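#!/usr/bin/ksh -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

#
# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#

#
# Copyright (c) 2012 by Delphix. All rights reserved.
#

. $STF_SUITE/tests/functional/acl/acl_common.kshlib

#
# DESCRIPTION:
#	Verify that chmod behaves correctly on directories and files for
#	each aclmode setting of the filesystem.
#
# STRATEGY:
#	1. Run the test case as both the super user and a non-super user.
#	2. Create basedir and a set of subdirectories and files within it.
#	3. Separately chmod the nodes under basedir with different modes,
#	   combined with each setting of aclmode:
#	   "discard", "groupmask", or "passthrough".
#	4. Verify that each directory and file has the correct access
#	   control capability.
#

verify_runnable "both"

#
# Exit handler (registered with log_onexit below): go back to the directory
# the test was started from and remove the tar archive and basedir.
#
function cleanup
{
	# $cwd is only assigned once the test body starts, so skip the cd
	# while it is still empty.
	(( ${#cwd} != 0 )) && cd "$cwd"

	# The path expansions are quoted so that a path containing whitespace
	# or glob characters reaches rm as a single argument; unquoted, rm -rf
	# would be handed whatever words the path happened to split into.
	# NOTE(review): this relies on log_must forwarding its arguments
	# unchanged - confirm against the log API.
	if [[ -f $TARFILE ]]; then
		log_must $RM -f "$TARFILE"
	fi

	if [[ -d $basedir ]]; then
		log_must $RM -rf "$basedir"
	fi
}

log_assert "Verify chmod have correct behaviour to directory and file when " \
    "filesystem has the different aclmode setting."
log_onexit cleanup

# The aclmode property values to test.
set -A aclmode_flag discard groupmask passthrough

# The "who" part of every ACE that gets added to the nodes under test.
set -A ace_prefix "user:$ZFS_ACL_OTHER1" \
    "user:$ZFS_ACL_OTHER2" \
    "group:$ZFS_ACL_STAFF_GROUP" \
    "group:$ZFS_ACL_OTHER_GROUP"

# The modes handed to chmod after the ACEs are in place.
set -A argv "000" "444" "644" "777" "755" "231" "562" "413"

# The permission sets combined with each entry of ace_prefix.
set -A ace_file_preset "read_data" \
    "write_data" \
    "append_data" \
    "execute" \
    "read_data/write_data" \
    "read_data/write_data/append_data" \
    "write_data/append_data" \
    "read_data/execute" \
    "write_data/append_data/execute" \
    "read_data/write_data/append_data/execute"

# Define the base directory and the files/directories below it.
# ofile/odir only ever get a plain chmod and serve as the reference;
# nfile/ndir additionally receive the ACEs built from the arrays above.
basedir=$TESTDIR/basedir; ofile=$basedir/ofile; odir=$basedir/odir
nfile=$basedir/nfile; ndir=$basedir/ndir

TARFILE=$TESTDIR/tarfile

# The nodes whose access control entries are verified.
allnodes="$nfile $ndir"

#
# According to the original bits, the input ACE access and ACE type, return the
# expected bits after 'chmod A0{+|=}'.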
#
# $1 isdir	non-zero if the target is a directory
# $2 bits	one mode digit, i.e. the three bits 'rwx'
# $3 bits_limit	one mode digit used as a mask; only looked at when ctrl != 0
# $4 acl_access	ACE text; it is searched for read_data, write_data,
#		append_data, execute and allow
# $5 ctrl	0 (the default): consider the permissions whose bit is set in
#		bits; otherwise consider those whose bit is not set in both
#		bits and bits_limit
#
# The global $passthrough is read as well: while it is 0, an ACE text that
# contains "allow" yields an empty result.
#
# The selected permission names are printed joined by '/'.
#
function cal_bits # isdir bits bits_limit acl_access ctrl
{
	typeset -i isdir=$1
	typeset -i bits=$2
	typeset -i bits_limit=$3
	typeset acl_access=$4
	typeset -i ctrl=${5:-0}
	typeset -i want_r want_w want_x
	typeset -i muted=0
	typeset result=""

	if (( ctrl == 0 )); then
		# Straight translation of the rwx bits.
		want_r=$(( (bits & 4) != 0 ))
		want_w=$(( (bits & 2) != 0 ))
		want_x=$(( (bits & 1) != 0 ))
	else
		# Determine the ACE as per owner/group bit: a permission is
		# selected unless both bits and bits_limit carry it.
		want_r=$(( (bits & bits_limit & 4) == 0 ))
		want_w=$(( (bits & bits_limit & 2) == 0 ))
		want_x=$(( (bits & bits_limit & 1) == 0 ))
	fi

	# An allow entry contributes nothing unless passthrough is in effect.
	if [[ $acl_access == *"allow"* && $passthrough == 0 ]]; then
		muted=1
	fi

	if (( want_r != 0 && muted == 0 )) && \
	    [[ $acl_access == *"read_data"* ]]; then
		if (( isdir != 0 )); then
			result=${result}/list_directory/read_data
		else
			result=${result}/read_data
		fi
	fi

	if (( want_w != 0 && muted == 0 )); then
		if [[ $acl_access == *"write_data"* ]]; then
			if (( isdir != 0 )); then
				result=${result}/add_file/write_data
			else
				result=${result}/write_data
			fi
		fi
		if [[ $acl_access == *"append_data"* ]]; then
			if (( isdir != 0 )); then
				result=${result}/add_subdirectory/append_data
			else
				result=${result}/append_data
			fi
		fi
	fi

	if (( want_x != 0 && muted == 0 )) && \
	    [[ $acl_access == *"execute"* ]]; then
		result=${result}/execute
	fi

	# Every name was appended with a leading '/'; drop the first one.
	$ECHO "${result#/}"
}

#
# Print an ACE in the form it takes on a directory; for anything that is not
# a directory the ACE is printed unchanged.
#
# $1 isdir	non-zero if the target is a directory
# $2 acl	the ACE to be translated
#
function translate_acl # isdir acl
{
	typeset -i isdir=$1
	typeset acl=$2
	typeset entry_type remainder entry_id verdict perms

	if (( isdir == 0 )); then
		$ECHO "$acl"
		return
	fi

	# First and second ':'-separated fields, and the last one.
	entry_type=${acl%%:*}
	remainder=${acl#*:}
	entry_id=${remainder%%:*}
	verdict=${acl##*:}

	# $acl is expanded unquoted here, exactly as before, so an ACE that
	# contained whitespace would arrive in cal_bits as several arguments.
	perms=$(cal_bits $isdir 7 7 $acl 0)

	$ECHO "${entry_type}:${entry_id}:${perms}:${verdict}"
}

#
# To verify if a new ACL is generated as result of
# chmod operation.
#
# Prints ":" followed by the '/'-joined permissions that the given mode digit
# lacks while the group or the everyone digit of the new mode grants them.
# Prints an empty line when there is no such permission.
#
# $1 bit	the owner or group digit of the new mode
# $2 newmode	the three digit mode that was applied with chmod
# $3 isdir	non-zero if the target is a directory
#
function check_new_acl # bit newmode isdir
{
	typeset bits=$1
	typeset mode=$2
	typeset -i isdir=$3
	typeset new_acl
	typeset gbit
	typeset ebit
	# Separator placed in front of the next permission name: ":" for the
	# first one, "/" for every later one.
	typeset str=":"
	# Second and third digit of the mode: group and everyone.
	gbit=${mode:1:1}
	ebit=${mode:2:1}
	# read: missing in bits but present for group or everyone
	if (( ((bits & 4)) == 0 )); then
		if (( ((gbit & 4)) != 0 || \
		    ((ebit & 4)) != 0 )); then
			if ((isdir == 0)); then
				new_acl=${new_acl}${str}read_data
			else
				new_acl=${new_acl}${str}list_directory/read_data
			fi
			str="/"
		fi
	fi
	# write: missing in bits but present for group or everyone
	if (( ((bits & 2)) == 0 )); then
		if (( ((gbit & 2)) != 0 || \
		    ((ebit & 2)) != 0 )); then
			if ((isdir == 0)); then
				new_acl=${new_acl}${str}write_data/append_data
			else
				new_acl=${new_acl}${str}add_file/write_data/
				new_acl=${new_acl}add_subdirectory/append_data
			fi
			str="/"
		fi
	fi
	# execute: missing in bits but present for group or everyone
	if (( ((bits & 1)) == 0 )); then
		if (( ((gbit & 1)) != 0 || \
		    ((ebit & 1)) != 0 )); then
			new_acl=${new_acl}${str}execute
		fi
	fi
	$ECHO "$new_acl"
}

#
# Print the deny ACE that is expected in front of the existing entries after
# chmod: "owner@...:deny" while the global $flag is 0, "group@...:deny"
# otherwise. The permission list comes from check_new_acl.
#
# $1 newmode	the three digit mode that was applied with chmod
# $2 isdir	non-zero if the target is a directory
#
# NOTE(review): prefix, bit and status are not declared with typeset, so they
# are global variables. Every caller in this file runs the function inside
# $( ), which presumably keeps the assignments from leaking - confirm before
# calling it any other way.
#
function build_new_acl # newmode isdir
{
	typeset newmode=$1
	typeset isdir=$2
	typeset expect
	if ((flag == 0)); then
		prefix="owner@"
		# first digit of the mode: owner
		bit=${newmode:0:1}
		status=$(check_new_acl $bit $newmode $isdir)

	else
		prefix="group@"
		# second digit of the mode: group
		bit=${newmode:1:1}
		status=$(check_new_acl $bit $newmode $isdir)
	fi
	expect=$prefix$status:deny
	$ECHO $expect
}

#
# Verify that the ACL found on <node> after 'chmod <newmode>' is the one
# expected for the given aclmode. Calls log_fail on the first mismatch.
#
# $1 aclmode	passthrough, groupmask or discard
# $2 node	file or directory to inspect
# $3 newmode	the three digit mode that was applied with chmod
#
# Reads the globals acls[] and maxnumber (the ACEs that were added and their
# number) and odir/ofile (the reference objects). Assigns the globals flag
# and passthrough, which build_new_acl and cal_bits read. i, expect1, expect2,
# who, aclaction, prefix, acltemp, reduce, pos, owner, group, new_bit, priv
# and aclcur are not declared with typeset either and are therefore global
# too.
#
function verify_aclmode # <aclmode> <node> <newmode>
{
	typeset aclmode=$1
	typeset node=$2
	typeset newmode=$3

	# count: index of the ACE to fetch from the node
	# pass: marks whether the current ACE should be skipped; it is only
	#	ever set to 0 in this function
	# passcnt: set to maxnumber when the per-ACE comparison does not
	#	apply and the node is compared with its reference object instead

	typeset -i count=0 pass=0 passcnt=0
	typeset -i bits=0 obits=0 bits_owner=0 isdir=0
	typeset -i total_acl
	typeset -i acl_count=$(count_ACE $node)

	# NOTE(review): the 3 is presumably the number of ACEs a node carries
	# besides the maxnumber that were added - confirm.
	((total_acl = maxnumber + 3))

	if [[ -d $node ]]; then
		((isdir = 1))
	fi

	# Walk acls[] from the entry added last to the one added first, while
	# count walks the ACEs of the node upwards from index 0.
	((i = maxnumber - 1))
	count=0
	passcnt=0
	flag=0
	while ((i >= 0)); do
		pass=0
		expect1=${acls[$i]}
		passthrough=0
		#
		# aclmode=passthrough,
		# no changes will be made to the ACL other than
		# generating the necessary ACL entries to represent
		# the new mode of the file or directory.
		#
		# aclmode=discard,
		# delete all ACL entries that don't represent
		# the mode of the file.
		#
		# aclmode=groupmask,
		# reduce user or group permissions. The permissions are
		# reduced, such that they are no greater than the group
		# permission bits, unless it is a user entry that has the
		# same UID as the owner of the file or directory.
		# Then, the ACL permissions are reduced so that they are
		# no greater than owner permission bits.
		#

		case $aclmode in
		passthrough)
			if ((acl_count > total_acl)); then
				# The node holds more ACEs than accounted for
				# so far: expect a generated deny entry here.
				# i is bumped so that the decrement at the end
				# of the loop leaves it on the same acls[]
				# entry for the next round.
				expect1=$(build_new_acl $newmode $isdir)
				flag=1
				((total_acl = total_acl + 1))
				((i = i + 1))
			else
				# The ACE is expected unchanged, apart from the
				# directory spelling of its permissions.
				passthrough=1
				expect1=$(translate_acl $isdir $expect1)
			fi
			;;
		groupmask)
			if ((acl_count > total_acl)); then
				# Same handling of a generated deny entry as
				# in the passthrough case.
				expect1=$(build_new_acl $newmode $isdir)
				flag=1
				((total_acl = total_acl + 1))
				((i = i + 1))

			elif [[ $expect1 == *":allow"* ]]; then
				who=${expect1%%:*}
				aclaction=${expect1##*:}
				prefix=$who
				acltemp=""
				reduce=0
				#
				# To determine the mask bits
				# according to the entry type.
				# pos is the index of the mode digit to use:
				# 0 owner, 1 group, 2 everyone.
				#
				case $who in
				owner@)
					pos=0
					;;
				group@)
					pos=1
					;;
				everyone@)
					pos=2
					;;
				user)
					# A user entry for the owner of the
					# node uses the owner digit, any other
					# user entry the group digit.
					# NOTE(review): group is assigned but
					# not read anywhere in this function.
					acltemp=${expect1#*:}
					acltemp=${acltemp%%:*}
					owner=$(get_owner $node)
					group=$(get_group $node)
					if [[ $acltemp == \
					    $owner ]]; then
						pos=0
					else
						pos=1
					fi
					prefix=$prefix:$acltemp
					;;
				group)
					acltemp=${expect1#*:}
					acltemp=${acltemp%%:*}
					pos=1
					prefix=$prefix:$acltemp
					reduce=1
					;;
				esac
				obits=${newmode:$pos:1}
				((bits = $obits))
				#
				# permission should be no greater than the
				# group permission bits
				#
				if ((reduce != 0)); then
					((bits &= ${newmode:1:1}))
					# The ACL permissions are reduced so
					# that they are no greater than owner
					# permission bits.

					((bits_owner = ${newmode:0:1}))
					((bits &= $bits_owner))
				fi

				# NOTE(review): passthrough is 0 in this branch
				# and $expect1 contains "allow", so cal_bits
				# looks like it always prints an empty string
				# here. new_bit and priv would then be empty
				# and expect1 would end up as "$prefix::allow"
				# - confirm that this is the intended
				# expectation.
				if ((bits < obits)) && \
				    [[ -n $acltemp ]]; then
					expect2=$prefix:
					new_bit=$(cal_bits $isdir $obits $bits_owner $expect1 1)
					expect2=${expect2}${new_bit}:allow
				else
					expect2=$prefix:
					new_bit=$(cal_bits $isdir $obits $obits $expect1 1)
					expect2=${expect2}${new_bit}:allow
				fi
				priv=$(cal_bits $isdir $obits $bits_owner $expect2 0)
				expect1=$prefix:$priv:$aclaction
			else
				# Entries without ":allow" are expected
				# unchanged, apart from the directory spelling.
				expect1=$(translate_acl $isdir $expect1)
			fi
			;;
		discard)
			# Nothing is compared entry by entry; the node is
			# compared with its reference object after the loop.
			passcnt=maxnumber
			break
			;;
		esac

		if ((pass == 0)) ; then
			# Fetch ACE number $count from the node and strip the
			# leading "<index>:" before comparing.
			#
			# NOTE(review): an empty expect1 skips the comparison,
			# and the unquoted right-hand side of != is matched as
			# a pattern rather than compared literally. Either can
			# let a wrong ACE go unnoticed.

			aclcur=$(get_ACE $node $count)
			aclcur=${aclcur#$count:}
			if [[ -n $expect1 && $expect1 != $aclcur ]]; then
				$LS -vd $node
				log_fail "$aclmode $i #$count " \
				    "ACE: $aclcur, expect to be " \
				    "$expect1"
			fi
			((count = count + 1))
		fi
		((i = i - 1))
	done

	#
	# If no ACE was checked individually, the node should look like a
	# normal file/dir: compare its ACL with the reference object of the
	# same kind.
	#
	if ((passcnt == maxnumber)); then
		if [[ -d $node ]]; then
			compare_acls $node $odir
		elif [[ -f $node ]]; then
			compare_acls $node $ofile
		fi

		# $? is the status of the if/elif above: the result of
		# compare_acls, or 0 when the node is neither a directory nor
		# a regular file, in which case nothing has been compared.
		if [[ $? -ne 0 ]]; then
			$LS -vd $node
			log_fail "Unexpect acl: $node, $aclmode ($newmode)"
		fi
	fi
}



# maxnumber: number of ACEs added to the node that is currently under test
# passthrough, flag: shared with cal_bits and build_new_acl respectively
typeset -i maxnumber=0
typeset acl
typeset target
typeset -i passthrough=0
typeset -i flag=0
# Remembered so that cleanup can return here.
cwd=$PWD
cd $TESTDIR

for mode in "${aclmode_flag[@]}"; do

	#
	# Set different value of aclmode
	#

	log_must $ZFS set aclmode=$mode $TESTPOOL/$TESTFS

	# Run once as root and once as $ZFS_ACL_STAFF1.
	for user in root $ZFS_ACL_STAFF1; do
		log_must set_cur_usr $user

		log_must usr_exec $MKDIR $basedir

		log_must usr_exec $MKDIR $odir
		log_must usr_exec $TOUCH $ofile
		log_must usr_exec $MKDIR $ndir
		log_must usr_exec $TOUCH $nfile

		for obj in $allnodes; do
			maxnumber=0
			# Add one ACE per preset/prefix combination,
			# alternating between deny (even index) and allow
			# (odd index), and remember each one in acls[].
			for preset in "${ace_file_preset[@]}"; do
				for prefix in "${ace_prefix[@]}"; do
					acl=$prefix:$preset

					case $((maxnumber % 2)) in
					0)
						acl=$acl:deny
						;;
					1)
						acl=$acl:allow
						;;
					esac

					#
					# Place on the target should succeed.
					#
					log_must usr_exec $CHMOD A+$acl $obj
					acls[$maxnumber]=$acl

					((maxnumber = maxnumber + 1))
				done
			done
			# Archive the file and directory so that the state
			# before chmod can be brought back for every mode.
			# NOTE(review): the p and @ flags presumably make tar
			# keep ACLs and extended attributes - confirm against
			# tar(1) on the test platform.
			log_must $TAR cpf@ $TARFILE $basedir

			# Reference object of the same kind as $obj.
			if [[ -d $obj ]]; then
				target=$odir
			elif [[ -f $obj ]]; then
				target=$ofile
			fi
			for newmode in "${argv[@]}"; do
				# chmod the node under test and its reference
				# object alike, then check the resulting ACL.
				log_must usr_exec $CHMOD $newmode $obj
				log_must usr_exec $CHMOD $newmode $target
				log_must verify_aclmode $mode $obj $newmode

				# Restore the tar archive
				log_must $TAR xpf@ $TARFILE
			done
		done

		log_must usr_exec $RM -rf $basedir $TARFILE
	done
done

log_pass "Verify chmod behaviour co-op with aclmode setting passed."