#!/bin/ksh -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#

#
# Copyright (c) 2012, 2016 by Delphix. All rights reserved.
#

. $STF_SUITE/tests/functional/acl/acl_common.kshlib

#
# DESCRIPTION:
#	Verify that an explicit ACL entry set for a specific user or group
#	overrides the existing access rule.
#
# STRATEGY:
#	1. Loop over root and a non-root user.
#	2. Loop over the specified access types one by one.
#	3. For each, verify explicit ACL entries set for a specific user
#	   and for a group.
#
# NOTE(review): every expansion below ($node, $testfile, $testdir, the
# $ZFS_ACL_* names) is unquoted and is handed to helpers from
# acl_common.kshlib, which is not shown here. The script therefore
# assumes the suite sets these to single words with no whitespace or
# glob characters; that matters most for the "rm -rf" at the end of each
# pass, one of which runs with root as the current test user.
#

verify_runnable "both"

#
# Probe one access type as one user and judge the outcome.
#
#	$1 log		log wrapper to run the probe under
#	$2 user		account the probe runs as
#	$3 node		file or directory under test
#	$4 access	access type probed (read_data, write_data, execute)
#	$5 rflag	allow/deny flag of the explicit user or group ACE
#
function check_access #log user node access rflag
{
	typeset log=$1
	typeset user=$2
	typeset node=$3
	typeset access=$4
	typeset rflag=$5

	if [[ $rflag != "allow" || $access != execute ]]; then
		# Ordinary case: the wrapper in $log decides pass or fail
		# from the probe itself.
		$log rwx_node $user $node $access
	else
		rwx_node $user $node $access
		#
		# With everyone@ denied, the file itself cannot be
		# executed. A 'cannot execute' error therefore means the
		# user did hold execute permission and only the file could
		# not be run. ZFS_ACL_ERR_STR is presumably filled in by
		# rwx_node (defined outside this file).
		#
		if [[ $ZFS_ACL_ERR_STR == *"cannot execute"* ]]; then
			log_note "SUCCESS: rwx_node $user $node $access"
		else
			log_fail "FAIL: rwx_node $user $node $access"
		fi
	fi
}

#
# Check that an explicit user or group ACE takes effect over an opposite
# rule already present on the node.
#
#	$1 node		file or directory under test
#	$2 access	access type (read_data, write_data, execute)
#	$3 flag		flag of the underlying rule; the explicit ACE
#			gets the opposite one
#
# The sequence is position-dependent: "chmod A+" puts the new ACE at
# index 0 and "chmod A0-" removes whatever ACE is at index 0, so the
# add/remove calls below act as a stack and must stay in this order.
# What is exercised is an explicit entry placed ahead of the rule it
# overrides; the same entries in another order are not covered here.
#
function verify_explicit_ACL_rule #node access flag
{
	typeset node=$1
	typeset access=$2
	typeset flag=$3
	typeset log rlog rflag

	# Pick the expected-result wrappers: $log for accounts governed by
	# the $rflag entry, $rlog for accounts governed by the $flag entry.
	case $flag in
	allow)
		log=log_mustnot
		rlog=log_must
		rflag=deny
		;;
	*)
		log=log_must
		rlog=log_mustnot
		rflag=allow
		;;
	esac

	# Case 1: user ACE on top of an everyone@ ACE.
	log_must usr_exec chmod A+everyone@:$access:$flag $node
	log_must usr_exec chmod A+user:$ZFS_ACL_OTHER1:$access:$rflag $node
	check_access $log $ZFS_ACL_OTHER1 $node $access $rflag
	# Drop only the user ACE; the everyone@ ACE stays for case 2.
	log_must usr_exec chmod A0- $node

	# Case 2: group ACE on top of the same everyone@ ACE. Both accounts
	# are checked with $log, so both are presumably members of
	# $ZFS_ACL_OTHER_GROUP (confirm in the suite's setup).
	log_must usr_exec chmod A+group:$ZFS_ACL_OTHER_GROUP:$access:$rflag $node
	check_access $log $ZFS_ACL_OTHER1 $node $access $rflag
	check_access $log $ZFS_ACL_OTHER2 $node $access $rflag
	# Two removals: the group ACE, then the everyone@ ACE.
	log_must usr_exec chmod A0- $node
	log_must usr_exec chmod A0- $node

	# Case 3: user ACE ($rflag) on top of a group ACE ($flag). OTHER1 is
	# expected to follow its own user entry, OTHER2 the group entry.
	log_must usr_exec chmod A+group:$ZFS_ACL_OTHER_GROUP:$access:$flag $node
	log_must usr_exec chmod A+user:$ZFS_ACL_OTHER1:$access:$rflag $node
	$log rwx_node $ZFS_ACL_OTHER1 $node $access
	$rlog rwx_node $ZFS_ACL_OTHER2 $node $access
	# Two removals: the user ACE, then the group ACE.
	log_must usr_exec chmod A0- $node
	log_must usr_exec chmod A0- $node
}

log_assert "Verify that explicit ACL setting to specified user or group will" \
	"override existed access rule."
# cleanup is not defined in this file; presumably it comes from the
# sourced library.
log_onexit cleanup

set -A a_access read_data write_data execute
set -A a_flag allow deny
typeset node

# One full pass as root and one as the non-root staff account.
for user in root $ZFS_ACL_STAFF1; do
	log_must set_cur_usr $user

	# Fresh file and directory for this pass, both starting at mode 755.
	log_must usr_exec touch $testfile
	log_must usr_exec mkdir $testdir
	log_must usr_exec chmod 755 $testfile $testdir

	# Every node x access type x flag combination.
	for node in $testfile $testdir; do
		for access in "${a_access[@]}"; do
			for flag in "${a_flag[@]}"; do
				verify_explicit_ACL_rule $node $access $flag
			done
		done
	done

	# Recursive delete as the current test user (root on the first
	# pass); relies on $testfile and $testdir being set by the suite.
	log_must usr_exec rm -rf $testfile $testdir
done

log_pass "Explicit ACL setting to specified user or group will override " \
	"existed access rule passed."