acl/nontrivial/zfs_acl_chmod_rwx_004_pos.ksh

d583b39bSJohn Wren Kennedy#!/bin/ksh -p
d583b39bSJohn Wren Kennedy#
d583b39bSJohn Wren Kennedy# CDDL HEADER START
d583b39bSJohn Wren Kennedy#
d583b39bSJohn Wren Kennedy# The contents of this file are subject to the terms of the
d583b39bSJohn Wren Kennedy# Common Development and Distribution License (the "License").
d583b39bSJohn Wren Kennedy# You may not use this file except in compliance with the License.
d583b39bSJohn Wren Kennedy#
d583b39bSJohn Wren Kennedy# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
d583b39bSJohn Wren Kennedy# or http://www.opensolaris.org/os/licensing.
d583b39bSJohn Wren Kennedy# See the License for the specific language governing permissions
d583b39bSJohn Wren Kennedy# and limitations under the License.
d583b39bSJohn Wren Kennedy#
d583b39bSJohn Wren Kennedy# When distributing Covered Code, include this CDDL HEADER in each
d583b39bSJohn Wren Kennedy# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
d583b39bSJohn Wren Kennedy# If applicable, add the following below this CDDL HEADER, with the
d583b39bSJohn Wren Kennedy# fields enclosed by brackets "[]" replaced with your own identifying
d583b39bSJohn Wren Kennedy# information: Portions Copyright [yyyy] [name of copyright owner]
d583b39bSJohn Wren Kennedy#
d583b39bSJohn Wren Kennedy# CDDL HEADER END
d583b39bSJohn Wren Kennedy#
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedy#
d583b39bSJohn Wren Kennedy# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
d583b39bSJohn Wren Kennedy# Use is subject to license terms.
d583b39bSJohn Wren Kennedy#
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedy#
*1d32ba66SJohn Wren Kennedy# Copyright (c) 2012, 2016 by Delphix. All rights reserved.
d583b39bSJohn Wren Kennedy#
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedy. $STF_SUITE/tests/functional/acl/acl_common.kshlib
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedy#
d583b39bSJohn Wren Kennedy# DESCRIPTION:
d583b39bSJohn Wren Kennedy#	Verify that explicit ACL setting to specified user or group will
d583b39bSJohn Wren Kennedy#	override existed access rule.
d583b39bSJohn Wren Kennedy#
d583b39bSJohn Wren Kennedy# STRATEGY:
d583b39bSJohn Wren Kennedy#	1. Loop root and non-root user.
d583b39bSJohn Wren Kennedy#	2. Loop the specified access one by one.
d583b39bSJohn Wren Kennedy#	3. Loop verify explicit ACL set to specified user and group.
d583b39bSJohn Wren Kennedy#
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedyverify_runnable "both"
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedyfunction check_access #log user node access rflag
d583b39bSJohn Wren Kennedy{
d583b39bSJohn Wren Kennedy	typeset log=$1
d583b39bSJohn Wren Kennedy	typeset user=$2
d583b39bSJohn Wren Kennedy	typeset node=$3
d583b39bSJohn Wren Kennedy	typeset access=$4
d583b39bSJohn Wren Kennedy	typeset rflag=$5
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedy	if [[ $rflag == "allow" && $access == execute ]]; then
d583b39bSJohn Wren Kennedy		rwx_node $user $node $access
d583b39bSJohn Wren Kennedy		#
d583b39bSJohn Wren Kennedy		# When everyone@ were deny, this file can't execute.
d583b39bSJohn Wren Kennedy		# So,'cannot execute' means user has the permission to
d583b39bSJohn Wren Kennedy		# execute, just the file can't be execute.
