66SJohn Wren Kennedy log_must usr_exec chmod $newmode $obj 5051d32ba66SJohn Wren Kennedy log_must usr_exec chmod $newmode $target 506d583b39bSJohn Wren Kennedy log_must verify_aclmode $mode $obj $newmode 5071d32ba66SJohn Wren Kennedy log_must tar xpf@ $TARFILE 508d583b39bSJohn Wren Kennedy done 509d583b39bSJohn Wren Kennedy done 510d583b39bSJohn Wren Kennedy 5111d32ba66SJohn Wren Kennedy log_must usr_exec rm -rf $basedir $TARFILE 512d583b39bSJohn Wren Kennedy done 513d583b39bSJohn Wren Kennedydone 514d583b39bSJohn Wren Kennedy 515232f5a2eSYuri Pankovlog_pass "Verify chmod behaviour co-op with aclmode setting passed" 516