d583b39bSJohn Wren Kennedy		#
d583b39bSJohn Wren Kennedy		if [[ $ZFS_ACL_ERR_STR == *"cannot execute"* ]]; then
d583b39bSJohn Wren Kennedy			log_note "SUCCESS: rwx_node $user $node $access"
d583b39bSJohn Wren Kennedy		else
d583b39bSJohn Wren Kennedy			log_fail "FAIL: rwx_node $user $node $access"
d583b39bSJohn Wren Kennedy		fi
d583b39bSJohn Wren Kennedy	else
d583b39bSJohn Wren Kennedy		$log rwx_node $user $node $access
d583b39bSJohn Wren Kennedy	fi
d583b39bSJohn Wren Kennedy}
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedyfunction verify_explicit_ACL_rule #node access flag
d583b39bSJohn Wren Kennedy{
d583b39bSJohn Wren Kennedy	typeset node=$1
d583b39bSJohn Wren Kennedy	typeset access=$2
d583b39bSJohn Wren Kennedy	typeset flag=$3
d583b39bSJohn Wren Kennedy	typeset log rlog rflag
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedy	# Get the expect log check
d583b39bSJohn Wren Kennedy	if [[ $flag == allow ]]; then
d583b39bSJohn Wren Kennedy		log=log_mustnot
d583b39bSJohn Wren Kennedy		rlog=log_must
d583b39bSJohn Wren Kennedy		rflag=deny
d583b39bSJohn Wren Kennedy	else
d583b39bSJohn Wren Kennedy		log=log_must
d583b39bSJohn Wren Kennedy		rlog=log_mustnot
d583b39bSJohn Wren Kennedy		rflag=allow
d583b39bSJohn Wren Kennedy	fi
d583b39bSJohn Wren Kennedy
*1d32ba66SJohn Wren Kennedy	log_must usr_exec chmod A+everyone@:$access:$flag $node
*1d32ba66SJohn Wren Kennedy	log_must usr_exec chmod A+user:$ZFS_ACL_OTHER1:$access:$rflag $node
d583b39bSJohn Wren Kennedy	check_access $log $ZFS_ACL_OTHER1 $node $access $rflag
*1d32ba66SJohn Wren Kennedy	log_must usr_exec chmod A0- $node
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedy	log_must usr_exec \
*1d32ba66SJohn Wren Kennedy		chmod A+group:$ZFS_ACL_OTHER_GROUP:$access:$rflag $node
d583b39bSJohn Wren Kennedy	check_access $log $ZFS_ACL_OTHER1 $node $access $rflag
d583b39bSJohn Wren Kennedy	check_access $log $ZFS_ACL_OTHER2 $node $access $rflag
*1d32ba66SJohn Wren Kennedy	log_must usr_exec chmod A0- $node
*1d32ba66SJohn Wren Kennedy	log_must usr_exec chmod A0- $node
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedy	log_must usr_exec \
*1d32ba66SJohn Wren Kennedy		chmod A+group:$ZFS_ACL_OTHER_GROUP:$access:$flag $node
*1d32ba66SJohn Wren Kennedy	log_must usr_exec chmod A+user:$ZFS_ACL_OTHER1:$access:$rflag $node
d583b39bSJohn Wren Kennedy	$log rwx_node $ZFS_ACL_OTHER1 $node $access
d583b39bSJohn Wren Kennedy	$rlog rwx_node $ZFS_ACL_OTHER2 $node $access
*1d32ba66SJohn Wren Kennedy	log_must usr_exec chmod A0- $node
*1d32ba66SJohn Wren Kennedy	log_must usr_exec chmod A0- $node
d583b39bSJohn Wren Kennedy}
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedylog_assert "Verify that explicit ACL setting to specified user or group will" \
d583b39bSJohn Wren Kennedy	"override existed access rule."
d583b39bSJohn Wren Kennedylog_onexit cleanup
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedyset -A a_access "read_data" "write_data" "execute"
d583b39bSJohn Wren Kennedyset -A a_flag "allow" "deny"
d583b39bSJohn Wren Kennedytypeset node
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedyfor user in root $ZFS_ACL_STAFF1; do
d583b39bSJohn Wren Kennedy	log_must set_cur_usr $user
d583b39bSJohn Wren Kennedy
*1d32ba66SJohn Wren Kennedy	log_must usr_exec touch $testfile
*1d32ba66SJohn Wren Kennedy	log_must usr_exec mkdir $testdir
*1d32ba66SJohn Wren Kennedy	log_must usr_exec chmod 755 $testfile $testdir
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedy	for node in $testfile $testdir; do
d583b39bSJohn Wren Kennedy		for access in ${a_access[@]}; do
d583b39bSJohn Wren Kennedy			for flag in ${a_flag[@]}; do
d583b39bSJohn Wren Kennedy				verify_explicit_ACL_rule $node $access $flag
d583b39bSJohn Wren Kennedy			done
d583b39bSJohn Wren Kennedy		done
d583b39bSJohn Wren Kennedy	done
d583b39bSJohn Wren Kennedy
*1d32ba66SJohn Wren Kennedy	log_must usr_exec rm -rf $testfile $testdir
d583b39bSJohn Wren Kennedydone
d583b39bSJohn Wren Kennedy
d583b39bSJohn Wren Kennedylog_pass "Explicit ACL setting to specified user or group will override " \
d583b39bSJohn Wren Kennedy	"existed access rule passed."