Index: head/etc/mtree/BSD.tests.dist
===================================================================
--- head/etc/mtree/BSD.tests.dist
+++ head/etc/mtree/BSD.tests.dist
@@ -360,6 +360,8 @@
 ..
 ..
 sys
+ acl
+ ..
 aio
 ..
 fifo
Index: head/tests/sys/Makefile
===================================================================
--- head/tests/sys/Makefile
+++ head/tests/sys/Makefile
@@ -4,6 +4,7 @@
 TESTSDIR= ${TESTSBASE}/sys
+TESTS_SUBDIRS+= acl
 TESTS_SUBDIRS+= aio
 TESTS_SUBDIRS+= fifo
 TESTS_SUBDIRS+= file
Index: head/tests/sys/acl/00.sh
===================================================================
--- head/tests/sys/acl/00.sh
+++ head/tests/sys/acl/00.sh
@@ -0,0 +1,88 @@
+#!/bin/sh
+#
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a wrapper script to run tools-posix.test on UFS filesystem.
+#
+# If any of the tests fails, here is how to debug it: go to
+# the directory with problematic filesystem mounted on it,
+# and do /path/to/test run /path/to/test tools-posix.test, e.g.
+#
+# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-posix.test
+#
+# Output should be obvious.
+
+if [ $(sysctl -n kern.features.ufs_acl 2>/dev/null || echo 0) -eq 0 ]; then
+ echo "1..0 # SKIP system does not have UFS ACL support"
+ exit 0
+fi
+if [ $(id -u) -ne 0 ]; then
+ echo "1..0 # SKIP you must be root"
+ exit 0
+fi
+
+echo "1..4"
+
+TESTDIR=$(dirname $(realpath $0))
+
+# Set up the test filesystem.
+MD=`mdconfig -at swap -s 10m`
+MNT=`mktemp -dt acltools`
+newfs /dev/$MD > /dev/null
+trap "cd /; umount -f $MNT; rmdir $MNT; mdconfig -d -u $MD" EXIT
+mount -o acls /dev/$MD $MNT
+if [ $? -ne 0 ]; then
+ echo "not ok 1 - mount failed."
+ echo 'Bail out!'
+ exit 1
+fi
+
+echo "ok 1"
+
+cd $MNT
+
+# First, check whether we can crash the kernel by creating too many
+# entries. For some reason this won't work in the test file.
+touch xxx
+i=0;
+while :; do i=$(($i+1)); setfacl -m u:$i:rwx xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done
+chmod 600 xxx
+rm xxx
+echo "ok 2"
+
+perl $TESTDIR/run $TESTDIR/tools-posix.test > /dev/null
+
+if [ $? -eq 0 ]; then
+ echo "ok 3"
+else
+ echo "not ok 3"
+fi
+
+cd /
+
+echo "ok 4"
Index: head/tests/sys/acl/01.sh
===================================================================
--- head/tests/sys/acl/01.sh
+++ head/tests/sys/acl/01.sh
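Review bot: In 00.sh, `MD` and `MNT` are used without checking that `mdconfig` and `mktemp` succeeded, and they are expanded unquoted into `newfs`, `mount` and the double-quoted EXIT trap string while the script runs as root. If either command fails, the later commands operate on `/dev/` or an empty mount point; a guard such as `[ -n "$MD" ] && [ -d "$MNT" ] || { echo 'Bail out!'; exit 1; }` before `newfs`, plus quoting the expansions, closes that gap. The `while :` loop that fills the ACL also has no upper bound, so the test never finishes if `setfacl` keeps succeeding; a counter limit would let it report `not ok 2` instead. 02.sh uses the same setup pattern.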
@@ -0,0 +1,87 @@
+#!/bin/sh
+#
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a wrapper script to run tools-nfs4.test on ZFS filesystem.
+#
+# WARNING: It uses hardcoded ZFS pool name "acltools"
+#
+# If any of the tests fails, here is how to debug it: go to
+# the directory with problematic filesystem mounted on it,
+# and do /path/to/test run /path/to/test tools-nfs4.test, e.g.
+#
+# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test
+#
+# Output should be obvious.
+
+if ! sysctl vfs.zfs.version.spa >/dev/null 2>&1; then
+ echo "1..0 # SKIP system doesn't have ZFS loaded"
+ exit 0
+fi
+if [ $(id -u) -ne 0 ]; then
+ echo "1..0 # SKIP you must be root"
+ exit 0
+fi
+
+echo "1..4"
+
+TESTDIR=$(dirname $(realpath $0))
+
+# Set up the test filesystem.
+MD=`mdconfig -at swap -s 64m`
+MNT=`mktemp -dt acltools`
+trap "cd /; zpool destroy -f acltools; rmdir $MNT; mdconfig -d -u $MD" EXIT
+zpool create -m $MNT acltools /dev/$MD
+if [ $? -ne 0 ]; then
+ echo "not ok 1 - 'zpool create' failed."
+ echo 'Bail out!'
+ exit 1
+fi
+
+echo "ok 1"
+
+cd $MNT
+
+# First, check whether we can crash the kernel by creating too many
+# entries. For some reason this won't work in the test file.
+touch xxx
+setfacl -x2 xxx
+while :; do setfacl -a0 u:42:rwx:allow xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done
+chmod 600 xxx
+rm xxx
+echo "ok 2"
+
+perl $TESTDIR/run $TESTDIR/tools-nfs4-psarc.test > /dev/null
+
+if [ $? -eq 0 ]; then
+ echo "ok 3"
+else
+ echo "not ok 3"
+fi
+
+echo "ok 4"
Index: head/tests/sys/acl/02.sh
===================================================================
--- head/tests/sys/acl/02.sh
+++ head/tests/sys/acl/02.sh
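Review bot: In 01.sh the EXIT trap containing `zpool destroy -f acltools` is installed before `zpool create` runs, so when creation fails because a pool named `acltools` already exists on the machine, the `exit 1` path force-destroys that pre-existing pool. The destroy step should only be added to the trap after the create has succeeded, and a per-run pool name would avoid the collision in the first place. 03.sh and 04.sh use the same fixed name, although there the destroy only runs after a successful create. A sketch of the reordered setup follows.

```sh
POOL="acltools_$$"
MD=`mdconfig -at swap -s 64m`
MNT=`mktemp -dt acltools`
# Clean up only what exists so far; no pool belongs to this run yet.
trap 'cd /; rmdir "$MNT"; mdconfig -d -u "$MD"' EXIT
zpool create -m "$MNT" "$POOL" "/dev/$MD"
if [ $? -ne 0 ]; then
	# … unchanged: "not ok 1" / "Bail out!" / exit 1 …
fi
# The pool was created by this run, so it is now safe to destroy on exit.
trap 'cd /; zpool destroy -f "$POOL"; rmdir "$MNT"; mdconfig -d -u "$MD"' EXIT
```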
@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a wrapper script to run tools-nfs4.test on UFS filesystem.
+#
+# If any of the tests fails, here is how to debug it: go to
+# the directory with problematic filesystem mounted on it,
+# and do /path/to/test run /path/to/test tools-nfs4.test, e.g.
+#
+# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test
+#
+# Output should be obvious.
+
+if [ $(sysctl -n kern.features.ufs_acl 2>/dev/null || echo 0) -eq 0 ]; then
+ echo "1..0 # SKIP system does not have UFS ACL support"
+ exit 0
+fi
+if [ $(id -u) -ne 0 ]; then
+ echo "1..0 # SKIP you must be root"
+ exit 0
+fi
+
+echo "1..4"
+
+TESTDIR=$(dirname $(realpath $0))
+
+# Set up the test filesystem.
+MD=`mdconfig -at swap -s 10m`
+MNT=`mktemp -dt acltools`
+newfs /dev/$MD > /dev/null
+trap "cd /; umount -f $MNT; rmdir $MNT; mdconfig -d -u $MD" EXIT
+mount -o nfsv4acls /dev/$MD $MNT
+if [ $? -ne 0 ]; then
+ echo "not ok 1 - mount failed."
+ echo 'Bail out!'
+ exit 1
+fi
+
+echo "ok 1"
+
+cd $MNT
+
+# First, check whether we can crash the kernel by creating too many
+# entries. For some reason this won't work in the test file.
+touch xxx
+setfacl -x2 xxx
+while :; do setfacl -a0 u:42:rwx:allow xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done
+chmod 600 xxx
+rm xxx
+echo "ok 2"
+
+if [ `sysctl -n vfs.acl_nfs4_old_semantics` = 0 ]; then
+ perl $TESTDIR/run $TESTDIR/tools-nfs4-psarc.test > /dev/null
+else
+ perl $TESTDIR/run $TESTDIR/tools-nfs4.test > /dev/null
+fi
+
+if [ $? -eq 0 ]; then
+ echo "ok 3"
+else
+ echo "not ok 3"
+fi
+
+cd /
+
+echo "ok 4"
+
Index: head/tests/sys/acl/03.sh
===================================================================
--- head/tests/sys/acl/03.sh
+++ head/tests/sys/acl/03.sh
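Review bot: In 02.sh the check ``[ `sysctl -n vfs.acl_nfs4_old_semantics` = 0 ]`` is unquoted, so on a kernel where that sysctl is absent the substitution is empty, `[` fails with a syntax error, and the script silently takes the `else` branch and runs tools-nfs4.test. Quoting makes the comparison well-formed and the choice deliberate, e.g. `if [ "$(sysctl -n vfs.acl_nfs4_old_semantics 2>/dev/null)" = 0 ]; then`. A comment stating which test file is intended when the sysctl does not exist would help, since the hunk does not say.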
@@ -0,0 +1,117 @@
+#!/bin/sh
+#
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a wrapper script to run tools-crossfs.test between UFS without
+# ACLs, UFS with POSIX.1e ACLs, and ZFS with NFSv4 ACLs.
+#
+# WARNING: It uses hardcoded ZFS pool name "acltools"
+#
+# Output should be obvious.
+
+if ! sysctl vfs.zfs.version.spa >/dev/null 2>&1; then
+ echo "1..0 # SKIP system doesn't have ZFS loaded"
+ exit 0
+fi
+if [ $(id -u) -ne 0 ]; then
+ echo "1..0 # SKIP you must be root"
+ exit 0
+fi
+
+echo "1..5"
+
+TESTDIR=$(dirname $(realpath $0))
+MNTROOT=`mktemp -dt acltools`
+
+# Set up the test filesystems.
+MD1=`mdconfig -at swap -s 64m`
+MNT1=$MNTROOT/nfs4
+mkdir $MNT1
+zpool create -m $MNT1 acltools /dev/$MD1
+if [ $? -ne 0 ]; then
+ echo "not ok 1 - 'zpool create' failed."
+ echo 'Bail out!'
+ exit 1
+fi
+
+echo "ok 1"
+
+MD2=`mdconfig -at swap -s 10m`
+MNT2=$MNTROOT/posix
+mkdir $MNT2
+newfs /dev/$MD2 > /dev/null
+mount -o acls /dev/$MD2 $MNT2
+if [ $? -ne 0 ]; then
+ echo "not ok 2 - mount failed."
+ echo 'Bail out!'
+ exit 1
+fi
+
+echo "ok 2"
+
+MD3=`mdconfig -at swap -s 10m`
+MNT3=$MNTROOT/none
+mkdir $MNT3
+newfs /dev/$MD3 > /dev/null
+mount /dev/$MD3 $MNT3
+if [ $? -ne 0 ]; then
+ echo "not ok 3 - mount failed."
+ echo 'Bail out!'
+ exit 1
+fi
+
+echo "ok 3"
+
+cd $MNTROOT
+
+perl $TESTDIR/run $TESTDIR/tools-crossfs.test > /dev/null
+
+if [ $? -eq 0 ]; then
+ echo "ok 4"
+else
+ echo "not ok 4"
+fi
+
+cd /
+
+umount -f $MNT3
+rmdir $MNT3
+mdconfig -du $MD3
+
+umount -f $MNT2
+rmdir $MNT2
+mdconfig -du $MD2
+
+zpool destroy -f acltools
+rmdir $MNT1
+mdconfig -du $MD1
+
+rmdir $MNTROOT
+
+echo "ok 5"
+
Index: head/tests/sys/acl/04.sh
===================================================================
--- head/tests/sys/acl/04.sh
+++ head/tests/sys/acl/04.sh
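Review bot: 03.sh installs no EXIT trap, unlike 00.sh to 02.sh: all teardown is inline after the test run, so every `exit 1` on a 'Bail out!' path, and any interrupt, leaves the already-attached memory disks, mounts, the `acltools` pool and the `mktemp` directory behind on the host. For example, a failed `mount` for `$MNT2` exits with the pool still imported and `$MD1` and `$MD2` still attached. Moving the teardown into a function registered with `trap cleanup EXIT`, and having it skip resources that were never created, fixes this; 04.sh has the same shape and leaks `$MD` and `$MNT` when `zpool create` fails.

```sh
MNTROOT=`mktemp -dt acltools`

cleanup()
{
	cd /
	if [ -n "$MD3" ]; then umount -f "$MNT3"; rmdir "$MNT3"; mdconfig -du "$MD3"; fi
	if [ -n "$MD2" ]; then umount -f "$MNT2"; rmdir "$MNT2"; mdconfig -du "$MD2"; fi
	# Only destroy the pool if this run created it.
	if [ -n "$POOL_CREATED" ]; then zpool destroy -f acltools; fi
	if [ -n "$MD1" ]; then rmdir "$MNT1"; mdconfig -du "$MD1"; fi
	rmdir "$MNTROOT"
}
trap cleanup EXIT

# … unchanged: MD1/MNT1 setup and 'zpool create' check …
POOL_CREATED=1
# … unchanged: MD2/MD3 setup and test run; the inline teardown at the end is dropped …
```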
@@ -0,0 +1,73 @@
+#!/bin/sh
+#
+# Copyright (c) 2011 Edward Tomasz Napierała
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a wrapper script to run tools-nfs4-trivial.test on ZFS filesystem.
+#
+# WARNING: It uses hardcoded ZFS pool name "acltools"
+
+if ! sysctl vfs.zfs.version.spa >/dev/null 2>&1; then
+ echo "1..0 # SKIP system doesn't have ZFS loaded"
+ exit 0
+fi
+if [ $(id -u) -ne 0 ]; then
+ echo "1..0 # SKIP you must be root"
+ exit 0
+fi
+
+echo "1..3"
+
+TESTDIR=$(dirname $(realpath $0))
+
+# Set up the test filesystem.
+MD=`mdconfig -at swap -s 64m`
+MNT=`mktemp -dt acltools`
+zpool create -m $MNT acltools /dev/$MD
+if [ $? -ne 0 ]; then
+ echo "not ok 1 - 'zpool create' failed."
+ exit 1
+fi
+
+echo "ok 1"
+
+cd $MNT
+
+perl $TESTDIR/run $TESTDIR/tools-nfs4-trivial.test > /dev/null
+
+if [ $? -eq 0 ]; then
+ echo "ok 2"
+else
+ echo "not ok 2"
+fi
+
+cd /
+zpool destroy -f acltools
+rmdir $MNT
+mdconfig -du $MD
+
+echo "ok 3"
Index: head/tests/sys/acl/Makefile
===================================================================
--- head/tests/sys/acl/Makefile
+++ head/tests/sys/acl/Makefile
@@ -0,0 +1,29 @@
+# $FreeBSD$
+
+TESTSDIR= ${TESTSBASE}/sys/acl
+
+BINDIR= ${TESTSDIR}
+
+FILES+= tools-crossfs.test
+FILES+= tools-nfs4.test
+FILES+= tools-nfs4-psarc.test
+FILES+= tools-nfs4-trivial.test
+FILES+= tools-posix.test
+
+SCRIPTS+= run
+
+TAP_TESTS_SH+= 00
+TAP_TESTS_SH+= 01
+TAP_TESTS_SH+= 02
+TAP_TESTS_SH+= 03
+TAP_TESTS_SH+= 04
+
+.for t in ${TAP_TESTS_SH}
+TEST_METADATA.$t+= required_user="root"
+.endfor
+
+.for t in 01 03 04
+TEST_METADATA.$t+= required_programs="/sbin/zpool"
+.endfor
+
+.include
Index: head/tests/sys/acl/aclfuzzer.sh
===================================================================
--- head/tests/sys/acl/aclfuzzer.sh
+++ head/tests/sys/acl/aclfuzzer.sh
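Review bot: The `required_programs` metadata in tests/sys/acl/Makefile names only `/sbin/zpool`, yet every wrapper script in this commit invokes `perl $TESTDIR/run`. On a host without perl the tests would report `not ok` instead of being skipped, which hides a missing dependency behind a test failure. Declaring perl for all five tests, for instance `TEST_METADATA.$t+= required_programs="perl"` in the first `.for` loop, addresses this; how that combines with the existing `/sbin/zpool` entry for 01, 03 and 04 should be checked, as the two may need to be one space-separated value.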
@@ -0,0 +1,225 @@
+#!/bin/sh
+#
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is an NFSv4 ACL fuzzer. It expects to be run by non-root in a scratch
+# directory on a filesystem with NFSv4 ACLs support. Output it generates
+# is expected to be fed to /usr/src/tools/regression/acltools/run script.
+
+NUMBER_OF_COMMANDS=300
+
+run_command()
+{
+ echo "\$ $1"
+ eval $1 2>&1 | sed 's/^/> /'
+}
+
+rnd_from_0_to()
+{
+ max=`expr $1 + 1`
+ rnd=`jot -r 1`
+ rnd=`expr $rnd % $max`
+
+ echo $rnd
+}
+
+rnd_path()
+{
+ rnd=`rnd_from_0_to 3`
+ case $rnd in
+ 0) echo "$TMP/aaa" ;;
+ 1) echo "$TMP/bbb" ;;
+ 2) echo "$TMP/aaa/ccc" ;;
+ 3) echo "$TMP/bbb/ddd" ;;
+ esac
+}
+
+f_prepend_random_acl_on()
+{
+ rnd=`rnd_from_0_to 4`
+ case $rnd in
+ 0) u="owner@" ;;
+ 1) u="group@" ;;
+ 2) u="everyone@" ;;
+ 3) u="u:1138" ;;
+ 4) u="g:1138" ;;
+ esac
+
+ p=""
+ while :; do
+ rnd=`rnd_from_0_to 30`
+ if [ -n "$p" -a $rnd -ge 14 ]; then
+ break;
+ fi
+
+ case $rnd in
+ 0) p="${p}r" ;;
+ 1) p="${p}w" ;;
+ 2) p="${p}x" ;;
+ 3) p="${p}p" ;;
+ 4) p="${p}d" ;;
+ 5) p="${p}D" ;;
+ 6) p="${p}a" ;;
+ 7) p="${p}A" ;;
+ 8) p="${p}R" ;;
+ 9) p="${p}W" ;;
+ 10) p="${p}R" ;;
+ 11) p="${p}c" ;;
+ 12) p="${p}C" ;;
+ 13) p="${p}o" ;;
+ 14) p="${p}s" ;;
+ esac
+ done
+
+ f=""
+ while :; do
+ rnd=`rnd_from_0_to 10`
+ if [ $rnd -ge 6 ]; then
+ break;
+ fi
+
+ case $rnd in
+ 0) f="${f}f" ;;
+ 1) f="${f}d" ;;
+ 2) f="${f}n" ;;
+ 3) f="${f}i" ;;
+ esac
+ done
+
+ rnd=`rnd_from_0_to 1`
+ case $rnd in
+ 0) x="allow" ;;
+ 1) x="deny" ;;
+ esac
+
+ acl="$u:$p:$f:$x"
+
+ file=`rnd_path`
+ run_command "setfacl -a0 $acl $file"
+}
+
+f_getfacl()
+{
+ file=`rnd_path`
+ run_command "getfacl -qn $file"
+}
+
+f_ls_mode()
+{
+ file=`rnd_path`
+ run_command "ls -al $file | sed -n '2p' | cut -d' ' -f1"
+}
+
+f_chmod()
+{
+ b1=`rnd_from_0_to 7`
+ b2=`rnd_from_0_to 7`
+ b3=`rnd_from_0_to 7`
+ b4=`rnd_from_0_to 7`
+ file=`rnd_path`
+
+ run_command "chmod $b1$b2$b3$b4 $file $2"
+}
+
+f_touch()
+{
+ file=`rnd_path`
+ run_command "touch $file"
+}
+
+f_rm()
+{
+ file=`rnd_path`
+ run_command "rm -f $file"
+}
+
+f_mkdir()
+{
+ file=`rnd_path`
+ run_command "mkdir $file"
+}
+
+f_rmdir()
+{
+ file=`rnd_path`
+ run_command "rmdir $file"
+}
+
+f_mv()
+{
+ from=`rnd_path`
+ to=`rnd_path`
+ run_command "mv -f $from $to"
+}
+
+# XXX: To be implemented: chown(8), setting times with touch(1).
+
+switch_to_random_user()
+{
+ # XXX: To be implemented.
+}
+
+execute_random_command()
+{
+ rnd=`rnd_from_0_to 20`
+
+ case $rnd in
+ 0|10|11|12|13|15) cmd=f_prepend_random_acl_on ;;
+ 1) cmd=f_getfacl ;;
+ 2) cmd=f_ls_mode ;;
+ 3) cmd=f_chmod ;;
+ 4|18|19) cmd=f_touch ;;
+ 5) cmd=f_rm ;;
+ 6|16|17) cmd=f_mkdir ;;
+ 7) cmd=f_rmdir ;;
+ 8) cmd=f_mv ;;
+ esac
+
+ $cmd "XXX"
+}
+
+echo "# Fuzzing; will stop after $NUMBER_OF_COMMANDS commands."
+TMP="aclfuzzer_`dd if=/dev/random bs=1k count=1 2>/dev/null | openssl md5`"
+
+run_command "whoami"
+umask 022
+run_command "umask 022"
+run_command "mkdir $TMP"
+
+i=0;
+while [ "$i" -lt "$NUMBER_OF_COMMANDS" ]; do
+ switch_to_random_user
+ execute_random_command
+ i=`expr $i + 1`
+done
+
+run_command "find $TMP -exec setfacl -a0 everyone@:rxd:allow {} \;"
+run_command "rm -rfv $TMP"
+
+echo "# Fuzzed, thank you."
+
Index: head/tests/sys/acl/mktrivial.sh
===================================================================
--- head/tests/sys/acl/mktrivial.sh
+++ head/tests/sys/acl/mktrivial.sh
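Review bot: In aclfuzzer.sh, `execute_random_command` draws a value from 0 to 20 but its `case` has no arm for 9, 14 or 20, so `cmd` keeps the previous iteration's value, and when the first draw is one of those it is empty and `$cmd "XXX"` tries to execute `XXX`; a `*) return ;;` arm or a mapping for the missing values fixes it. `switch_to_random_user` has a body holding only a comment, which some shells reject as a syntax error; a `:` placeholder line keeps the function valid. In `f_prepend_random_acl_on` the arms for 8 and 10 both append `R`, which looks like a typo and deserves either a fix or a comment. `run_command` passes its argument through an unquoted `eval $1`, which is workable only while every string is generated inside the script, and `TMP` is built from `openssl md5` output that in some OpenSSL versions carries a `(stdin)= ` prefix, so a plain hex source such as `md5 -q` would be safer there.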
@@ -0,0 +1,53 @@
+#!/bin/sh
+#
+# Copyright (c) 2010 Edward Tomasz Napierała
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This shell script generates an input file for the "run" script, used
+# to verify generation of trivial ACLs.
+
+echo "$ touch f"
+touch f
+
+for s in `jot 7 0 7`; do
+ for u in `jot 7 0 7`; do
+ for g in `jot 7 0 7`; do
+ for o in `jot 7 0 7`; do
+ echo "$ chmod 0$s$u$g$o f"
+ chmod "0$s$u$g$o" f
+ echo "$ ls -l f | cut -d' ' -f1"
+ ls -l f | cut -d' ' -f1 | sed 's/^/> /'
+ echo "$ getfacl -q f"
+ getfacl -q f | sed 's/^/> /'
+ done
+ done
+ done
+done
+
+echo "$ rm f"
+rm f
+
Index: head/tests/sys/acl/run
===================================================================
--- head/tests/sys/acl/run
+++ head/tests/sys/acl/run
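Review bot: In mktrivial.sh the four loops use `jot 7 0 7`, which asks jot for seven values spread between 0 and 7 rather than the eight octal digits, so one digit in the middle of the range appears to be skipped and the generated file would not cover every mode. `jot 8 0 7` yields 0 through 7. The script also creates and removes a file named `f` in whatever the current directory is, which is worth stating in the header comment so it is only run from a scratch directory.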
@@ -0,0 +1,329 @@ +#!/usr/bin/perl -w -U + +# Copyright (c) 2007, 2008 Andreas Gruenbacher. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions, and the following disclaimer, +# without modification, immediately at the beginning of the file. +# 2. The name of the author may not be used to endorse or promote products +# derived from this software without specific prior written permission. +# +# Alternatively, this software may be distributed under the terms of the +# GNU Public License ("GPL"). +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR +# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. 
+# +# $FreeBSD$ +# + +# +# Possible improvements: +# +# - distinguish stdout and stderr output +# - add environment variable like assignments +# - run up to a specific line +# - resume at a specific line +# + +use strict; +use FileHandle; +use Getopt::Std; +use POSIX qw(isatty setuid getcwd); +use vars qw($opt_l $opt_v); + +no warnings qw(taint); + +$opt_l = ~0; # a really huge number +getopts('l:v'); + +my ($OK, $FAILED) = ("ok", "failed"); +if (isatty(fileno(STDOUT))) { + $OK = "\033[32m" . $OK . "\033[m"; + $FAILED = "\033[31m\033[1m" . $FAILED . "\033[m"; +} + +sub exec_test($$); +sub process_test($$$$); + +my ($prog, $in, $out) = ([], [], []); +my $prog_line = 0; +my ($tests, $failed) = (0,0); +my $lineno; +my $width = ($ENV{COLUMNS} || 80) >> 1; + +for (;;) { + my $line = <>; $lineno++; + if (defined $line) { + # Substitute %VAR and %{VAR} with environment variables. + $line =~ s[%(\w+)][$ENV{$1}]eg; + $line =~ s[%{(\w+)}][$ENV{$1}]eg; + } + if (defined $line) { + if ($line =~ s/^\s*< ?//) { + push @$in, $line; + } elsif ($line =~ s/^\s*> ?//) { + push @$out, $line; + } else { + process_test($prog, $prog_line, $in, $out); + last if $prog_line >= $opt_l; + + $prog = []; + $prog_line = 0; + } + if ($line =~ s/^\s*\$ ?//) { + $prog = [ map { s/\\(.)/$1/g; $_ } split /(? @$result) ? @$out : @$result; + for (my $n=0; $n < $nmax; $n++) { + my $use_re; + if (defined $out->[$n] && $out->[$n] =~ /^~ /) { + $use_re = 1; + $out->[$n] =~ s/^~ //g; + } + + if (!defined($out->[$n]) || !defined($result->[$n]) || + (!$use_re && $result->[$n] ne $out->[$n]) || + ( $use_re && $result->[$n] !~ /^$out->[$n]/)) { + push @good, ($use_re ? '!~' : '!='); + } + else { + push @good, ($use_re ? '=~' : '=='); + } + } + my $good = !(grep /!/, @good); + $tests++; + $failed++ unless $good; + print $good ? $OK : $FAILED, "\n"; + if (!$good || $opt_v) { + for (my $n=0; $n < $nmax; $n++) { + my $l = defined($out->[$n]) ? $out->[$n] : "~"; + chomp $l; + my $r = defined($result->[$n]) ? 
$result->[$n] : "~"; + chomp $r; + print sprintf("%-" . ($width-3) . "s %s %s\n", + $r, $good[$n], $l); + } + } +} + + +sub su($) { + my ($user) = @_; + + $user ||= "root"; + + my ($login, $pass, $uid, $gid) = getpwnam($user) + or return [ "su: user $user does not exist\n" ]; + my @groups = (); + my $fh = new FileHandle("/etc/group") + or return [ "opening /etc/group: $!\n" ]; + while (<$fh>) { + chomp; + my ($group, $passwd, $gid, $users) = split /:/; + foreach my $u (split /,/, $users) { + push @groups, $gid + if ($user eq $u); + } + } + $fh->close; + + my $groups = join(" ", ($gid, $gid, @groups)); + #print STDERR "[[$groups]]\n"; + $! = 0; # reset errno + $> = 0; + $( = $gid; + $) = $groups; + if ($!) { + return [ "su: $!\n" ]; + } + if ($uid != 0) { + $> = $uid; + #$< = $uid; + if ($!) { + return [ "su: $prog->[1]: $!\n" ]; + } + } + #print STDERR "[($>,$<)($(,$))]"; + return []; +} + + +sub sg($) { + my ($group) = @_; + + my $gid = getgrnam($group) + or return [ "sg: group $group does not exist\n" ]; + my %groups = map { $_ eq $gid ? () : ($_ => 1) } (split /\s/, $)); + + #print STDERR "<<", join("/", keys %groups), ">>\n"; + my $groups = join(" ", ($gid, $gid, keys %groups)); + #print STDERR "[[$groups]]\n"; + $! = 0; # reset errno + if ($> != 0) { + my $uid = $>; + $> = 0; + $( = $gid; + $) = $groups; + $> = $uid; + } else { + $( = $gid; + $) = $groups; + } + if ($!) 
{ + return [ "sg: $!\n" ]; + } + print STDERR "[($>,$<)($(,$))]"; + return []; +} + + +sub exec_test($$) { + my ($prog, $in) = @_; + local (*IN, *IN_DUP, *IN2, *OUT_DUP, *OUT, *OUT2); + my $needs_shell = (join('', @$prog) =~ /[][|<>"'`\$\*\?]/); + + if ($prog->[0] eq "umask") { + umask oct $prog->[1]; + return []; + } elsif ($prog->[0] eq "cd") { + if (!chdir $prog->[1]) { + return [ "chdir: $prog->[1]: $!\n" ]; + } + $ENV{PWD} = getcwd; + return []; + } elsif ($prog->[0] eq "su") { + return su($prog->[1]); + } elsif ($prog->[0] eq "sg") { + return sg($prog->[1]); + } elsif ($prog->[0] eq "export") { + my ($name, $value) = split /=/, $prog->[1]; + # FIXME: need to evaluate $value, so that things like this will work: + # export dir=$PWD/dir + $ENV{$name} = $value; + return []; + } elsif ($prog->[0] eq "unset") { + delete $ENV{$prog->[1]}; + return []; + } + + pipe *IN2, *OUT + or die "Can't create pipe for reading: $!"; + open *IN_DUP, "<&STDIN" + or *IN_DUP = undef; + open *STDIN, "<&IN2" + or die "Can't duplicate pipe for reading: $!"; + close *IN2; + + open *OUT_DUP, ">&STDOUT" + or die "Can't duplicate STDOUT: $!"; + pipe *IN, *OUT2 + or die "Can't create pipe for writing: $!"; + open *STDOUT, ">&OUT2" + or die "Can't duplicate pipe for writing: $!"; + close *OUT2; + + *STDOUT->autoflush(); + *OUT->autoflush(); + + $SIG{CHLD} = 'IGNORE'; + + if (fork()) { + # Server + if (*IN_DUP) { + open *STDIN, "<&IN_DUP" + or die "Can't duplicate STDIN: $!"; + close *IN_DUP + or die "Can't close STDIN duplicate: $!"; + } + open *STDOUT, ">&OUT_DUP" + or die "Can't duplicate STDOUT: $!"; + close *OUT_DUP + or die "Can't close STDOUT duplicate: $!"; + + foreach my $line (@$in) { + #print "> $line"; + print OUT $line; + } + close *OUT + or die "Can't close pipe for writing: $!"; + + my $result = []; + while () { + #print "< $_"; + if ($needs_shell) { + s#^/bin/sh: line \d+: ##; + } + push @$result, $_; + } + return $result; + } else { + # Client + $< = $>; + close IN + or die 
"Can't close read end for input pipe: $!"; + close OUT + or die "Can't close write end for output pipe: $!"; + close OUT_DUP + or die "Can't close STDOUT duplicate: $!"; + local *ERR_DUP; + open ERR_DUP, ">&STDERR" + or die "Can't duplicate STDERR: $!"; + open STDERR, ">&STDOUT" + or die "Can't join STDOUT and STDERR: $!"; + + if ($needs_shell) { + exec ('/bin/sh', '-c', join(" ", @$prog)); + } else { + exec @$prog; + } + print STDERR $prog->[0], ": $!\n"; + exit; + } +} + Index: head/tests/sys/acl/tools-crossfs.test =================================================================== --- head/tests/sys/acl/tools-crossfs.test +++ head/tests/sys/acl/tools-crossfs.test 
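Review bot: In `exec_test`, `if (fork()) { ... } else { ... }` treats a failed fork (undef) like the child, so when fork fails the harness process itself takes the `exec` branch and is replaced by the test command with whatever privileges it holds at that point. Check the result before branching: `my $pid = fork(); die "Can't fork: $!" unless defined $pid;` and then test `$pid`. Separately, `su` builds its second error message from `$prog->[1]` instead of its own `$user` argument, and `sg` still has an active `print STDERR "[($>,$<)($(,$))]";` debug line that `su` has commented out. Parts of this hunk are garbled in the page as shown, for example the `split` in the `$ ` branch, so the line-parsing code could not be reviewed.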
@@ -0,0 +1,323 @@
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a tools-level test intended to verify that cp(1) and mv(1)
+# do the right thing with respect to ACLs. Run it as root using
+# ACL-enabled kernel:
+#
+# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test
+#
+# You need to have three subdirectories, named nfs4, posix and none,
+# with filesystems with NFSv4 ACLs, POSIX.1e ACLs and no ACLs enabled,
+# respectively, mounted on them, in your current directory.
+#
+# WARNING: Creates files in unsafe way.
+
+$ whoami
+> root
+$ umask 022
+
+$ touch nfs4/xxx
+$ getfacl -nq nfs4/xxx
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ touch posix/xxx
+$ getfacl -nq posix/xxx
+> user::rw-
+> group::r--
+> other::r--
+
+# mv with POSIX.1e ACLs.
+$ rm -f posix/xxx
+$ rm -f posix/yyy
+$ touch posix/xxx
+$ chmod 456 posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -r--r-xrw-
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ mv posix/xxx posix/yyy
+$ getfacl -nq posix/yyy
+> user::r--
+> user:42:--x
+> group::r-x
+> group:43:-w-
+> mask::rwx
+> other::rw-
+$ ls -l posix/yyy | cut -d' ' -f1
+> -r--rwxrw-+
+
+# mv from POSIX.1e to none.
+$ rm -f posix/xxx
+$ rm -f none/xxx
+$ touch posix/xxx
+$ chmod 345 posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> --wxrwxr-x+
+$ mv posix/xxx none/xxx
+> mv: failed to set acl entries for none/xxx: Operation not supported
+$ ls -l none/xxx | cut -d' ' -f1
+> --wxrwxr-x
+
+# mv from POSIX.1e to NFSv4.
+$ rm -f posix/xxx
+$ rm -f nfs4/xxx
+$ touch posix/xxx
+$ chmod 456 posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -r--rwxrw-+
+$ mv posix/yyy nfs4/xxx
+> mv: failed to set acl entries for nfs4/xxx: Invalid argument
+$ getfacl -nq nfs4/xxx
+> owner@:-wxp----------:-------:deny
+> owner@:r-----aARWcCos:-------:allow
+> group@:rwxp--a-R-c--s:-------:allow
+> everyone@:rw-p--a-R-c--s:-------:allow
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -r--rwxrw-
+
+# mv with NFSv4 ACLs.
+$ rm -f nfs4/xxx
+$ rm -f nfs4/yyy
+$ touch nfs4/xxx
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ mv nfs4/xxx nfs4/yyy
+$ getfacl -nq nfs4/yyy
+> user:42:--x-----------:-------:allow
+> group:43:-w------------:-------:allow
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+$ ls -l nfs4/yyy | cut -d' ' -f1
+> -rw-r--r--+
+
+# mv from NFSv4 to POSIX.1e without any ACLs.
+$ rm -f nfs4/xxx
+$ rm -f posix/xxx
+$ touch nfs4/xxx
+$ chmod 456 nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -r--r-xrw-
+$ mv nfs4/xxx posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -r--r-xrw-
+
+# mv from NFSv4 to none.
+$ rm -f nfs4/xxx
+$ rm -f none/xxx
+$ touch nfs4/xxx
+$ chmod 345 nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> --wxr--r-x
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> --wxr--r-x+
+$ mv nfs4/xxx none/xxx
+> mv: failed to set acl entries for none/xxx: Operation not supported
+$ ls -l none/xxx | cut -d' ' -f1
+> --wxr--r-x
+
+# mv from NFSv4 to POSIX.1e.
+$ rm -f nfs4/xxx
+$ rm -f posix/xxx
+$ touch nfs4/xxx
+$ chmod 345 nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> --wxr--r-x
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> --wxr--r-x+
+$ mv nfs4/xxx posix/xxx
+> mv: failed to set acl entries for posix/xxx: Invalid argument
+$ ls -l posix/xxx | cut -d' ' -f1
+> --wxr--r-x
+
+# cp with POSIX.1e ACLs.
+$ rm -f posix/xxx
+$ rm -f posix/yyy
+$ touch posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -rw-rwxr--+
+$ cp posix/xxx posix/yyy
+$ ls -l posix/yyy | cut -d' ' -f1
+> -rw-r-xr--
+
+# cp -p with POSIX.1e ACLs.
+$ rm -f posix/xxx
+$ rm -f posix/yyy
+$ touch posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ getfacl -nq posix/xxx
+> user::rw-
+> user:42:--x
+> group::r--
+> group:43:-w-
+> mask::rwx
+> other::r--
+$ ls -l posix/xxx | cut -d' ' -f1
+> -rw-rwxr--+
+$ cp -p posix/xxx posix/yyy
+$ getfacl -nq posix/yyy
+> user::rw-
+> user:42:--x
+> group::r--
+> group:43:-w-
+> mask::rwx
+> other::r--
+$ ls -l posix/yyy | cut -d' ' -f1
+> -rw-rwxr--+
+
+# cp from POSIX.1e to none.
+$ rm -f posix/xxx
+$ rm -f none/xxx
+$ touch posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -rw-rwxr--+
+$ cp posix/xxx none/xxx
+$ ls -l none/xxx | cut -d' ' -f1
+> -rw-r-xr--
+
+# cp -p from POSIX.1e to none.
+$ rm -f posix/xxx
+$ rm -f none/xxx
+$ touch posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -rw-rwxr--+
+$ cp -p posix/xxx none/xxx
+> cp: failed to set acl entries for none/xxx: Operation not supported
+$ ls -l none/xxx | cut -d' ' -f1
+> -rw-rwxr--
+
+# cp from POSIX.1e to NFSv4.
+$ rm -f posix/xxx
+$ rm -f nfs4/xxx
+$ touch posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -rw-rwxr--+
+$ cp posix/xxx nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -rw-r-xr--
+
+# cp -p from POSIX.1e to NFSv4.
+$ rm -f posix/xxx
+$ rm -f nfs4/xxx
+$ touch posix/xxx
+$ setfacl -m u:42:x,g:43:w posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -rw-rwxr--+
+$ cp -p posix/xxx nfs4/xxx
+> cp: failed to set acl entries for nfs4/xxx: Invalid argument
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -rw-rwxr--
+
+# cp with NFSv4 ACLs.
+$ rm -f nfs4/xxx
+$ rm -f nfs4/yyy
+$ touch nfs4/xxx
+$ chmod 543 nfs4/xxx
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -r-xr---wx+
+$ cp nfs4/xxx nfs4/yyy
+$ ls -l nfs4/yyy | cut -d' ' -f1
+> -r-xr----x
+
+# cp -p with NFSv4 ACLs.
+$ rm -f nfs4/xxx
+$ rm -f nfs4/yyy
+$ touch nfs4/xxx
+$ chmod 543 nfs4/xxx
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ cp -p nfs4/xxx nfs4/yyy
+$ getfacl -nq nfs4/yyy
+> user:42:--x-----------:-------:allow
+> group:43:-w------------:-------:allow
+> owner@:--x-----------:-------:allow
+> owner@:-w-p----------:-------:deny
+> group@:-wxp----------:-------:deny
+> owner@:r-x---aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:-wxp--a-R-c--s:-------:allow
+$ ls -l nfs4/yyy | cut -d' ' -f1
+> -r-xr---wx+
+
+# cp from NFSv4 to none.
+$ rm -f nfs4/xxx
+$ rm -f none/xxx
+$ touch nfs4/xxx
+$ chmod 543 nfs4/xxx
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -r-xr---wx+
+$ cp nfs4/xxx none/xxx
+$ ls -l none/xxx | cut -d' ' -f1
+> -r-xr----x
+
+# cp -p from NFSv4 to none.
+$ rm -f nfs4/xxx
+$ rm -f none/xxx
+$ touch nfs4/xxx
+$ chmod 543 nfs4/xxx
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -r-xr---wx+
+$ cp -p nfs4/xxx none/xxx
+> cp: failed to set acl entries for none/xxx: Operation not supported
+$ ls -l none/xxx | cut -d' ' -f1
+> -r-xr---wx
+
+# cp from NFSv4 to POSIX.1e.
+$ rm -f nfs4/xxx
+$ rm -f posix/xxx
+$ touch nfs4/xxx
+$ chmod 543 nfs4/xxx
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -r-xr---wx+
+$ cp nfs4/xxx posix/xxx
+$ ls -l posix/xxx | cut -d' ' -f1
+> -r-xr----x
+
+# cp -p from NFSv4 to POSIX.1e.
+$ rm -f nfs4/xxx
+$ rm -f posix/xxx
+$ touch nfs4/xxx
+$ chmod 543 nfs4/xxx
+$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
+$ ls -l nfs4/xxx | cut -d' ' -f1
+> -r-xr---wx+
+$ cp -p nfs4/xxx posix/xxx
+> cp: failed to set acl entries for posix/xxx: Invalid argument
+$ ls -l posix/xxx | cut -d' ' -f1
+> -r-xr---wx
Index: head/tests/sys/acl/tools-nfs4-psarc.test
===================================================================
--- head/tests/sys/acl/tools-nfs4-psarc.test
+++ head/tests/sys/acl/tools-nfs4-psarc.test
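Review bot: The "mv from POSIX.1e to NFSv4" case in tools-crossfs.test prepares `posix/xxx` (touch, `chmod 456`, `setfacl -m u:42:x,g:43:w`) but then runs `$ mv posix/yyy nfs4/xxx`, so it moves the file left behind by the first mv case and never exercises `posix/xxx`; the line should read `$ mv posix/xxx nfs4/xxx`. The expected output still matches only because `posix/yyy` was created earlier with the same mode and ACL, which makes the case depend on the order of the sections. The header's run example also names `tools-nfs4.test` rather than this file and points at `/usr/src/tools/regression/acltools/`, while the commit adds the file under `tests/sys/acl/`.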
@@ -0,0 +1,562 @@
+# Copyright (c) 2008, 2009 Edward Tomasz Napierała
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a tools-level test for NFSv4 ACL functionality with PSARC/2010/029
+# semantics. Run it as root using ACL-enabled kernel:
+#
+# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4-psarc.test
+#
+# WARNING: Creates files in unsafe way.
+
+$ whoami
+> root
+$ umask 022
+
+# Smoke test for getfacl(1).
+$ touch xxx
+$ getfacl xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ getfacl -q xxx
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Check verbose mode formatting.
+$ getfacl -v xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:read_data/write_data/append_data/read_attributes/write_attributes/read_xattr/write_xattr/read_acl/write_acl/write_owner/synchronize::allow
+> group@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
+> everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
+
+# Test setfacl -a.
+$ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> user:0:-----------C--:-------:allow
+> group:1:----------c---:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Test user and group name resolving.
+$ rm xxx
+$ touch xxx
+$ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx
+$ getfacl xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> user:root:-----------C--:-------:allow
+> group:daemon:----------c---:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Check whether ls correctly marks files with "+".
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--+
+
+# Test removing entries by number.
+$ setfacl -x 1 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> user:0:-----------C--:-------:allow
+> group:1:----------c---:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Test setfacl -m.
+$ setfacl -a0 everyone@:rwx:deny xxx
+$ setfacl -a0 everyone@:rwx:deny xxx
+$ setfacl -a0 everyone@:rwx:deny xxx
+$ setfacl -m everyone@::deny xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> owner@:rw-p--aARWcCos:-------:allow
+> user:0:-----------C--:-------:allow
+> group:1:----------c---:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Test getfacl -i.
+$ getfacl -i xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> owner@:rw-p--aARWcCos:-------:allow
+> user:root:-----------C--:-------:allow:0
+> group:daemon:----------c---:-------:deny:1
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Make sure cp without any flags does not copy copy the ACL.
+$ cp xxx yyy
+$ ls -l yyy | cut -d' ' -f1
+> -rw-r--r--
+
+# Make sure it does with the "-p" flag.
+$ rm yyy
+$ cp -p xxx yyy
+$ getfacl -n yyy
+> # file: yyy
+> # owner: root
+> # group: wheel
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> everyone@:--------------:-------:deny
+> owner@:rw-p--aARWcCos:-------:allow
+> user:0:-----------C--:-------:allow
+> group:1:----------c---:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ rm yyy
+
+# Test removing entries by... by example?
+$ setfacl -x everyone@::deny xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> user:0:-----------C--:-------:allow
+> group:1:----------c---:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Test setfacl -b.
+$ setfacl -b xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--
+
+# Check setfacl(1) and getfacl(1) with multiple files.
+$ touch xxx yyy zzz
+
+$ ls -l xxx yyy zzz | cut -d' ' -f1
+> -rw-r--r--
+> -rw-r--r--
+> -rw-r--r--
+
+$ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz
+> setfacl: nnn: stat() failed: No such file or directory
+
+$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
+> ls: nnn: No such file or directory
+> -rw-r--r--+
+> -rw-r--r--+
+> -rw-r--r--+
+
+$ getfacl -nq nnn xxx yyy zzz
+> getfacl: nnn: stat() failed: No such file or directory
+> user:42:--x-----------:-------:allow
+> group:43:-w------------:-------:allow
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+>
+> user:42:--x-----------:-------:allow
+> group:43:-w------------:-------:allow
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+>
+> user:42:--x-----------:-------:allow
+> group:43:-w------------:-------:allow
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ setfacl -b nnn xxx yyy zzz
+> setfacl: nnn: stat() failed: No such file or directory
+
+$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
+> ls: nnn: No such file or directory
+> -rw-r--r--
+> -rw-r--r--
+> -rw-r--r--
+
+$ rm xxx yyy zzz
+
+# Test applying mode to an ACL.
+$ touch xxx
+$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx
+$ chmod 600 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:------a-R-c--s:-------:allow
+> everyone@:------a-R-c--s:-------:allow
+
+$ ls -l xxx | cut -d' ' -f1
+> -rw-------
+
+$ rm xxx
+$ touch xxx
+$ chown 42 xxx
+$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
+$ chmod 600 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: 42
+> # group: wheel
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:------a-R-c--s:-------:allow
+> everyone@:------a-R-c--s:-------:allow
+$ ls -l xxx | cut -d' ' -f1
+> -rw-------
+
+$ rm xxx
+$ touch xxx
+$ chown 43 xxx
+$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
+$ chmod 124 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: 43
+> # group: wheel
+> owner@:rw-p----------:-------:deny
+> group@:r-------------:-------:deny
+> owner@:--x---aARWcCos:-------:allow
+> group@:-w-p--a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+$ ls -l xxx | cut -d' ' -f1
+> ---x-w-r--
+
+$ rm xxx
+$ touch xxx
+$ chown 43 xxx
+$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
+$ chmod 412 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: 43
+> # group: wheel
+> owner@:-wxp----------:-------:deny
+> group@:-w-p----------:-------:deny
+> owner@:r-----aARWcCos:-------:allow
+> group@:--x---a-R-c--s:-------:allow
+> everyone@:-w-p--a-R-c--s:-------:allow
+$ ls -l xxx | cut -d' ' -f1
+> -r----x-w-
+
+$ mkdir ddd
+$ setfacl -a0 group:44:rwapd:allow ddd
+$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
+$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
+$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
+$ getfacl -n ddd
+> # file: ddd
+> # owner: root
+> # group: wheel
+> user:42:r-x-----------:f-i----:allow
+>
group:42:-w--D---------:-d-----:allow
+> group:43:-w--D---------:-d-----:deny
+> group@:-----da-------:-------:allow
+> group:44:rw-p-da-------:-------:allow
+> owner@:rwxp--aARWcCos:-------:allow
+> group@:r-x---a-R-c--s:-------:allow
+> everyone@:-w-p--a-R-c--s:f-i----:allow
+
+$ chmod 777 ddd
+$ getfacl -n ddd
+> # file: ddd
+> # owner: root
+> # group: wheel
+> owner@:rwxp--aARWcCos:-------:allow
+> group@:rwxp--a-R-c--s:-------:allow
+> everyone@:rwxp--a-R-c--s:-------:allow
+
+# Test applying ACL to mode.
+$ rmdir ddd
+$ mkdir ddd
+$ setfacl -a0 u:42:rwx:fi:allow ddd
+$ ls -ld ddd | cut -d' ' -f1
+> drwxr-xr-x+
+
+$ rmdir ddd
+$ mkdir ddd
+$ chmod 0 ddd
+$ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd
+$ ls -ld ddd | cut -d' ' -f1
+> dr----x---+
+
+$ rmdir ddd
+$ mkdir ddd
+$ chmod 0 ddd
+$ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd
+$ ls -ld ddd | cut -d' ' -f1
+> dr---wx---+
+
+$ rmdir ddd
+$ mkdir ddd
+$ chmod 0 ddd
+$ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd
+$ ls -ld ddd | cut -d' ' -f1
+> dr--------+
+
+$ rmdir ddd
+$ mkdir ddd
+$ chmod 0 ddd
+$ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd
+$ ls -ld ddd | cut -d' ' -f1
+> dr--------+
+
+# Test inheritance.
+$ rmdir ddd
+$ mkdir ddd
+$ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd
+$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd
+$ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd
+$ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd
+$ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd
+$ getfacl -qn ddd
+> user:41:-w-----A------:f--n---:allow
+> group:41:r-----a-------:-din---:allow
+> user:42:-----------Co-:f-i----:allow
+> user:42:r-x-----------:f-i----:allow
+> group:42:-w--D---------:-d-n---:deny
+> group:43:-w---------C--:f-in---:deny
+> user:43:rwxp----------:-------:allow
+> owner@:rwxp--aARWcCos:-------:allow
+> group@:r-x---a-R-c--s:-------:allow
+> everyone@:r-x---a-R-c--s:-------:allow
+
+$ cd ddd
+$ touch xxx
+$ getfacl -qn xxx
+> user:41:--------------:------I:allow
+> user:42:--------------:------I:allow
+> user:42:r-------------:------I:allow
+> group:43:-w---------C--:------I:deny
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ rm xxx
+$ umask 077
+$ touch xxx
+$ getfacl -qn xxx
+> user:41:--------------:------I:allow
+> user:42:--------------:------I:allow
+> user:42:--------------:------I:allow
+> group:43:-w---------C--:------I:deny
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:------a-R-c--s:-------:allow
+> everyone@:------a-R-c--s:-------:allow
+
+$ rm xxx
+$ umask 770
+$ touch xxx
+$ getfacl -qn xxx
+> owner@:rw-p----------:-------:deny
+> group@:rw-p----------:-------:deny
+> user:41:--------------:------I:allow
+> user:42:--------------:------I:allow
+> user:42:--------------:------I:allow
+> group:43:-w---------C--:------I:deny
+> owner@:------aARWcCos:-------:allow
+> group@:------a-R-c--s:-------:allow
+> everyone@:rw-p--a-R-c--s:-------:allow
+
+$ rm xxx
+$ umask 707
+$ touch xxx
+$ getfacl -qn xxx
+> owner@:rw-p----------:-------:deny
+> user:41:-w------------:------I:allow
+>
user:42:--------------:------I:allow
+> user:42:r-------------:------I:allow
+> group:43:-w---------C--:------I:deny
+> owner@:------aARWcCos:-------:allow
+> group@:rw-p--a-R-c--s:-------:allow
+> everyone@:------a-R-c--s:-------:allow
+
+$ umask 077
+$ mkdir yyy
+$ getfacl -qn yyy
+> group:41:------a-------:------I:allow
+> user:42:-----------Co-:f-i---I:allow
+> user:42:r-x-----------:f-i---I:allow
+> group:42:-w--D---------:------I:deny
+> owner@:rwxp--aARWcCos:-------:allow
+> group@:------a-R-c--s:-------:allow
+> everyone@:------a-R-c--s:-------:allow
+
+$ rmdir yyy
+$ umask 770
+$ mkdir yyy
+$ getfacl -qn yyy
+> owner@:rwxp----------:-------:deny
+> group@:rwxp----------:-------:deny
+> group:41:------a-------:------I:allow
+> user:42:-----------Co-:f-i---I:allow
+> user:42:r-x-----------:f-i---I:allow
+> group:42:-w--D---------:------I:deny
+> owner@:------aARWcCos:-------:allow
+> group@:------a-R-c--s:-------:allow
+> everyone@:rwxp--a-R-c--s:-------:allow
+
+$ rmdir yyy
+$ umask 707
+$ mkdir yyy
+$ getfacl -qn yyy
+> owner@:rwxp----------:-------:deny
+> group:41:r-----a-------:------I:allow
+> user:42:-----------Co-:f-i---I:allow
+> user:42:r-x-----------:f-i---I:allow
+> group:42:-w--D---------:------I:deny
+> owner@:------aARWcCos:-------:allow
+> group@:rwxp--a-R-c--s:-------:allow
+> everyone@:------a-R-c--s:-------:allow
+
+# There is some complication regarding how write_acl and write_owner flags
+# get inherited. Make sure we got it right.
+$ setfacl -b .
+$ setfacl -a0 u:42:Co:f:allow .
+$ setfacl -a0 u:43:Co:d:allow .
+$ setfacl -a0 u:44:Co:fd:allow .
+$ setfacl -a0 u:45:Co:fi:allow .
+$ setfacl -a0 u:46:Co:di:allow .
+$ setfacl -a0 u:47:Co:fdi:allow .
+$ setfacl -a0 u:48:Co:fn:allow .
+$ setfacl -a0 u:49:Co:dn:allow .
+$ setfacl -a0 u:50:Co:fdn:allow .
+$ setfacl -a0 u:51:Co:fni:allow .
+$ setfacl -a0 u:52:Co:dni:allow .
+$ setfacl -a0 u:53:Co:fdni:allow .
+$ umask 022
+$ rm xxx
+$ touch xxx
+$ getfacl -nq xxx
+> user:53:--------------:------I:allow
+> user:51:--------------:------I:allow
+> user:50:--------------:------I:allow
+> user:48:--------------:------I:allow
+> user:47:--------------:------I:allow
+> user:45:--------------:------I:allow
+> user:44:--------------:------I:allow
+> user:42:--------------:------I:allow
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ rmdir yyy
+$ mkdir yyy
+$ getfacl -nq yyy
+> user:53:--------------:------I:allow
+> user:52:--------------:------I:allow
+> user:50:--------------:------I:allow
+> user:49:--------------:------I:allow
+> user:47:--------------:fd----I:allow
+> user:46:--------------:-d----I:allow
+> user:45:-----------Co-:f-i---I:allow
+> user:44:--------------:fd----I:allow
+> user:43:--------------:-d----I:allow
+> user:42:-----------Co-:f-i---I:allow
+> owner@:rwxp--aARWcCos:-------:allow
+> group@:r-x---a-R-c--s:-------:allow
+> everyone@:r-x---a-R-c--s:-------:allow
+
+$ setfacl -b .
+$ setfacl -a0 u:42:Co:f:deny .
+$ setfacl -a0 u:43:Co:d:deny .
+$ setfacl -a0 u:44:Co:fd:deny .
+$ setfacl -a0 u:45:Co:fi:deny .
+$ setfacl -a0 u:46:Co:di:deny .
+$ setfacl -a0 u:47:Co:fdi:deny .
+$ setfacl -a0 u:48:Co:fn:deny .
+$ setfacl -a0 u:49:Co:dn:deny .
+$ setfacl -a0 u:50:Co:fdn:deny .
+$ setfacl -a0 u:51:Co:fni:deny .
+$ setfacl -a0 u:52:Co:dni:deny .
+$ setfacl -a0 u:53:Co:fdni:deny .
+$ umask 022
+$ rm xxx
+$ touch xxx
+$ getfacl -nq xxx
+> user:53:-----------Co-:------I:deny
+> user:51:-----------Co-:------I:deny
+> user:50:-----------Co-:------I:deny
+> user:48:-----------Co-:------I:deny
+> user:47:-----------Co-:------I:deny
+> user:45:-----------Co-:------I:deny
+> user:44:-----------Co-:------I:deny
+> user:42:-----------Co-:------I:deny
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ rmdir yyy
+$ mkdir yyy
+$ getfacl -nq yyy
+> user:53:-----------Co-:------I:deny
+> user:52:-----------Co-:------I:deny
+> user:50:-----------Co-:------I:deny
+> user:49:-----------Co-:------I:deny
+> user:47:-----------Co-:fd----I:deny
+> user:46:-----------Co-:-d----I:deny
+> user:45:-----------Co-:f-i---I:deny
+> user:44:-----------Co-:fd----I:deny
+> user:43:-----------Co-:-d----I:deny
+> user:42:-----------Co-:f-i---I:deny
+> owner@:rwxp--aARWcCos:-------:allow
+> group@:r-x---a-R-c--s:-------:allow
+> everyone@:r-x---a-R-c--s:-------:allow
+
+$ rmdir yyy
+$ rm xxx
+$ cd ..
+$ rmdir ddd
+
+$ rm xxx
+
Index: head/tests/sys/acl/tools-nfs4-trivial.test
===================================================================
--- head/tests/sys/acl/tools-nfs4-trivial.test
+++ head/tests/sys/acl/tools-nfs4-trivial.test
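Review bot: The only safety statement in the tools-nfs4-psarc.test header is `# WARNING: Creates files in unsafe way.`, which does not tell the operator what precondition makes the run acceptable. The transcript runs as root (`$ whoami` / `> root`), uses the fixed names `xxx`, `yyy`, `zzz` and `ddd` in the current directory, and at one point does `chmod 777 ddd`. I would spell the precondition out, e.g. `# WARNING: Creates files with predictable names as root; run only in an empty directory on a scratch filesystem that other users cannot write to.` The run example above it still points at `/usr/src/tools/regression/acltools/`, although this commit adds the file under `tests/sys/acl/`. Minor: the comment `does not copy copy the ACL` has a doubled word.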
@@ -0,0 +1,82 @@
+# Copyright (c) 2011 Edward Tomasz Napierała
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD$
+#
+
+# This is a tools-level test for acl_is_trivial_np(3). Run it as root on ZFS.
+# Note that this does not work on UFS with NFSv4 ACLs enabled - UFS recognizes
+# both kind of trivial ACLs and replaces it by the default one.
+#
+# WARNING: Creates files in unsafe way.
+
+$ whoami
+> root
+$ umask 022
+
+# Check whether ls(1) correctly recognizes PSARC/2010/029-style trivial ACLs.
+$ touch xxx
+
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--
+
+$ getfacl -q xxx
+> owner@:rw-p--aARWcCos:-------:allow
+> group@:r-----a-R-c--s:-------:allow
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Check whether ls(1) correctly recognizes draft-style trivial ACLs.
+$ rm xxx
+$ touch xxx
+$ setfacl -a0 owner@:x:deny,owner@:rwpAWCo:allow,group@:wxp:deny,group@:r:allow,everyone@:wxpAWCo:deny,everyone@:raRcs:allow xxx
+$ setfacl -x5 xxx
+$ setfacl -x5 xxx
+$ setfacl -x5 xxx
+
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--
+
+$ getfacl -q xxx
+> owner@:--x-----------:-------:deny
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:-wxp----------:-------:deny
+> group@:r-------------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+# Make sure ls(1) actually can recognize something as non-trivial.
+$ setfacl -x0 xxx
+
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--+
+
+$ getfacl -q xxx
+> owner@:rw-p---A-W-Co-:-------:allow
+> group@:-wxp----------:-------:deny
+> group@:r-------------:-------:allow
+> everyone@:-wxp---A-W-Co-:-------:deny
+> everyone@:r-----a-R-c--s:-------:allow
+
+$ rm xxx
+
Index: head/tests/sys/acl/tools-nfs4-trivial.test
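Review bot: The three consecutive `$ setfacl -x5 xxx` lines in the draft-style case of tools-nfs4-trivial.test carry no comment, and the reader has to work out the index arithmetic to see why the same index is removed three times. Presumably `-a0` places the six draft-style entries in front of the three default ones shown by the first `getfacl -q`, and each removal lets the next entry shift into position 5; if that is the intent, a line such as `# -a0 put six entries before the three default ones; each -x5 removes the entry that has shifted into slot 5.` would make it checkable. Unlike the sibling files this header gives no run example, so the comment should also say how the file is fed to the `run` script.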
@@ -0,0 +1,828 @@ +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# This is a tools-level test for NFSv4 ACL functionality. Run it as root +# using ACL-enabled kernel: +# +# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test +# +# WARNING: Creates files in unsafe way. + +$ whoami +> root +$ umask 022 + +# Smoke test for getfacl(1). 
+$ touch xxx +$ getfacl xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ getfacl -q xxx +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Check verbose mode formatting. +$ getfacl -v xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:execute::deny +> owner@:read_data/write_data/append_data/write_attributes/write_xattr/write_acl/write_owner::allow +> group@:write_data/execute/append_data::deny +> group@:read_data::allow +> everyone@:write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::deny +> everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow + +# Test setfacl -a. +$ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> user:0:-----------C--:-------:allow +> group:1:----------c---:-------:deny +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Test user and group name resolving. 
+$ rm xxx +$ touch xxx +$ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx +$ getfacl xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> user:root:-----------C--:-------:allow +> group:daemon:----------c---:-------:deny +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Check whether ls correctly marks files with "+". +$ ls -l xxx | cut -d' ' -f1 +> -rw-r--r--+ + +# Test removing entries by number. +$ setfacl -x 4 xxx +$ setfacl -x 4 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> user:0:-----------C--:-------:allow +> group:1:----------c---:-------:deny +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Test setfacl -m. +$ setfacl -a0 everyone@:rwx:deny xxx +$ setfacl -a0 everyone@:rwx:deny xxx +$ setfacl -a0 everyone@:rwx:deny xxx +$ setfacl -m everyone@::deny xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> user:0:-----------C--:-------:allow +> group:1:----------c---:-------:deny +> everyone@:--------------:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Test getfacl -i. 
+$ getfacl -i xxx +> # file: xxx +> # owner: root +> # group: wheel +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> user:root:-----------C--:-------:allow:0 +> group:daemon:----------c---:-------:deny:1 +> everyone@:--------------:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Make sure cp without any flags does not copy copy the ACL. +$ cp xxx yyy +$ ls -l yyy | cut -d' ' -f1 +> -rw-r--r-- + +# Make sure it does with the "-p" flag. +$ rm yyy +$ cp -p xxx yyy +$ getfacl -n yyy +> # file: yyy +> # owner: root +> # group: wheel +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> everyone@:--------------:-------:deny +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> user:0:-----------C--:-------:allow +> group:1:----------c---:-------:deny +> everyone@:--------------:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ rm yyy + +# Test removing entries by... by example? +$ setfacl -x everyone@::deny xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> user:0:-----------C--:-------:allow +> group:1:----------c---:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +# Test setfacl -b. +$ setfacl -b xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ ls -l xxx | cut -d' ' -f1 +> -rw-r--r-- + +# Check setfacl(1) and getfacl(1) with multiple files. 
+$ touch xxx yyy zzz + +$ ls -l xxx yyy zzz | cut -d' ' -f1 +> -rw-r--r-- +> -rw-r--r-- +> -rw-r--r-- + +$ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz +> setfacl: nnn: stat() failed: No such file or directory + +$ ls -l nnn xxx yyy zzz | cut -d' ' -f1 +> ls: nnn: No such file or directory +> -rw-r--r--+ +> -rw-r--r--+ +> -rw-r--r--+ + +$ getfacl -nq nnn xxx yyy zzz +> getfacl: nnn: stat() failed: No such file or directory +> user:42:--x-----------:-------:allow +> group:43:-w------------:-------:allow +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow +> +> user:42:--x-----------:-------:allow +> group:43:-w------------:-------:allow +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow +> +> user:42:--x-----------:-------:allow +> group:43:-w------------:-------:allow +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ setfacl -b nnn xxx yyy zzz +> setfacl: nnn: stat() failed: No such file or directory + +$ ls -l nnn xxx yyy zzz | cut -d' ' -f1 +> ls: nnn: No such file or directory +> -rw-r--r-- +> -rw-r--r-- +> -rw-r--r-- + +$ rm xxx yyy zzz + +# Test applying mode to an ACL. 
+$ touch xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx +$ chmod 600 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user:42:r-------------:-------:deny +> user:42:r-------------:-------:allow +> user:43:-w------------:-------:deny +> user:43:-w------------:-------:allow +> user:44:--x-----------:-------:deny +> user:44:--x-----------:-------:allow +> owner@:--------------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:--------------:-------:deny +> group@:--------------:-------:allow +> everyone@:-------A-W-Co-:-------:deny +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:rwxp----------:-------:deny +> group@:--------------:-------:allow +> everyone@:rwxp---A-W-Co-:-------:deny +> everyone@:------a-R-c--s:-------:allow +$ ls -l xxx | cut -d' ' -f1 +> -rw-------+ + +$ rm xxx +$ touch xxx +$ chown 42 xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx +$ chmod 600 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: 42 +> # group: wheel +> user:42:--------------:-------:deny +> user:42:r-------------:-------:allow +> user:43:-w------------:-------:deny +> user:43:-w------------:-------:allow +> user:44:--x-----------:-------:deny +> user:44:--x-----------:-------:allow +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:rwxp----------:-------:deny +> group@:--------------:-------:allow +> everyone@:rwxp---A-W-Co-:-------:deny +> everyone@:------a-R-c--s:-------:allow +$ ls -l xxx | cut -d' ' -f1 +> -rw-------+ + +$ rm xxx +$ touch xxx +$ chown 43 xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx +$ chmod 124 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: 43 +> # group: wheel +> user:42:r-------------:-------:deny +> user:42:r-------------:-------:allow +> user:43:-w------------:-------:deny +> 
user:43:-w------------:-------:allow +> user:44:--x-----------:-------:deny +> user:44:--x-----------:-------:allow +> owner@:rw-p----------:-------:deny +> owner@:--x----A-W-Co-:-------:allow +> group@:r-x-----------:-------:deny +> group@:-w-p----------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow +$ ls -l xxx | cut -d' ' -f1 +> ---x-w-r--+ + +$ rm xxx +$ touch xxx +$ chown 43 xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx +$ chmod 412 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: 43 +> # group: wheel +> user:42:r-------------:-------:deny +> user:42:r-------------:-------:allow +> user:43:-w------------:-------:deny +> user:43:-w------------:-------:allow +> user:44:--------------:-------:deny +> user:44:--x-----------:-------:allow +> owner@:-wxp----------:-------:deny +> owner@:r------A-W-Co-:-------:allow +> group@:rw-p----------:-------:deny +> group@:--x-----------:-------:allow +> everyone@:r-x----A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:-------:allow +$ ls -l xxx | cut -d' ' -f1 +> -r----x-w-+ + +$ mkdir ddd +$ setfacl -a0 group:44:rwapd:allow ddd +$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd +$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd +$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd +$ getfacl -n ddd +> # file: ddd +> # owner: root +> # group: wheel +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-d-----:allow +> group:43:-w--D---------:-d-----:deny +> group@:-----da-------:-------:allow +> group:44:rw-p-da-------:-------:allow +> owner@:--------------:-------:deny +> owner@:rwxp---A-W-Co-:-------:allow +> group@:-w-p----------:-------:deny +> group@:r-x-----------:-------:allow +> everyone@:-w-p---A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:f-i----:allow +$ chmod 777 ddd +$ getfacl -n ddd +> # file: ddd +> # owner: root +> # group: wheel +> 
user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-di----:allow +> group:42:--------------:-------:deny +> group:42:-w--D---------:-------:allow +> group:43:-w--D---------:-di----:deny +> group:43:-w--D---------:-------:deny +> group@:-----da-------:-------:allow +> group:44:--------------:-------:deny +> group:44:rw-p-da-------:-------:allow +> owner@:--------------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:--------------:-------:deny +> group@:--------------:-------:allow +> everyone@:-------A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:f-i----:allow +> owner@:--------------:-------:deny +> owner@:rwxp---A-W-Co-:-------:allow +> group@:--------------:-------:deny +> group@:rwxp----------:-------:allow +> everyone@:-------A-W-Co-:-------:deny +> everyone@:rwxp--a-R-c--s:-------:allow + +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 group:44:rwapd:allow ddd +$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd +$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd +$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd +$ chmod 124 ddd +$ getfacl -n ddd +> # file: ddd +> # owner: root +> # group: wheel +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-di----:allow +> group:42:--------------:-------:deny +> group:42:----D---------:-------:allow +> group:43:-w--D---------:-di----:deny +> group:43:-w--D---------:-------:deny +> group@:-----da-------:-------:allow +> group:44:r-------------:-------:deny +> group:44:r----da-------:-------:allow +> owner@:--------------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:--------------:-------:deny +> group@:--------------:-------:allow +> everyone@:-------A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:f-i----:allow +> owner@:rw-p----------:-------:deny +> owner@:--x----A-W-Co-:-------:allow +> group@:r-x-----------:-------:deny +> group@:-w-p----------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> 
everyone@:r-----a-R-c--s:-------:allow + +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 group:44:rwapd:allow ddd +$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd +$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd +$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd +$ chmod 412 ddd +$ getfacl -n ddd +> # file: ddd +> # owner: root +> # group: wheel +> user:42:r-------------:-------:deny +> user:42:r-x-----------:-------:allow +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-di----:allow +> group:42:-w------------:-------:deny +> group:42:-w--D---------:-------:allow +> group:43:-w--D---------:-di----:deny +> group:43:-w--D---------:-------:deny +> group@:-----da-------:-------:allow +> group:44:rw-p----------:-------:deny +> group:44:rw-p-da-------:-------:allow +> owner@:--------------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:--------------:-------:deny +> group@:--------------:-------:allow +> everyone@:-------A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:f-i----:allow +> owner@:-wxp----------:-------:deny +> owner@:r------A-W-Co-:-------:allow +> group@:rw-p----------:-------:deny +> group@:--x-----------:-------:allow +> everyone@:r-x----A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:-------:allow + +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 group:44:rwapd:allow ddd +$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd +$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd +$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd +$ chown 42 ddd +$ chmod 412 ddd +$ getfacl -n ddd +> # file: ddd +> # owner: 42 +> # group: wheel +> user:42:--x-----------:-------:deny +> user:42:r-x-----------:-------:allow +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-di----:allow +> group:42:-w------------:-------:deny +> group:42:-w--D---------:-------:allow +> 
group:43:-w--D---------:-di----:deny +> group:43:-w--D---------:-------:deny +> group@:-----da-------:-------:allow +> group:44:rw-p----------:-------:deny +> group:44:rw-p-da-------:-------:allow +> owner@:--------------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:--------------:-------:deny +> group@:--------------:-------:allow +> everyone@:-------A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:f-i----:allow +> owner@:-wxp----------:-------:deny +> owner@:r------A-W-Co-:-------:allow +> group@:rw-p----------:-------:deny +> group@:--x-----------:-------:allow +> everyone@:r-x----A-W-Co-:-------:deny +> everyone@:-w-p--a-R-c--s:-------:allow + +# Test applying ACL to mode. +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 u:42:rwx:fi:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> drwxr-xr-x+ + +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr----x---+ + +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr---wx---+ + +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr--------+ + +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr--------+ + +# Test inheritance. 
+$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd +$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd +$ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd +$ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd +$ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd +$ getfacl -qn ddd +> user:41:-w-----A------:f--n---:allow +> group:41:r-----a-------:-din---:allow +> user:42:-----------Co-:f-i----:allow +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-d-n---:deny +> group:43:-w---------C--:f-in---:deny +> user:43:rwxp----------:-------:allow +> owner@:--------------:-------:deny +> owner@:rwxp---A-W-Co-:-------:allow +> group@:-w-p----------:-------:deny +> group@:r-x-----------:-------:allow +> everyone@:-w-p---A-W-Co-:-------:deny +> everyone@:r-x---a-R-c--s:-------:allow + +$ cd ddd +$ touch xxx +$ getfacl -qn xxx +> user:41:-w------------:-------:deny +> user:41:-w-----A------:-------:allow +> user:42:--------------:-------:deny +> user:42:--------------:-------:allow +> user:42:--x-----------:-------:deny +> user:42:r-x-----------:-------:allow +> group:43:-w---------C--:-------:deny +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ rm xxx +$ umask 077 +$ touch xxx +$ getfacl -qn xxx +> user:41:-w------------:-------:deny +> user:41:-w-----A------:-------:allow +> user:42:--------------:-------:deny +> user:42:--------------:-------:allow +> user:42:r-x-----------:-------:deny +> user:42:r-x-----------:-------:allow +> group:43:-w---------C--:-------:deny +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:rwxp----------:-------:deny +> group@:--------------:-------:allow +> everyone@:rwxp---A-W-Co-:-------:deny +> 
everyone@:------a-R-c--s:-------:allow + +$ rm xxx +$ umask 770 +$ touch xxx +$ getfacl -qn xxx +> user:41:-w------------:-------:deny +> user:41:-w-----A------:-------:allow +> user:42:--------------:-------:deny +> user:42:--------------:-------:allow +> user:42:r-x-----------:-------:deny +> user:42:r-x-----------:-------:allow +> group:43:-w---------C--:-------:deny +> owner@:rwxp----------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:rwxp----------:-------:deny +> group@:--------------:-------:allow +> everyone@:--x----A-W-Co-:-------:deny +> everyone@:rw-p--a-R-c--s:-------:allow + +$ rm xxx +$ umask 707 +$ touch xxx +$ getfacl -qn xxx +> user:41:--------------:-------:deny +> user:41:-w-----A------:-------:allow +> user:42:--------------:-------:deny +> user:42:--------------:-------:allow +> user:42:--x-----------:-------:deny +> user:42:r-x-----------:-------:allow +> group:43:-w---------C--:-------:deny +> owner@:rwxp----------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:--x-----------:-------:deny +> group@:rw-p----------:-------:allow +> everyone@:rwxp---A-W-Co-:-------:deny +> everyone@:------a-R-c--s:-------:allow + +$ umask 077 +$ mkdir yyy +$ getfacl -qn yyy +> group:41:r-------------:-------:deny +> group:41:r-----a-------:-------:allow +> user:42:-----------Co-:f-i----:allow +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-------:deny +> owner@:--------------:-------:deny +> owner@:rwxp---A-W-Co-:-------:allow +> group@:rwxp----------:-------:deny +> group@:--------------:-------:allow +> everyone@:rwxp---A-W-Co-:-------:deny +> everyone@:------a-R-c--s:-------:allow + +$ rmdir yyy +$ umask 770 +$ mkdir yyy +$ getfacl -qn yyy +> group:41:r-------------:-------:deny +> group:41:r-----a-------:-------:allow +> user:42:-----------Co-:f-i----:allow +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-------:deny +> owner@:rwxp----------:-------:deny +> 
owner@:-------A-W-Co-:-------:allow +> group@:rwxp----------:-------:deny +> group@:--------------:-------:allow +> everyone@:-------A-W-Co-:-------:deny +> everyone@:rwxp--a-R-c--s:-------:allow + +$ rmdir yyy +$ umask 707 +$ mkdir yyy +$ getfacl -qn yyy +> group:41:--------------:-------:deny +> group:41:------a-------:-------:allow +> user:42:-----------Co-:f-i----:allow +> user:42:r-x-----------:f-i----:allow +> group:42:-w--D---------:-------:deny +> owner@:rwxp----------:-------:deny +> owner@:-------A-W-Co-:-------:allow +> group@:--------------:-------:deny +> group@:rwxp----------:-------:allow +> everyone@:rwxp---A-W-Co-:-------:deny +> everyone@:------a-R-c--s:-------:allow + +# There is some complication regarding how write_acl and write_owner flags +# get inherited. Make sure we got it right. +$ setfacl -b . +$ setfacl -a0 u:42:Co:f:allow . +$ setfacl -a0 u:43:Co:d:allow . +$ setfacl -a0 u:44:Co:fd:allow . +$ setfacl -a0 u:45:Co:fi:allow . +$ setfacl -a0 u:46:Co:di:allow . +$ setfacl -a0 u:47:Co:fdi:allow . +$ setfacl -a0 u:48:Co:fn:allow . +$ setfacl -a0 u:49:Co:dn:allow . +$ setfacl -a0 u:50:Co:fdn:allow . +$ setfacl -a0 u:51:Co:fni:allow . +$ setfacl -a0 u:52:Co:dni:allow . +$ setfacl -a0 u:53:Co:fdni:allow . 
+$ umask 022 +$ rm xxx +$ touch xxx +$ getfacl -nq xxx +> user:53:--------------:-------:deny +> user:53:--------------:-------:allow +> user:51:--------------:-------:deny +> user:51:--------------:-------:allow +> user:50:--------------:-------:deny +> user:50:--------------:-------:allow +> user:48:--------------:-------:deny +> user:48:--------------:-------:allow +> user:47:--------------:-------:deny +> user:47:--------------:-------:allow +> user:45:--------------:-------:deny +> user:45:--------------:-------:allow +> user:44:--------------:-------:deny +> user:44:--------------:-------:allow +> user:42:--------------:-------:deny +> user:42:--------------:-------:allow +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ rmdir yyy +$ mkdir yyy +$ getfacl -nq yyy +> user:53:--------------:-------:deny +> user:53:--------------:-------:allow +> user:52:--------------:-------:deny +> user:52:--------------:-------:allow +> user:50:--------------:-------:deny +> user:50:--------------:-------:allow +> user:49:--------------:-------:deny +> user:49:--------------:-------:allow +> user:47:-----------Co-:fdi----:allow +> user:47:--------------:-------:deny +> user:47:--------------:-------:allow +> user:46:-----------Co-:-di----:allow +> user:46:--------------:-------:deny +> user:46:--------------:-------:allow +> user:45:-----------Co-:f-i----:allow +> user:44:-----------Co-:fdi----:allow +> user:44:--------------:-------:deny +> user:44:--------------:-------:allow +> user:43:-----------Co-:-di----:allow +> user:43:--------------:-------:deny +> user:43:--------------:-------:allow +> user:42:-----------Co-:f-i----:allow +> owner@:--------------:-------:deny +> owner@:rwxp---A-W-Co-:-------:allow +> group@:-w-p----------:-------:deny +> group@:r-x-----------:-------:allow +> 
everyone@:-w-p---A-W-Co-:-------:deny +> everyone@:r-x---a-R-c--s:-------:allow + +$ setfacl -b . +$ setfacl -a0 u:42:Co:f:deny . +$ setfacl -a0 u:43:Co:d:deny . +$ setfacl -a0 u:44:Co:fd:deny . +$ setfacl -a0 u:45:Co:fi:deny . +$ setfacl -a0 u:46:Co:di:deny . +$ setfacl -a0 u:47:Co:fdi:deny . +$ setfacl -a0 u:48:Co:fn:deny . +$ setfacl -a0 u:49:Co:dn:deny . +$ setfacl -a0 u:50:Co:fdn:deny . +$ setfacl -a0 u:51:Co:fni:deny . +$ setfacl -a0 u:52:Co:dni:deny . +$ setfacl -a0 u:53:Co:fdni:deny . +$ umask 022 +$ rm xxx +$ touch xxx +$ getfacl -nq xxx +> user:53:-----------Co-:-------:deny +> user:51:-----------Co-:-------:deny +> user:50:-----------Co-:-------:deny +> user:48:-----------Co-:-------:deny +> user:47:-----------Co-:-------:deny +> user:45:-----------Co-:-------:deny +> user:44:-----------Co-:-------:deny +> user:42:-----------Co-:-------:deny +> owner@:--x-----------:-------:deny +> owner@:rw-p---A-W-Co-:-------:allow +> group@:-wxp----------:-------:deny +> group@:r-------------:-------:allow +> everyone@:-wxp---A-W-Co-:-------:deny +> everyone@:r-----a-R-c--s:-------:allow + +$ rmdir yyy +$ mkdir yyy +$ getfacl -nq yyy +> user:53:-----------Co-:-------:deny +> user:52:-----------Co-:-------:deny +> user:50:-----------Co-:-------:deny +> user:49:-----------Co-:-------:deny +> user:47:-----------Co-:fdi----:deny +> user:47:-----------Co-:-------:deny +> user:46:-----------Co-:-di----:deny +> user:46:-----------Co-:-------:deny +> user:45:-----------Co-:f-i----:deny +> user:44:-----------Co-:fdi----:deny +> user:44:-----------Co-:-------:deny +> user:43:-----------Co-:-di----:deny +> user:43:-----------Co-:-------:deny +> user:42:-----------Co-:f-i----:deny +> owner@:--------------:-------:deny +> owner@:rwxp---A-W-Co-:-------:allow +> group@:-w-p----------:-------:deny +> group@:r-x-----------:-------:allow +> everyone@:-w-p---A-W-Co-:-------:deny +> everyone@:r-x---a-R-c--s:-------:allow + +$ rmdir yyy +$ rm xxx +$ cd .. 
+$ rmdir ddd + +$ rm xxx + Index: head/tests/sys/acl/tools-posix.test =================================================================== --- head/tests/sys/acl/tools-posix.test +++ head/tests/sys/acl/tools-posix.test 
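Review bot: The usage comment in the header still tells the reader to run `/usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test`, but this file is being added under `head/tests/sys/acl/`. If the old directory goes away with this change (not visible in this chunk), the instructions point to a path that no longer exists. A location-neutral form would avoid that, e.g. `# /path/to/run /path/to/tools-nfs4.test`, and the header of tools-posix.test has the same line. While touching the comments, "# Make sure cp without any flags does not copy copy the ACL." has a duplicated word.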
@@ -0,0 +1,453 @@ +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +# This is a tools-level test for POSIX.1e ACL functionality. Run it as root +# using ACL-enabled kernel: +# +# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-posix.test +# +# WARNING: Creates files in unsafe way. + +$ whoami +> root +$ umask 022 + +# Smoke test for getfacl(1). 
+$ touch xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> group::r-- +> other::r-- + +$ getfacl -q xxx +> user::rw- +> group::r-- +> other::r-- + +$ setfacl -m u:42:r,g:43:w xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> user:42:r-- +> group::r-- +> group:43:-w- +> mask::rw- +> other::r-- + +# Check whether ls correctly marks files with "+". +$ ls -l xxx | cut -d' ' -f1 +> -rw-rw-r--+ + +# Same as above, but for symlinks. +$ ln -s xxx lll +$ getfacl -h lll +> # file: lll +> # owner: root +> # group: wheel +> user::rwx +> group::r-x +> other::r-x + +$ getfacl -qh lll +> user::rwx +> group::r-x +> other::r-x + +$ getfacl -q lll +> user::rw- +> user:42:r-- +> group::r-- +> group:43:-w- +> mask::rw- +> other::r-- + +$ setfacl -hm u:44:x,g:45:w lll +$ getfacl -h lll +> # file: lll +> # owner: root +> # group: wheel +> user::rwx +> user:44:--x +> group::r-x +> group:45:-w- +> mask::rwx +> other::r-x + +$ ls -l lll | cut -d' ' -f1 +> lrwxrwxr-x+ + +# Check whether the original file is left untouched. +$ ls -l xxx | cut -d' ' -f1 +> -rw-rw-r--+ + +$ rm lll + +# Test removing entries. +$ setfacl -x user:42: xxx +$ getfacl xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> group::r-- +> group:43:-w- +> mask::rw- +> other::r-- + +$ setfacl -m u:42:r xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> user:42:r-- +> group::r-- +> group:43:-w- +> mask::rw- +> other::r-- + +# Test removing entries by number. +$ setfacl -x 1 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> group::r-- +> group:43:-w- +> mask::rw- +> other::r-- + +$ setfacl -m g:43:r xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> group::r-- +> group:43:r-- +> mask::r-- +> other::r-- + +# Make sure cp without any flags does not copy the ACL. 
+$ cp xxx yyy
+$ ls -l yyy | cut -d' ' -f1
+> -rw-r--r--
+
+# Make sure it does with the "-p" flag.
+$ rm yyy
+$ cp -p xxx yyy
+$ getfacl -n yyy
+> # file: yyy
+> # owner: root
+> # group: wheel
+> user::rw-
+> group::r--
+> group:43:r--
+> mask::r--
+> other::r--
+
+$ rm yyy
+
+# Test removing entries by... by example?
+$ setfacl -m u:42:r,g:43:w xxx
+$ setfacl -x u:42: xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::rw-
+> group::r--
+> group:43:-w-
+> mask::rw-
+> other::r--
+
+# Test setfacl -b.
+$ setfacl -b xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::rw-
+> group::r--
+> mask::r--
+> other::r--
+
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--+
+
+$ setfacl -nb xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::rw-
+> group::r--
+> other::r--
+
+$ ls -l xxx | cut -d' ' -f1
+> -rw-r--r--
+
+# Check setfacl(1) and getfacl(1) with multiple files.
+$ touch xxx yyy zzz
+
+$ ls -l xxx yyy zzz | cut -d' ' -f1
+> -rw-r--r--
+> -rw-r--r--
+> -rw-r--r--
+
+$ setfacl -m u:42:x,g:43:w nnn xxx yyy zzz
+> setfacl: nnn: stat() failed: No such file or directory
+
+$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
+> ls: nnn: No such file or directory
+> -rw-rwxr--+
+> -rw-rwxr--+
+> -rw-rwxr--+
+
+$ getfacl -nq nnn xxx yyy zzz
+> getfacl: nnn: stat() failed: No such file or directory
+> user::rw-
+> user:42:--x
+> group::r--
+> group:43:-w-
+> mask::rwx
+> other::r--
+>
+> user::rw-
+> user:42:--x
+> group::r--
+> group:43:-w-
+> mask::rwx
+> other::r--
+>
+> user::rw-
+> user:42:--x
+> group::r--
+> group:43:-w-
+> mask::rwx
+> other::r--
+
+$ setfacl -b nnn xxx yyy zzz
+> setfacl: nnn: stat() failed: No such file or directory
+
+$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
+> ls: nnn: No such file or directory
+> -rw-r--r--+
+> -rw-r--r--+
+> -rw-r--r--+
+
+$ setfacl -bn nnn xxx yyy zzz
+> setfacl: nnn: stat() failed: No such file or directory
+
+$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
+> ls: nnn: No such file or directory
+> -rw-r--r--
+> -rw-r--r--
+> -rw-r--r--
+
+$ rm xxx yyy zzz
+
+# Check whether chmod actually does what it should do.
+$ touch xxx
+$ setfacl -m u:42:rwx,g:43:rwx xxx
+$ chmod 600 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::rw-
+> user:42:rwx # effective: ---
+> group::r-- # effective: ---
+> group:43:rwx # effective: ---
+> mask::---
+> other::---
+
+$ chmod 060 xxx
+$ getfacl -n xxx
+> # file: xxx
+> # owner: root
+> # group: wheel
+> user::---
+> user:42:rwx # effective: rw-
+> group::r--
+> group:43:rwx # effective: rw-
+> mask::rw-
+> other::---
+
+# Test default ACLs.
+$ umask 022
+$ mkdir ddd
+$ getfacl -qn ddd
+> user::rwx
+> group::r-x
+> other::r-x
+
+$ ls -l | grep ddd | cut -d' ' -f1
+> drwxr-xr-x
+
+$ getfacl -dq ddd
+$ setfacl -dm u::rwx,g::rx,o::rx,mask::rwx ddd
+$ getfacl -dqn ddd
+> user::rwx
+> group::r-x
+> mask::rwx
+> other::r-x
+
+# No change - ls(1) output doesn't take into account default ACLs.
+$ ls -l | grep ddd | cut -d' ' -f1
+> drwxr-xr-x
+
+$ setfacl -dm g:42:rwx,u:42:r ddd
+$ setfacl -dm g::w ddd
+$ getfacl -dqn ddd
+> user::rwx
+> user:42:r--
+> group::-w-
+> group:42:rwx
+> mask::rwx
+> other::r-x
+
+$ setfacl -dx group:42: ddd
+$ getfacl -dqn ddd
+> user::rwx
+> user:42:r--
+> group::-w-
+> mask::rw-
+> other::r-x
+
+$ ls -l | grep ddd | cut -d' ' -f1
+> drwxr-xr-x
+
+$ rmdir ddd
+$ rm xxx
+
+# Test inheritance.
+$ mkdir ddd
+
+$ touch ddd/xxx
+$ getfacl -q ddd/xxx
+> user::rw-
+> group::r--
+> other::r--
+
+$ mkdir ddd/ddd
+$ getfacl -q ddd/ddd
+> user::rwx
+> group::r-x
+> other::r-x
+
+$ rmdir ddd/ddd
+$ rm ddd/xxx
+
+$ setfacl -dm u::rwx,g::rx,o::rx,mask::rwx ddd
+$ setfacl -dm g:42:rwx,u:43:r ddd
+$ getfacl -dq ddd
+> user::rwx
+> user:43:r--
+> group::r-x
+> group:42:rwx
+> mask::rwx
+> other::r-x
+
+$ touch ddd/xxx
+$ getfacl -q ddd/xxx
+> user::rw-
+> user:43:r--
+> group::r-x # effective: r--
+> group:42:rwx # effective: r--
+> mask::r--
+> other::r--
+
+$ mkdir ddd/ddd
+$ getfacl -q ddd/ddd
+> user::rwx
+> user:43:r--
+> group::r-x
+> group:42:rwx # effective: r-x
+> mask::r-x
+> other::r-x
+
+$ rmdir ddd/ddd
+$ rm ddd/xxx
+$ rmdir ddd
+
+# Test if we deal properly with fifos.
+$ mkfifo fff
+$ ls -l fff | cut -d' ' -f1
+> prw-r--r--
+
+$ setfacl -m u:42:r,g:43:w fff
+$ getfacl fff
+> # file: fff
+> # owner: root
+> # group: wheel
+> user::rw-
+> user:42:r--
+> group::r--
+> group:43:-w-
+> mask::rw-
+> other::r--
+
+$ ls -l fff | cut -d' ' -f1
+> prw-rw-r--+
+
+$ setfacl -bn fff
+$ getfacl fff
+> # file: fff
+> # owner: root
+> # group: wheel
+> user::rw-
+> group::r--
+> other::r--
+
+$ ls -l fff | cut -d' ' -f1
+> prw-r--r--
+
+$ rm fff
+
+# Test if we deal properly with device files.
+$ mknod bbb b 1 1
+$ setfacl -m u:42:r,g:43:w bbb
+> setfacl: bbb: acl_get_file() failed: Operation not supported
+$ ls -l bbb | cut -d' ' -f1
+> brw-r--r--
+
+$ rm bbb
+
+$ mknod ccc c 1 1
+$ setfacl -m u:42:r,g:43:w ccc
+> setfacl: ccc: acl_get_file() failed: Operation not supported
+$ ls -l ccc | cut -d' ' -f1
+> crw-r--r--
+
+$ rm ccc
Index: head/tools/regression/acltools/00.t
===================================================================
--- head/tools/regression/acltools/00.t
+++ head/tools/regression/acltools/00.t
@@ -1,85 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2008, 2009 Edward Tomasz Napierała -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# This is a wrapper script to run tools-posix.test on UFS filesystem. -# -# If any of the tests fails, here is how to debug it: go to -# the directory with problematic filesystem mounted on it, -# and do /path/to/test run /path/to/test tools-posix.test, e.g. -# -# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-posix.test -# -# Output should be obvious. - -echo "1..4" - -if [ `whoami` != "root" ]; then - echo "not ok 1 - you need to be root to run this test." - exit 1 -fi - -TESTDIR=$(dirname $(realpath $0)) - -# Set up the test filesystem. 
-MD=`mdconfig -at swap -s 10m` -MNT=`mktemp -dt acltools` -newfs /dev/$MD > /dev/null -mount -o acls /dev/$MD $MNT -if [ $? -ne 0 ]; then - echo "not ok 1 - mount failed." - exit 1 -fi - -echo "ok 1" - -cd $MNT - -# First, check whether we can crash the kernel by creating too many -# entries. For some reason this won't work in the test file. -touch xxx -i=0; -while :; do i=$(($i+1)); setfacl -m u:$i:rwx xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done -chmod 600 xxx -rm xxx -echo "ok 2" - -perl $TESTDIR/run $TESTDIR/tools-posix.test > /dev/null - -if [ $? -eq 0 ]; then - echo "ok 3" -else - echo "not ok 3" -fi - -cd / -umount -f $MNT -rmdir $MNT -mdconfig -du $MD - -echo "ok 4" Index: head/tools/regression/acltools/01.t =================================================================== --- head/tools/regression/acltools/01.t +++ head/tools/regression/acltools/01.t 
@@ -1,86 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2008, 2009 Edward Tomasz Napierała -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# This is a wrapper script to run tools-nfs4.test on ZFS filesystem. -# -# WARNING: It uses hardcoded ZFS pool name "acltools" -# -# If any of the tests fails, here is how to debug it: go to -# the directory with problematic filesystem mounted on it, -# and do /path/to/test run /path/to/test tools-nfs4.test, e.g. -# -# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test -# -# Output should be obvious. - -echo "1..4" - -if [ `whoami` != "root" ]; then - echo "not ok 1 - you need to be root to run this test." 
- exit 1 -fi - -TESTDIR=$(dirname $(realpath $0)) - -# Set up the test filesystem. -MD=`mdconfig -at swap -s 64m` -MNT=`mktemp -dt acltools` -zpool create -m $MNT acltools /dev/$MD -if [ $? -ne 0 ]; then - echo "not ok 1 - 'zpool create' failed." - exit 1 -fi - -echo "ok 1" - -cd $MNT - -# First, check whether we can crash the kernel by creating too many -# entries. For some reason this won't work in the test file. -touch xxx -setfacl -x2 xxx -while :; do setfacl -a0 u:42:rwx:allow xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done -chmod 600 xxx -rm xxx -echo "ok 2" - -perl $TESTDIR/run $TESTDIR/tools-nfs4-psarc.test > /dev/null - -if [ $? -eq 0 ]; then - echo "ok 3" -else - echo "not ok 3" -fi - -cd / -zpool destroy -f acltools -rmdir $MNT -mdconfig -du $MD - -echo "ok 4" Index: head/tools/regression/acltools/02.t =================================================================== --- head/tools/regression/acltools/02.t +++ head/tools/regression/acltools/02.t 
@@ -1,90 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2008, 2009 Edward Tomasz Napierała -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# This is a wrapper script to run tools-nfs4.test on UFS filesystem. -# -# If any of the tests fails, here is how to debug it: go to -# the directory with problematic filesystem mounted on it, -# and do /path/to/test run /path/to/test tools-nfs4.test, e.g. -# -# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test -# -# Output should be obvious. - -echo "1..4" - -if [ `whoami` != "root" ]; then - echo "not ok 1 - you need to be root to run this test." - exit 1 -fi - -TESTDIR=$(dirname $(realpath $0)) - -# Set up the test filesystem. 
-MD=`mdconfig -at swap -s 10m` -MNT=`mktemp -dt acltools` -newfs /dev/$MD > /dev/null -mount -o nfsv4acls /dev/$MD $MNT -if [ $? -ne 0 ]; then - echo "not ok 1 - mount failed." - exit 1 -fi - -echo "ok 1" - -cd $MNT - -# First, check whether we can crash the kernel by creating too many -# entries. For some reason this won't work in the test file. -touch xxx -setfacl -x2 xxx -while :; do setfacl -a0 u:42:rwx:allow xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done -chmod 600 xxx -rm xxx -echo "ok 2" - -if [ `sysctl -n vfs.acl_nfs4_old_semantics` = 0 ]; then - perl $TESTDIR/run $TESTDIR/tools-nfs4-psarc.test > /dev/null -else - perl $TESTDIR/run $TESTDIR/tools-nfs4.test > /dev/null -fi - -if [ $? -eq 0 ]; then - echo "ok 3" -else - echo "not ok 3" -fi - -cd / -umount -f $MNT -rmdir $MNT -mdconfig -du $MD - -echo "ok 4" - Index: head/tools/regression/acltools/03.t =================================================================== --- head/tools/regression/acltools/03.t +++ head/tools/regression/acltools/03.t 
@@ -1,110 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2008, 2009 Edward Tomasz Napierała -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# This is a wrapper script to run tools-crossfs.test between UFS without -# ACLs, UFS with POSIX.1e ACLs, and ZFS with NFSv4 ACLs. -# -# WARNING: It uses hardcoded ZFS pool name "acltools" -# -# Output should be obvious. - -echo "1..5" - -if [ `whoami` != "root" ]; then - echo "not ok 1 - you need to be root to run this test." - exit 1 -fi - -TESTDIR=$(dirname $(realpath $0)) -MNTROOT=`mktemp -dt acltools` - -# Set up the test filesystems. -MD1=`mdconfig -at swap -s 64m` -MNT1=$MNTROOT/nfs4 -mkdir $MNT1 -zpool create -m $MNT1 acltools /dev/$MD1 -if [ $? 
-ne 0 ]; then - echo "not ok 1 - 'zpool create' failed." - exit 1 -fi - -echo "ok 1" - -MD2=`mdconfig -at swap -s 10m` -MNT2=$MNTROOT/posix -mkdir $MNT2 -newfs /dev/$MD2 > /dev/null -mount -o acls /dev/$MD2 $MNT2 -if [ $? -ne 0 ]; then - echo "not ok 2 - mount failed." - exit 1 -fi - -echo "ok 2" - -MD3=`mdconfig -at swap -s 10m` -MNT3=$MNTROOT/none -mkdir $MNT3 -newfs /dev/$MD3 > /dev/null -mount /dev/$MD3 $MNT3 -if [ $? -ne 0 ]; then - echo "not ok 3 - mount failed." - exit 1 -fi - -echo "ok 3" - -cd $MNTROOT - -perl $TESTDIR/run $TESTDIR/tools-crossfs.test > /dev/null - -if [ $? -eq 0 ]; then - echo "ok 4" -else - echo "not ok 4" -fi - -cd / - -umount -f $MNT3 -rmdir $MNT3 -mdconfig -du $MD3 - -umount -f $MNT2 -rmdir $MNT2 -mdconfig -du $MD2 - -zpool destroy -f acltools -rmdir $MNT1 -mdconfig -du $MD1 - -rmdir $MNTROOT - -echo "ok 5" - Index: head/tools/regression/acltools/04.t =================================================================== --- head/tools/regression/acltools/04.t +++ head/tools/regression/acltools/04.t 
@@ -1,69 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2011 Edward Tomasz Napierała -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# This is a wrapper script to run tools-nfs4-trivial.test on ZFS filesystem. -# -# WARNING: It uses hardcoded ZFS pool name "acltools" - -echo "1..3" - -if [ `whoami` != "root" ]; then - echo "not ok 1 - you need to be root to run this test." - exit 1 -fi - -TESTDIR=$(dirname $(realpath $0)) - -# Set up the test filesystem. -MD=`mdconfig -at swap -s 64m` -MNT=`mktemp -dt acltools` -zpool create -m $MNT acltools /dev/$MD -if [ $? -ne 0 ]; then - echo "not ok 1 - 'zpool create' failed." 
- exit 1 -fi - -echo "ok 1" - -cd $MNT - -perl $TESTDIR/run $TESTDIR/tools-nfs4-trivial.test > /dev/null - -if [ $? -eq 0 ]; then - echo "ok 2" -else - echo "not ok 2" -fi - -cd / -zpool destroy -f acltools -rmdir $MNT -mdconfig -du $MD - -echo "ok 3" Index: head/tools/regression/acltools/aclfuzzer.sh =================================================================== --- head/tools/regression/acltools/aclfuzzer.sh +++ head/tools/regression/acltools/aclfuzzer.sh 
@@ -1,225 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2008, 2009 Edward Tomasz Napierała -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# This is an NFSv4 ACL fuzzer. It expects to be run by non-root in a scratch -# directory on a filesystem with NFSv4 ACLs support. Output it generates -# is expected to be fed to /usr/src/tools/regression/acltools/run script. 
- -NUMBER_OF_COMMANDS=300 - -run_command() -{ - echo "\$ $1" - eval $1 2>&1 | sed 's/^/> /' -} - -rnd_from_0_to() -{ - max=`expr $1 + 1` - rnd=`jot -r 1` - rnd=`expr $rnd % $max` - - echo $rnd -} - -rnd_path() -{ - rnd=`rnd_from_0_to 3` - case $rnd in - 0) echo "$TMP/aaa" ;; - 1) echo "$TMP/bbb" ;; - 2) echo "$TMP/aaa/ccc" ;; - 3) echo "$TMP/bbb/ddd" ;; - esac -} - -f_prepend_random_acl_on() -{ - rnd=`rnd_from_0_to 4` - case $rnd in - 0) u="owner@" ;; - 1) u="group@" ;; - 2) u="everyone@" ;; - 3) u="u:1138" ;; - 4) u="g:1138" ;; - esac - - p="" - while :; do - rnd=`rnd_from_0_to 30` - if [ -n "$p" -a $rnd -ge 14 ]; then - break; - fi - - case $rnd in - 0) p="${p}r" ;; - 1) p="${p}w" ;; - 2) p="${p}x" ;; - 3) p="${p}p" ;; - 4) p="${p}d" ;; - 5) p="${p}D" ;; - 6) p="${p}a" ;; - 7) p="${p}A" ;; - 8) p="${p}R" ;; - 9) p="${p}W" ;; - 10) p="${p}R" ;; - 11) p="${p}c" ;; - 12) p="${p}C" ;; - 13) p="${p}o" ;; - 14) p="${p}s" ;; - esac - done - - f="" - while :; do - rnd=`rnd_from_0_to 10` - if [ $rnd -ge 6 ]; then - break; - fi - - case $rnd in - 0) f="${f}f" ;; - 1) f="${f}d" ;; - 2) f="${f}n" ;; - 3) f="${f}i" ;; - esac - done - - rnd=`rnd_from_0_to 1` - case $rnd in - 0) x="allow" ;; - 1) x="deny" ;; - esac - - acl="$u:$p:$f:$x" - - file=`rnd_path` - run_command "setfacl -a0 $acl $file" -} - -f_getfacl() -{ - file=`rnd_path` - run_command "getfacl -qn $file" -} - -f_ls_mode() -{ - file=`rnd_path` - run_command "ls -al $file | sed -n '2p' | cut -d' ' -f1" -} - -f_chmod() -{ - b1=`rnd_from_0_to 7` - b2=`rnd_from_0_to 7` - b3=`rnd_from_0_to 7` - b4=`rnd_from_0_to 7` - file=`rnd_path` - - run_command "chmod $b1$b2$b3$b4 $file $2" -} - -f_touch() -{ - file=`rnd_path` - run_command "touch $file" -} - -f_rm() -{ - file=`rnd_path` - run_command "rm -f $file" -} - -f_mkdir() -{ - file=`rnd_path` - run_command "mkdir $file" -} - -f_rmdir() -{ - file=`rnd_path` - run_command "rmdir $file" -} - -f_mv() -{ - from=`rnd_path` - to=`rnd_path` - run_command "mv -f $from $to" -} - -# 
XXX: To be implemented: chown(8), setting times with touch(1). - -switch_to_random_user() -{ - # XXX: To be implemented. -} - -execute_random_command() -{ - rnd=`rnd_from_0_to 20` - - case $rnd in - 0|10|11|12|13|15) cmd=f_prepend_random_acl_on ;; - 1) cmd=f_getfacl ;; - 2) cmd=f_ls_mode ;; - 3) cmd=f_chmod ;; - 4|18|19) cmd=f_touch ;; - 5) cmd=f_rm ;; - 6|16|17) cmd=f_mkdir ;; - 7) cmd=f_rmdir ;; - 8) cmd=f_mv ;; - esac - - $cmd "XXX" -} - -echo "# Fuzzing; will stop after $NUMBER_OF_COMMANDS commands." -TMP="aclfuzzer_`dd if=/dev/random bs=1k count=1 2>/dev/null | openssl md5`" - -run_command "whoami" -umask 022 -run_command "umask 022" -run_command "mkdir $TMP" - -i=0; -while [ "$i" -lt "$NUMBER_OF_COMMANDS" ]; do - switch_to_random_user - execute_random_command - i=`expr $i + 1` -done - -run_command "find $TMP -exec setfacl -a0 everyone@:rxd:allow {} \;" -run_command "rm -rfv $TMP" - -echo "# Fuzzed, thank you." - Index: head/tools/regression/acltools/mktrivial.sh =================================================================== --- head/tools/regression/acltools/mktrivial.sh +++ head/tools/regression/acltools/mktrivial.sh 
@@ -1,53 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2010 Edward Tomasz Napierała -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD$ -# - -# This shell script generates an input file for the "run" script, used -# to verify generation of trivial ACLs. 
- -echo "$ touch f" -touch f - -for s in `jot 7 0 7`; do - for u in `jot 7 0 7`; do - for g in `jot 7 0 7`; do - for o in `jot 7 0 7`; do - echo "$ chmod 0$s$u$g$o f" - chmod "0$s$u$g$o" f - echo "$ ls -l f | cut -d' ' -f1" - ls -l f | cut -d' ' -f1 | sed 's/^/> /' - echo "$ getfacl -q f" - getfacl -q f | sed 's/^/> /' - done - done - done -done - -echo "$ rm f" -rm f - Index: head/tools/regression/acltools/run =================================================================== --- head/tools/regression/acltools/run +++ head/tools/regression/acltools/run 
@@ -1,329 +0,0 @@ -#!/usr/bin/perl -w -U - -# Copyright (c) 2007, 2008 Andreas Gruenbacher. -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions, and the following disclaimer, -# without modification, immediately at the beginning of the file. -# 2. The name of the author may not be used to endorse or promote products -# derived from this software without specific prior written permission. -# -# Alternatively, this software may be distributed under the terms of the -# GNU Public License ("GPL"). -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR -# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. 
-# -# $FreeBSD$ -# - -# -# Possible improvements: -# -# - distinguish stdout and stderr output -# - add environment variable like assignments -# - run up to a specific line -# - resume at a specific line -# - -use strict; -use FileHandle; -use Getopt::Std; -use POSIX qw(isatty setuid getcwd); -use vars qw($opt_l $opt_v); - -no warnings qw(taint); - -$opt_l = ~0; # a really huge number -getopts('l:v'); - -my ($OK, $FAILED) = ("ok", "failed"); -if (isatty(fileno(STDOUT))) { - $OK = "\033[32m" . $OK . "\033[m"; - $FAILED = "\033[31m\033[1m" . $FAILED . "\033[m"; -} - -sub exec_test($$); -sub process_test($$$$); - -my ($prog, $in, $out) = ([], [], []); -my $prog_line = 0; -my ($tests, $failed) = (0,0); -my $lineno; -my $width = ($ENV{COLUMNS} || 80) >> 1; - -for (;;) { - my $line = <>; $lineno++; - if (defined $line) { - # Substitute %VAR and %{VAR} with environment variables. - $line =~ s[%(\w+)][$ENV{$1}]eg; - $line =~ s[%{(\w+)}][$ENV{$1}]eg; - } - if (defined $line) { - if ($line =~ s/^\s*< ?//) { - push @$in, $line; - } elsif ($line =~ s/^\s*> ?//) { - push @$out, $line; - } else { - process_test($prog, $prog_line, $in, $out); - last if $prog_line >= $opt_l; - - $prog = []; - $prog_line = 0; - } - if ($line =~ s/^\s*\$ ?//) { - $prog = [ map { s/\\(.)/$1/g; $_ } split /(? @$result) ? @$out : @$result; - for (my $n=0; $n < $nmax; $n++) { - my $use_re; - if (defined $out->[$n] && $out->[$n] =~ /^~ /) { - $use_re = 1; - $out->[$n] =~ s/^~ //g; - } - - if (!defined($out->[$n]) || !defined($result->[$n]) || - (!$use_re && $result->[$n] ne $out->[$n]) || - ( $use_re && $result->[$n] !~ /^$out->[$n]/)) { - push @good, ($use_re ? '!~' : '!='); - } - else { - push @good, ($use_re ? '=~' : '=='); - } - } - my $good = !(grep /!/, @good); - $tests++; - $failed++ unless $good; - print $good ? $OK : $FAILED, "\n"; - if (!$good || $opt_v) { - for (my $n=0; $n < $nmax; $n++) { - my $l = defined($out->[$n]) ? $out->[$n] : "~"; - chomp $l; - my $r = defined($result->[$n]) ? 
$result->[$n] : "~"; - chomp $r; - print sprintf("%-" . ($width-3) . "s %s %s\n", - $r, $good[$n], $l); - } - } -} - - -sub su($) { - my ($user) = @_; - - $user ||= "root"; - - my ($login, $pass, $uid, $gid) = getpwnam($user) - or return [ "su: user $user does not exist\n" ]; - my @groups = (); - my $fh = new FileHandle("/etc/group") - or return [ "opening /etc/group: $!\n" ]; - while (<$fh>) { - chomp; - my ($group, $passwd, $gid, $users) = split /:/; - foreach my $u (split /,/, $users) { - push @groups, $gid - if ($user eq $u); - } - } - $fh->close; - - my $groups = join(" ", ($gid, $gid, @groups)); - #print STDERR "[[$groups]]\n"; - $! = 0; # reset errno - $> = 0; - $( = $gid; - $) = $groups; - if ($!) { - return [ "su: $!\n" ]; - } - if ($uid != 0) { - $> = $uid; - #$< = $uid; - if ($!) { - return [ "su: $prog->[1]: $!\n" ]; - } - } - #print STDERR "[($>,$<)($(,$))]"; - return []; -} - - -sub sg($) { - my ($group) = @_; - - my $gid = getgrnam($group) - or return [ "sg: group $group does not exist\n" ]; - my %groups = map { $_ eq $gid ? () : ($_ => 1) } (split /\s/, $)); - - #print STDERR "<<", join("/", keys %groups), ">>\n"; - my $groups = join(" ", ($gid, $gid, keys %groups)); - #print STDERR "[[$groups]]\n"; - $! = 0; # reset errno - if ($> != 0) { - my $uid = $>; - $> = 0; - $( = $gid; - $) = $groups; - $> = $uid; - } else { - $( = $gid; - $) = $groups; - } - if ($!) 
{ - return [ "sg: $!\n" ]; - } - print STDERR "[($>,$<)($(,$))]"; - return []; -} - - -sub exec_test($$) { - my ($prog, $in) = @_; - local (*IN, *IN_DUP, *IN2, *OUT_DUP, *OUT, *OUT2); - my $needs_shell = (join('', @$prog) =~ /[][|<>"'`\$\*\?]/); - - if ($prog->[0] eq "umask") { - umask oct $prog->[1]; - return []; - } elsif ($prog->[0] eq "cd") { - if (!chdir $prog->[1]) { - return [ "chdir: $prog->[1]: $!\n" ]; - } - $ENV{PWD} = getcwd; - return []; - } elsif ($prog->[0] eq "su") { - return su($prog->[1]); - } elsif ($prog->[0] eq "sg") { - return sg($prog->[1]); - } elsif ($prog->[0] eq "export") { - my ($name, $value) = split /=/, $prog->[1]; - # FIXME: need to evaluate $value, so that things like this will work: - # export dir=$PWD/dir - $ENV{$name} = $value; - return []; - } elsif ($prog->[0] eq "unset") { - delete $ENV{$prog->[1]}; - return []; - } - - pipe *IN2, *OUT - or die "Can't create pipe for reading: $!"; - open *IN_DUP, "<&STDIN" - or *IN_DUP = undef; - open *STDIN, "<&IN2" - or die "Can't duplicate pipe for reading: $!"; - close *IN2; - - open *OUT_DUP, ">&STDOUT" - or die "Can't duplicate STDOUT: $!"; - pipe *IN, *OUT2 - or die "Can't create pipe for writing: $!"; - open *STDOUT, ">&OUT2" - or die "Can't duplicate pipe for writing: $!"; - close *OUT2; - - *STDOUT->autoflush(); - *OUT->autoflush(); - - $SIG{CHLD} = 'IGNORE'; - - if (fork()) { - # Server - if (*IN_DUP) { - open *STDIN, "<&IN_DUP" - or die "Can't duplicate STDIN: $!"; - close *IN_DUP - or die "Can't close STDIN duplicate: $!"; - } - open *STDOUT, ">&OUT_DUP" - or die "Can't duplicate STDOUT: $!"; - close *OUT_DUP - or die "Can't close STDOUT duplicate: $!"; - - foreach my $line (@$in) { - #print "> $line"; - print OUT $line; - } - close *OUT - or die "Can't close pipe for writing: $!"; - - my $result = []; - while () { - #print "< $_"; - if ($needs_shell) { - s#^/bin/sh: line \d+: ##; - } - push @$result, $_; - } - return $result; - } else { - # Client - $< = $>; - close IN - or die 
"Can't close read end for input pipe: $!"; - close OUT - or die "Can't close write end for output pipe: $!"; - close OUT_DUP - or die "Can't close STDOUT duplicate: $!"; - local *ERR_DUP; - open ERR_DUP, ">&STDERR" - or die "Can't duplicate STDERR: $!"; - open STDERR, ">&STDOUT" - or die "Can't join STDOUT and STDERR: $!"; - - if ($needs_shell) { - exec ('/bin/sh', '-c', join(" ", @$prog)); - } else { - exec @$prog; - } - print STDERR $prog->[0], ": $!\n"; - exit; - } -} - Index: head/tools/regression/acltools/tools-crossfs.test =================================================================== --- head/tools/regression/acltools/tools-crossfs.test +++ head/tools/regression/acltools/tools-crossfs.test 
@@ -1,323 +0,0 @@
-# Copyright (c) 2008, 2009 Edward Tomasz Napierała
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-# This is a tools-level test intended to verify that cp(1) and mv(1)
-# do the right thing with respect to ACLs. Run it as root using
-# ACL-enabled kernel:
-#
-# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test
-#
-# You need to have three subdirectories, named nfs4, posix and none,
-# with filesystems with NFSv4 ACLs, POSIX.1e ACLs and no ACLs enabled,
-# respectively, mounted on them, in your current directory.
-#
-# WARNING: Creates files in unsafe way.
-
-$ whoami
-> root
-$ umask 022
-
-$ touch nfs4/xxx
-$ getfacl -nq nfs4/xxx
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:r-----a-R-c--s:-------:allow
-> everyone@:r-----a-R-c--s:-------:allow
-
-$ touch posix/xxx
-$ getfacl -nq posix/xxx
-> user::rw-
-> group::r--
-> other::r--
-
-# mv with POSIX.1e ACLs.
-$ rm -f posix/xxx
-$ rm -f posix/yyy
-$ touch posix/xxx
-$ chmod 456 posix/xxx
-$ ls -l posix/xxx | cut -d' ' -f1
-> -r--r-xrw-
-$ setfacl -m u:42:x,g:43:w posix/xxx
-$ mv posix/xxx posix/yyy
-$ getfacl -nq posix/yyy
-> user::r--
-> user:42:--x
-> group::r-x
-> group:43:-w-
-> mask::rwx
-> other::rw-
-$ ls -l posix/yyy | cut -d' ' -f1
-> -r--rwxrw-+
-
-# mv from POSIX.1e to none.
-$ rm -f posix/xxx
-$ rm -f none/xxx
-$ touch posix/xxx
-$ chmod 345 posix/xxx
-$ setfacl -m u:42:x,g:43:w posix/xxx
-$ ls -l posix/xxx | cut -d' ' -f1
-> --wxrwxr-x+
-$ mv posix/xxx none/xxx
-> mv: failed to set acl entries for none/xxx: Operation not supported
-$ ls -l none/xxx | cut -d' ' -f1
-> --wxrwxr-x
-
-# mv from POSIX.1e to NFSv4.
-$ rm -f posix/xxx
-$ rm -f nfs4/xxx
-$ touch posix/xxx
-$ chmod 456 posix/xxx
-$ setfacl -m u:42:x,g:43:w posix/xxx
-$ ls -l posix/xxx | cut -d' ' -f1
-> -r--rwxrw-+
-$ mv posix/yyy nfs4/xxx
-> mv: failed to set acl entries for nfs4/xxx: Invalid argument
-$ getfacl -nq nfs4/xxx
-> owner@:-wxp----------:-------:deny
-> owner@:r-----aARWcCos:-------:allow
-> group@:rwxp--a-R-c--s:-------:allow
-> everyone@:rw-p--a-R-c--s:-------:allow
-$ ls -l nfs4/xxx | cut -d' ' -f1
-> -r--rwxrw-
-
-# mv with NFSv4 ACLs.
-$ rm -f nfs4/xxx
-$ rm -f nfs4/yyy
-$ touch nfs4/xxx
-$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
-$ mv nfs4/xxx nfs4/yyy
-$ getfacl -nq nfs4/yyy
-> user:42:--x-----------:-------:allow
-> group:43:-w------------:-------:allow
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:r-----a-R-c--s:-------:allow
-> everyone@:r-----a-R-c--s:-------:allow
-$ ls -l nfs4/yyy | cut -d' ' -f1
-> -rw-r--r--+
-
-# mv from NFSv4 to POSIX.1e without any ACLs.
-$ rm -f nfs4/xxx
-$ rm -f posix/xxx
-$ touch nfs4/xxx
-$ chmod 456 nfs4/xxx
-$ ls -l nfs4/xxx | cut -d' ' -f1
-> -r--r-xrw-
-$ mv nfs4/xxx posix/xxx
-$ ls -l posix/xxx | cut -d' ' -f1
-> -r--r-xrw-
-
-# mv from NFSv4 to none.
-$ rm -f nfs4/xxx
-$ rm -f none/xxx
-$ touch nfs4/xxx
-$ chmod 345 nfs4/xxx
-$ ls -l nfs4/xxx | cut -d' ' -f1
-> --wxr--r-x
-$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
-$ ls -l nfs4/xxx | cut -d' ' -f1
-> --wxr--r-x+
-$ mv nfs4/xxx none/xxx
-> mv: failed to set acl entries for none/xxx: Operation not supported
-$ ls -l none/xxx | cut -d' ' -f1
-> --wxr--r-x
-
-# mv from NFSv4 to POSIX.1e.
-$ rm -f nfs4/xxx
-$ rm -f posix/xxx
-$ touch nfs4/xxx
-$ chmod 345 nfs4/xxx
-$ ls -l nfs4/xxx | cut -d' ' -f1
-> --wxr--r-x
-$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
-$ ls -l nfs4/xxx | cut -d' ' -f1
-> --wxr--r-x+
-$ mv nfs4/xxx posix/xxx
-> mv: failed to set acl entries for posix/xxx: Invalid argument
-$ ls -l posix/xxx | cut -d' ' -f1
-> --wxr--r-x
-
-# cp with POSIX.1e ACLs.
-$ rm -f posix/xxx
-$ rm -f posix/yyy
-$ touch posix/xxx
-$ setfacl -m u:42:x,g:43:w posix/xxx
-$ ls -l posix/xxx | cut -d' ' -f1
-> -rw-rwxr--+
-$ cp posix/xxx posix/yyy
-$ ls -l posix/yyy | cut -d' ' -f1
-> -rw-r-xr--
-
-# cp -p with POSIX.1e ACLs.
-$ rm -f posix/xxx
-$ rm -f posix/yyy
-$ touch posix/xxx
-$ setfacl -m u:42:x,g:43:w posix/xxx
-$ getfacl -nq posix/xxx
-> user::rw-
-> user:42:--x
-> group::r--
-> group:43:-w-
-> mask::rwx
-> other::r--
-$ ls -l posix/xxx | cut -d' ' -f1
-> -rw-rwxr--+
-$ cp -p posix/xxx posix/yyy
-$ getfacl -nq posix/yyy
-> user::rw-
-> user:42:--x
-> group::r--
-> group:43:-w-
-> mask::rwx
-> other::r--
-$ ls -l posix/yyy | cut -d' ' -f1
-> -rw-rwxr--+
-
-# cp from POSIX.1e to none.
-$ rm -f posix/xxx
-$ rm -f none/xxx
-$ touch posix/xxx
-$ setfacl -m u:42:x,g:43:w posix/xxx
-$ ls -l posix/xxx | cut -d' ' -f1
-> -rw-rwxr--+
-$ cp posix/xxx none/xxx
-$ ls -l none/xxx | cut -d' ' -f1
-> -rw-r-xr--
-
-# cp -p from POSIX.1e to none.
-$ rm -f posix/xxx
-$ rm -f none/xxx
-$ touch posix/xxx
-$ setfacl -m u:42:x,g:43:w posix/xxx
-$ ls -l posix/xxx | cut -d' ' -f1
-> -rw-rwxr--+
-$ cp -p posix/xxx none/xxx
-> cp: failed to set acl entries for none/xxx: Operation not supported
-$ ls -l none/xxx | cut -d' ' -f1
-> -rw-rwxr--
-
-# cp from POSIX.1e to NFSv4.
-$ rm -f posix/xxx
-$ rm -f nfs4/xxx
-$ touch posix/xxx
-$ setfacl -m u:42:x,g:43:w posix/xxx
-$ ls -l posix/xxx | cut -d' ' -f1
-> -rw-rwxr--+
-$ cp posix/xxx nfs4/xxx
-$ ls -l nfs4/xxx | cut -d' ' -f1
-> -rw-r-xr--
-
-# cp -p from POSIX.1e to NFSv4.
-$ rm -f posix/xxx
-$ rm -f nfs4/xxx
-$ touch posix/xxx
-$ setfacl -m u:42:x,g:43:w posix/xxx
-$ ls -l posix/xxx | cut -d' ' -f1
-> -rw-rwxr--+
-$ cp -p posix/xxx nfs4/xxx
-> cp: failed to set acl entries for nfs4/xxx: Invalid argument
-$ ls -l nfs4/xxx | cut -d' ' -f1
-> -rw-rwxr--
-
-# cp with NFSv4 ACLs.
-$ rm -f nfs4/xxx
-$ rm -f nfs4/yyy
-$ touch nfs4/xxx
-$ chmod 543 nfs4/xxx
-$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
-$ ls -l nfs4/xxx | cut -d' ' -f1
-> -r-xr---wx+
-$ cp nfs4/xxx nfs4/yyy
-$ ls -l nfs4/yyy | cut -d' ' -f1
-> -r-xr----x
-
-# cp -p with NFSv4 ACLs.
-$ rm -f nfs4/xxx
-$ rm -f nfs4/yyy
-$ touch nfs4/xxx
-$ chmod 543 nfs4/xxx
-$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
-$ cp -p nfs4/xxx nfs4/yyy
-$ getfacl -nq nfs4/yyy
-> user:42:--x-----------:-------:allow
-> group:43:-w------------:-------:allow
-> owner@:--x-----------:-------:allow
-> owner@:-w-p----------:-------:deny
-> group@:-wxp----------:-------:deny
-> owner@:r-x---aARWcCos:-------:allow
-> group@:r-----a-R-c--s:-------:allow
-> everyone@:-wxp--a-R-c--s:-------:allow
-$ ls -l nfs4/yyy | cut -d' ' -f1
-> -r-xr---wx+
-
-# cp from NFSv4 to none.
-$ rm -f nfs4/xxx
-$ rm -f none/xxx
-$ touch nfs4/xxx
-$ chmod 543 nfs4/xxx
-$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
-$ ls -l nfs4/xxx | cut -d' ' -f1
-> -r-xr---wx+
-$ cp nfs4/xxx none/xxx
-$ ls -l none/xxx | cut -d' ' -f1
-> -r-xr----x
-
-# cp -p from NFSv4 to none.
-$ rm -f nfs4/xxx
-$ rm -f none/xxx
-$ touch nfs4/xxx
-$ chmod 543 nfs4/xxx
-$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
-$ ls -l nfs4/xxx | cut -d' ' -f1
-> -r-xr---wx+
-$ cp -p nfs4/xxx none/xxx
-> cp: failed to set acl entries for none/xxx: Operation not supported
-$ ls -l none/xxx | cut -d' ' -f1
-> -r-xr---wx
-
-# cp from NFSv4 to POSIX.1e.
-$ rm -f nfs4/xxx
-$ rm -f posix/xxx
-$ touch nfs4/xxx
-$ chmod 543 nfs4/xxx
-$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
-$ ls -l nfs4/xxx | cut -d' ' -f1
-> -r-xr---wx+
-$ cp nfs4/xxx posix/xxx
-$ ls -l posix/xxx | cut -d' ' -f1
-> -r-xr----x
-
-# cp -p from NFSv4 to POSIX.1e.
-$ rm -f nfs4/xxx
-$ rm -f posix/xxx
-$ touch nfs4/xxx
-$ chmod 543 nfs4/xxx
-$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx
-$ ls -l nfs4/xxx | cut -d' ' -f1
-> -r-xr---wx+
-$ cp -p nfs4/xxx posix/xxx
-> cp: failed to set acl entries for posix/xxx: Invalid argument
-$ ls -l posix/xxx | cut -d' ' -f1
-> -r-xr---wx
Index: head/tools/regression/acltools/tools-nfs4-psarc.test
===================================================================
--- head/tools/regression/acltools/tools-nfs4-psarc.test
+++ head/tools/regression/acltools/tools-nfs4-psarc.test
@@ -1,562 +0,0 @@
-# Copyright (c) 2008, 2009 Edward Tomasz Napierała
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-# This is a tools-level test for NFSv4 ACL functionality with PSARC/2010/029
-# semantics. Run it as root using ACL-enabled kernel:
-#
-# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4-psarc.test
-#
-# WARNING: Creates files in unsafe way.
-
-$ whoami
-> root
-$ umask 022
-
-# Smoke test for getfacl(1).
-$ touch xxx
-$ getfacl xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:r-----a-R-c--s:-------:allow
-> everyone@:r-----a-R-c--s:-------:allow
-
-$ getfacl -q xxx
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:r-----a-R-c--s:-------:allow
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Check verbose mode formatting.
-$ getfacl -v xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> owner@:read_data/write_data/append_data/read_attributes/write_attributes/read_xattr/write_xattr/read_acl/write_acl/write_owner/synchronize::allow
-> group@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
-> everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
-
-# Test setfacl -a.
-$ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:r-----a-R-c--s:-------:allow
-> user:0:-----------C--:-------:allow
-> group:1:----------c---:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Test user and group name resolving.
-$ rm xxx
-$ touch xxx
-$ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx
-$ getfacl xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:r-----a-R-c--s:-------:allow
-> user:root:-----------C--:-------:allow
-> group:daemon:----------c---:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Check whether ls correctly marks files with "+".
-$ ls -l xxx | cut -d' ' -f1
-> -rw-r--r--+
-
-# Test removing entries by number.
-$ setfacl -x 1 xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> owner@:rw-p--aARWcCos:-------:allow
-> user:0:-----------C--:-------:allow
-> group:1:----------c---:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Test setfacl -m.
-$ setfacl -a0 everyone@:rwx:deny xxx
-$ setfacl -a0 everyone@:rwx:deny xxx
-$ setfacl -a0 everyone@:rwx:deny xxx
-$ setfacl -m everyone@::deny xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> everyone@:--------------:-------:deny
-> everyone@:--------------:-------:deny
-> everyone@:--------------:-------:deny
-> owner@:rw-p--aARWcCos:-------:allow
-> user:0:-----------C--:-------:allow
-> group:1:----------c---:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Test getfacl -i.
-$ getfacl -i xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> everyone@:--------------:-------:deny
-> everyone@:--------------:-------:deny
-> everyone@:--------------:-------:deny
-> owner@:rw-p--aARWcCos:-------:allow
-> user:root:-----------C--:-------:allow:0
-> group:daemon:----------c---:-------:deny:1
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Make sure cp without any flags does not copy copy the ACL.
-$ cp xxx yyy
-$ ls -l yyy | cut -d' ' -f1
-> -rw-r--r--
-
-# Make sure it does with the "-p" flag.
-$ rm yyy
-$ cp -p xxx yyy
-$ getfacl -n yyy
-> # file: yyy
-> # owner: root
-> # group: wheel
-> everyone@:--------------:-------:deny
-> everyone@:--------------:-------:deny
-> everyone@:--------------:-------:deny
-> owner@:rw-p--aARWcCos:-------:allow
-> user:0:-----------C--:-------:allow
-> group:1:----------c---:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-$ rm yyy
-
-# Test removing entries by... by example?
-$ setfacl -x everyone@::deny xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> owner@:rw-p--aARWcCos:-------:allow
-> user:0:-----------C--:-------:allow
-> group:1:----------c---:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Test setfacl -b.
-$ setfacl -b xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:r-----a-R-c--s:-------:allow
-> everyone@:r-----a-R-c--s:-------:allow
-
-$ ls -l xxx | cut -d' ' -f1
-> -rw-r--r--
-
-# Check setfacl(1) and getfacl(1) with multiple files.
-$ touch xxx yyy zzz
-
-$ ls -l xxx yyy zzz | cut -d' ' -f1
-> -rw-r--r--
-> -rw-r--r--
-> -rw-r--r--
-
-$ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz
-> setfacl: nnn: stat() failed: No such file or directory
-
-$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
-> ls: nnn: No such file or directory
-> -rw-r--r--+
-> -rw-r--r--+
-> -rw-r--r--+
-
-$ getfacl -nq nnn xxx yyy zzz
-> getfacl: nnn: stat() failed: No such file or directory
-> user:42:--x-----------:-------:allow
-> group:43:-w------------:-------:allow
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:r-----a-R-c--s:-------:allow
-> everyone@:r-----a-R-c--s:-------:allow
->
-> user:42:--x-----------:-------:allow
-> group:43:-w------------:-------:allow
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:r-----a-R-c--s:-------:allow
-> everyone@:r-----a-R-c--s:-------:allow
->
-> user:42:--x-----------:-------:allow
-> group:43:-w------------:-------:allow
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:r-----a-R-c--s:-------:allow
-> everyone@:r-----a-R-c--s:-------:allow
-
-$ setfacl -b nnn xxx yyy zzz
-> setfacl: nnn: stat() failed: No such file or directory
-
-$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
-> ls: nnn: No such file or directory
-> -rw-r--r--
-> -rw-r--r--
-> -rw-r--r--
-
-$ rm xxx yyy zzz
-
-# Test applying mode to an ACL.
-$ touch xxx
-$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx
-$ chmod 600 xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:------a-R-c--s:-------:allow
-> everyone@:------a-R-c--s:-------:allow
-
-$ ls -l xxx | cut -d' ' -f1
-> -rw-------
-
-$ rm xxx
-$ touch xxx
-$ chown 42 xxx
-$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
-$ chmod 600 xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: 42
-> # group: wheel
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:------a-R-c--s:-------:allow
-> everyone@:------a-R-c--s:-------:allow
-$ ls -l xxx | cut -d' ' -f1
-> -rw-------
-
-$ rm xxx
-$ touch xxx
-$ chown 43 xxx
-$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
-$ chmod 124 xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: 43
-> # group: wheel
-> owner@:rw-p----------:-------:deny
-> group@:r-------------:-------:deny
-> owner@:--x---aARWcCos:-------:allow
-> group@:-w-p--a-R-c--s:-------:allow
-> everyone@:r-----a-R-c--s:-------:allow
-$ ls -l xxx | cut -d' ' -f1
-> ---x-w-r--
-
-$ rm xxx
-$ touch xxx
-$ chown 43 xxx
-$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx
-$ chmod 412 xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: 43
-> # group: wheel
-> owner@:-wxp----------:-------:deny
-> group@:-w-p----------:-------:deny
-> owner@:r-----aARWcCos:-------:allow
-> group@:--x---a-R-c--s:-------:allow
-> everyone@:-w-p--a-R-c--s:-------:allow
-$ ls -l xxx | cut -d' ' -f1
-> -r----x-w-
-
-$ mkdir ddd
-$ setfacl -a0 group:44:rwapd:allow ddd
-$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd
-$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd
-$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd
-$ getfacl -n ddd
-> # file: ddd
-> # owner: root
-> # group: wheel
-> user:42:r-x-----------:f-i----:allow
->
group:42:-w--D---------:-d-----:allow
-> group:43:-w--D---------:-d-----:deny
-> group@:-----da-------:-------:allow
-> group:44:rw-p-da-------:-------:allow
-> owner@:rwxp--aARWcCos:-------:allow
-> group@:r-x---a-R-c--s:-------:allow
-> everyone@:-w-p--a-R-c--s:f-i----:allow
-
-$ chmod 777 ddd
-$ getfacl -n ddd
-> # file: ddd
-> # owner: root
-> # group: wheel
-> owner@:rwxp--aARWcCos:-------:allow
-> group@:rwxp--a-R-c--s:-------:allow
-> everyone@:rwxp--a-R-c--s:-------:allow
-
-# Test applying ACL to mode.
-$ rmdir ddd
-$ mkdir ddd
-$ setfacl -a0 u:42:rwx:fi:allow ddd
-$ ls -ld ddd | cut -d' ' -f1
-> drwxr-xr-x+
-
-$ rmdir ddd
-$ mkdir ddd
-$ chmod 0 ddd
-$ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd
-$ ls -ld ddd | cut -d' ' -f1
-> dr----x---+
-
-$ rmdir ddd
-$ mkdir ddd
-$ chmod 0 ddd
-$ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd
-$ ls -ld ddd | cut -d' ' -f1
-> dr---wx---+
-
-$ rmdir ddd
-$ mkdir ddd
-$ chmod 0 ddd
-$ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd
-$ ls -ld ddd | cut -d' ' -f1
-> dr--------+
-
-$ rmdir ddd
-$ mkdir ddd
-$ chmod 0 ddd
-$ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd
-$ ls -ld ddd | cut -d' ' -f1
-> dr--------+
-
-# Test inheritance.
-$ rmdir ddd
-$ mkdir ddd
-$ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd
-$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd
-$ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd
-$ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd
-$ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd
-$ getfacl -qn ddd
-> user:41:-w-----A------:f--n---:allow
-> group:41:r-----a-------:-din---:allow
-> user:42:-----------Co-:f-i----:allow
-> user:42:r-x-----------:f-i----:allow
-> group:42:-w--D---------:-d-n---:deny
-> group:43:-w---------C--:f-in---:deny
-> user:43:rwxp----------:-------:allow
-> owner@:rwxp--aARWcCos:-------:allow
-> group@:r-x---a-R-c--s:-------:allow
-> everyone@:r-x---a-R-c--s:-------:allow
-
-$ cd ddd
-$ touch xxx
-$ getfacl -qn xxx
-> user:41:--------------:------I:allow
-> user:42:--------------:------I:allow
-> user:42:r-------------:------I:allow
-> group:43:-w---------C--:------I:deny
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:r-----a-R-c--s:-------:allow
-> everyone@:r-----a-R-c--s:-------:allow
-
-$ rm xxx
-$ umask 077
-$ touch xxx
-$ getfacl -qn xxx
-> user:41:--------------:------I:allow
-> user:42:--------------:------I:allow
-> user:42:--------------:------I:allow
-> group:43:-w---------C--:------I:deny
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:------a-R-c--s:-------:allow
-> everyone@:------a-R-c--s:-------:allow
-
-$ rm xxx
-$ umask 770
-$ touch xxx
-$ getfacl -qn xxx
-> owner@:rw-p----------:-------:deny
-> group@:rw-p----------:-------:deny
-> user:41:--------------:------I:allow
-> user:42:--------------:------I:allow
-> user:42:--------------:------I:allow
-> group:43:-w---------C--:------I:deny
-> owner@:------aARWcCos:-------:allow
-> group@:------a-R-c--s:-------:allow
-> everyone@:rw-p--a-R-c--s:-------:allow
-
-$ rm xxx
-$ umask 707
-$ touch xxx
-$ getfacl -qn xxx
-> owner@:rw-p----------:-------:deny
-> user:41:-w------------:------I:allow
->
user:42:--------------:------I:allow
-> user:42:r-------------:------I:allow
-> group:43:-w---------C--:------I:deny
-> owner@:------aARWcCos:-------:allow
-> group@:rw-p--a-R-c--s:-------:allow
-> everyone@:------a-R-c--s:-------:allow
-
-$ umask 077
-$ mkdir yyy
-$ getfacl -qn yyy
-> group:41:------a-------:------I:allow
-> user:42:-----------Co-:f-i---I:allow
-> user:42:r-x-----------:f-i---I:allow
-> group:42:-w--D---------:------I:deny
-> owner@:rwxp--aARWcCos:-------:allow
-> group@:------a-R-c--s:-------:allow
-> everyone@:------a-R-c--s:-------:allow
-
-$ rmdir yyy
-$ umask 770
-$ mkdir yyy
-$ getfacl -qn yyy
-> owner@:rwxp----------:-------:deny
-> group@:rwxp----------:-------:deny
-> group:41:------a-------:------I:allow
-> user:42:-----------Co-:f-i---I:allow
-> user:42:r-x-----------:f-i---I:allow
-> group:42:-w--D---------:------I:deny
-> owner@:------aARWcCos:-------:allow
-> group@:------a-R-c--s:-------:allow
-> everyone@:rwxp--a-R-c--s:-------:allow
-
-$ rmdir yyy
-$ umask 707
-$ mkdir yyy
-$ getfacl -qn yyy
-> owner@:rwxp----------:-------:deny
-> group:41:r-----a-------:------I:allow
-> user:42:-----------Co-:f-i---I:allow
-> user:42:r-x-----------:f-i---I:allow
-> group:42:-w--D---------:------I:deny
-> owner@:------aARWcCos:-------:allow
-> group@:rwxp--a-R-c--s:-------:allow
-> everyone@:------a-R-c--s:-------:allow
-
-# There is some complication regarding how write_acl and write_owner flags
-# get inherited. Make sure we got it right.
-$ setfacl -b .
-$ setfacl -a0 u:42:Co:f:allow .
-$ setfacl -a0 u:43:Co:d:allow .
-$ setfacl -a0 u:44:Co:fd:allow .
-$ setfacl -a0 u:45:Co:fi:allow .
-$ setfacl -a0 u:46:Co:di:allow .
-$ setfacl -a0 u:47:Co:fdi:allow .
-$ setfacl -a0 u:48:Co:fn:allow .
-$ setfacl -a0 u:49:Co:dn:allow .
-$ setfacl -a0 u:50:Co:fdn:allow .
-$ setfacl -a0 u:51:Co:fni:allow .
-$ setfacl -a0 u:52:Co:dni:allow .
-$ setfacl -a0 u:53:Co:fdni:allow .
-$ umask 022
-$ rm xxx
-$ touch xxx
-$ getfacl -nq xxx
-> user:53:--------------:------I:allow
-> user:51:--------------:------I:allow
-> user:50:--------------:------I:allow
-> user:48:--------------:------I:allow
-> user:47:--------------:------I:allow
-> user:45:--------------:------I:allow
-> user:44:--------------:------I:allow
-> user:42:--------------:------I:allow
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:r-----a-R-c--s:-------:allow
-> everyone@:r-----a-R-c--s:-------:allow
-
-$ rmdir yyy
-$ mkdir yyy
-$ getfacl -nq yyy
-> user:53:--------------:------I:allow
-> user:52:--------------:------I:allow
-> user:50:--------------:------I:allow
-> user:49:--------------:------I:allow
-> user:47:--------------:fd----I:allow
-> user:46:--------------:-d----I:allow
-> user:45:-----------Co-:f-i---I:allow
-> user:44:--------------:fd----I:allow
-> user:43:--------------:-d----I:allow
-> user:42:-----------Co-:f-i---I:allow
-> owner@:rwxp--aARWcCos:-------:allow
-> group@:r-x---a-R-c--s:-------:allow
-> everyone@:r-x---a-R-c--s:-------:allow
-
-$ setfacl -b .
-$ setfacl -a0 u:42:Co:f:deny .
-$ setfacl -a0 u:43:Co:d:deny .
-$ setfacl -a0 u:44:Co:fd:deny .
-$ setfacl -a0 u:45:Co:fi:deny .
-$ setfacl -a0 u:46:Co:di:deny .
-$ setfacl -a0 u:47:Co:fdi:deny .
-$ setfacl -a0 u:48:Co:fn:deny .
-$ setfacl -a0 u:49:Co:dn:deny .
-$ setfacl -a0 u:50:Co:fdn:deny .
-$ setfacl -a0 u:51:Co:fni:deny .
-$ setfacl -a0 u:52:Co:dni:deny .
-$ setfacl -a0 u:53:Co:fdni:deny .
-$ umask 022
-$ rm xxx
-$ touch xxx
-$ getfacl -nq xxx
-> user:53:-----------Co-:------I:deny
-> user:51:-----------Co-:------I:deny
-> user:50:-----------Co-:------I:deny
-> user:48:-----------Co-:------I:deny
-> user:47:-----------Co-:------I:deny
-> user:45:-----------Co-:------I:deny
-> user:44:-----------Co-:------I:deny
-> user:42:-----------Co-:------I:deny
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:r-----a-R-c--s:-------:allow
-> everyone@:r-----a-R-c--s:-------:allow
-
-$ rmdir yyy
-$ mkdir yyy
-$ getfacl -nq yyy
-> user:53:-----------Co-:------I:deny
-> user:52:-----------Co-:------I:deny
-> user:50:-----------Co-:------I:deny
-> user:49:-----------Co-:------I:deny
-> user:47:-----------Co-:fd----I:deny
-> user:46:-----------Co-:-d----I:deny
-> user:45:-----------Co-:f-i---I:deny
-> user:44:-----------Co-:fd----I:deny
-> user:43:-----------Co-:-d----I:deny
-> user:42:-----------Co-:f-i---I:deny
-> owner@:rwxp--aARWcCos:-------:allow
-> group@:r-x---a-R-c--s:-------:allow
-> everyone@:r-x---a-R-c--s:-------:allow
-
-$ rmdir yyy
-$ rm xxx
-$ cd ..
-$ rmdir ddd
-
-$ rm xxx
-
Index: head/tools/regression/acltools/tools-nfs4-trivial.test
===================================================================
--- head/tools/regression/acltools/tools-nfs4-trivial.test
+++ head/tools/regression/acltools/tools-nfs4-trivial.test
@@ -1,82 +0,0 @@
-# Copyright (c) 2011 Edward Tomasz Napierała
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-# This is a tools-level test for acl_is_trivial_np(3). Run it as root on ZFS.
-# Note that this does not work on UFS with NFSv4 ACLs enabled - UFS recognizes
-# both kind of trivial ACLs and replaces it by the default one.
-#
-# WARNING: Creates files in unsafe way.
-
-$ whoami
-> root
-$ umask 022
-
-# Check whether ls(1) correctly recognizes PSARC/2010/029-style trivial ACLs.
-$ touch xxx
-
-$ ls -l xxx | cut -d' ' -f1
-> -rw-r--r--
-
-$ getfacl -q xxx
-> owner@:rw-p--aARWcCos:-------:allow
-> group@:r-----a-R-c--s:-------:allow
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Check whether ls(1) correctly recognizes draft-style trivial ACLs.
-$ rm xxx
-$ touch xxx
-$ setfacl -a0 owner@:x:deny,owner@:rwpAWCo:allow,group@:wxp:deny,group@:r:allow,everyone@:wxpAWCo:deny,everyone@:raRcs:allow xxx
-$ setfacl -x5 xxx
-$ setfacl -x5 xxx
-$ setfacl -x5 xxx
-
-$ ls -l xxx | cut -d' ' -f1
-> -rw-r--r--
-
-$ getfacl -q xxx
-> owner@:--x-----------:-------:deny
-> owner@:rw-p---A-W-Co-:-------:allow
-> group@:-wxp----------:-------:deny
-> group@:r-------------:-------:allow
-> everyone@:-wxp---A-W-Co-:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Make sure ls(1) actually can recognize something as non-trivial.
-$ setfacl -x0 xxx
-
-$ ls -l xxx | cut -d' ' -f1
-> -rw-r--r--+
-
-$ getfacl -q xxx
-> owner@:rw-p---A-W-Co-:-------:allow
-> group@:-wxp----------:-------:deny
-> group@:r-------------:-------:allow
-> everyone@:-wxp---A-W-Co-:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-$ rm xxx
-
Index: head/tools/regression/acltools/tools-nfs4.test
===================================================================
--- head/tools/regression/acltools/tools-nfs4.test
+++ head/tools/regression/acltools/tools-nfs4.test
@@ -1,828 +0,0 @@
-# Copyright (c) 2008, 2009 Edward Tomasz Napierała
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-# This is a tools-level test for NFSv4 ACL functionality. Run it as root
-# using ACL-enabled kernel:
-#
-# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test
-#
-# WARNING: Creates files in unsafe way.
-
-$ whoami
-> root
-$ umask 022
-
-# Smoke test for getfacl(1).
-$ touch xxx
-$ getfacl xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> owner@:--x-----------:-------:deny
-> owner@:rw-p---A-W-Co-:-------:allow
-> group@:-wxp----------:-------:deny
-> group@:r-------------:-------:allow
-> everyone@:-wxp---A-W-Co-:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-$ getfacl -q xxx
-> owner@:--x-----------:-------:deny
-> owner@:rw-p---A-W-Co-:-------:allow
-> group@:-wxp----------:-------:deny
-> group@:r-------------:-------:allow
-> everyone@:-wxp---A-W-Co-:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Check verbose mode formatting.
-$ getfacl -v xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> owner@:execute::deny
-> owner@:read_data/write_data/append_data/write_attributes/write_xattr/write_acl/write_owner::allow
-> group@:write_data/execute/append_data::deny
-> group@:read_data::allow
-> everyone@:write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::deny
-> everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow
-
-# Test setfacl -a.
-$ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> owner@:--x-----------:-------:deny
-> owner@:rw-p---A-W-Co-:-------:allow
-> user:0:-----------C--:-------:allow
-> group:1:----------c---:-------:deny
-> group@:-wxp----------:-------:deny
-> group@:r-------------:-------:allow
-> everyone@:-wxp---A-W-Co-:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Test user and group name resolving.
-$ rm xxx
-$ touch xxx
-$ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx
-$ getfacl xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> owner@:--x-----------:-------:deny
-> owner@:rw-p---A-W-Co-:-------:allow
-> user:root:-----------C--:-------:allow
-> group:daemon:----------c---:-------:deny
-> group@:-wxp----------:-------:deny
-> group@:r-------------:-------:allow
-> everyone@:-wxp---A-W-Co-:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Check whether ls correctly marks files with "+".
-$ ls -l xxx | cut -d' ' -f1
-> -rw-r--r--+
-
-# Test removing entries by number.
-$ setfacl -x 4 xxx
-$ setfacl -x 4 xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> owner@:--x-----------:-------:deny
-> owner@:rw-p---A-W-Co-:-------:allow
-> user:0:-----------C--:-------:allow
-> group:1:----------c---:-------:deny
-> everyone@:-wxp---A-W-Co-:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Test setfacl -m.
-$ setfacl -a0 everyone@:rwx:deny xxx
-$ setfacl -a0 everyone@:rwx:deny xxx
-$ setfacl -a0 everyone@:rwx:deny xxx
-$ setfacl -m everyone@::deny xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> everyone@:--------------:-------:deny
-> everyone@:--------------:-------:deny
-> everyone@:--------------:-------:deny
-> owner@:--x-----------:-------:deny
-> owner@:rw-p---A-W-Co-:-------:allow
-> user:0:-----------C--:-------:allow
-> group:1:----------c---:-------:deny
-> everyone@:--------------:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Test getfacl -i.
-$ getfacl -i xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> everyone@:--------------:-------:deny
-> everyone@:--------------:-------:deny
-> everyone@:--------------:-------:deny
-> owner@:--x-----------:-------:deny
-> owner@:rw-p---A-W-Co-:-------:allow
-> user:root:-----------C--:-------:allow:0
-> group:daemon:----------c---:-------:deny:1
-> everyone@:--------------:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Make sure cp without any flags does not copy copy the ACL.
-$ cp xxx yyy
-$ ls -l yyy | cut -d' ' -f1
-> -rw-r--r--
-
-# Make sure it does with the "-p" flag.
-$ rm yyy
-$ cp -p xxx yyy
-$ getfacl -n yyy
-> # file: yyy
-> # owner: root
-> # group: wheel
-> everyone@:--------------:-------:deny
-> everyone@:--------------:-------:deny
-> everyone@:--------------:-------:deny
-> owner@:--x-----------:-------:deny
-> owner@:rw-p---A-W-Co-:-------:allow
-> user:0:-----------C--:-------:allow
-> group:1:----------c---:-------:deny
-> everyone@:--------------:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-$ rm yyy
-
-# Test removing entries by... by example?
-$ setfacl -x everyone@::deny xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> owner@:--x-----------:-------:deny
-> owner@:rw-p---A-W-Co-:-------:allow
-> user:0:-----------C--:-------:allow
-> group:1:----------c---:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-# Test setfacl -b.
-$ setfacl -b xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> owner@:--x-----------:-------:deny
-> owner@:rw-p---A-W-Co-:-------:allow
-> group@:-wxp----------:-------:deny
-> group@:r-------------:-------:allow
-> everyone@:-wxp---A-W-Co-:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-$ ls -l xxx | cut -d' ' -f1
-> -rw-r--r--
-
-# Check setfacl(1) and getfacl(1) with multiple files.
-$ touch xxx yyy zzz
-
-$ ls -l xxx yyy zzz | cut -d' ' -f1
-> -rw-r--r--
-> -rw-r--r--
-> -rw-r--r--
-
-$ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz
-> setfacl: nnn: stat() failed: No such file or directory
-
-$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
-> ls: nnn: No such file or directory
-> -rw-r--r--+
-> -rw-r--r--+
-> -rw-r--r--+
-
-$ getfacl -nq nnn xxx yyy zzz
-> getfacl: nnn: stat() failed: No such file or directory
-> user:42:--x-----------:-------:allow
-> group:43:-w------------:-------:allow
-> owner@:--x-----------:-------:deny
-> owner@:rw-p---A-W-Co-:-------:allow
-> group@:-wxp----------:-------:deny
-> group@:r-------------:-------:allow
-> everyone@:-wxp---A-W-Co-:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
->
-> user:42:--x-----------:-------:allow
-> group:43:-w------------:-------:allow
-> owner@:--x-----------:-------:deny
-> owner@:rw-p---A-W-Co-:-------:allow
-> group@:-wxp----------:-------:deny
-> group@:r-------------:-------:allow
-> everyone@:-wxp---A-W-Co-:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
->
-> user:42:--x-----------:-------:allow
-> group:43:-w------------:-------:allow
-> owner@:--x-----------:-------:deny
-> owner@:rw-p---A-W-Co-:-------:allow
-> group@:-wxp----------:-------:deny
-> group@:r-------------:-------:allow
-> everyone@:-wxp---A-W-Co-:-------:deny
-> everyone@:r-----a-R-c--s:-------:allow
-
-$ setfacl -b nnn xxx yyy zzz
-> setfacl: nnn: stat() failed: No such file or directory
-
-$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
-> ls: nnn: No such file or directory
-> -rw-r--r--
-> -rw-r--r--
-> -rw-r--r--
-
-$ rm xxx yyy zzz
-
-# Test applying mode to an ACL.
-$ touch xxx -$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx -$ chmod 600 xxx -$ getfacl -n xxx -> # file: xxx -> # owner: root -> # group: wheel -> user:42:r-------------:-------:deny -> user:42:r-------------:-------:allow -> user:43:-w------------:-------:deny -> user:43:-w------------:-------:allow -> user:44:--x-----------:-------:deny -> user:44:--x-----------:-------:allow -> owner@:--------------:-------:deny -> owner@:-------A-W-Co-:-------:allow -> group@:--------------:-------:deny -> group@:--------------:-------:allow -> everyone@:-------A-W-Co-:-------:deny -> owner@:--x-----------:-------:deny -> owner@:rw-p---A-W-Co-:-------:allow -> group@:rwxp----------:-------:deny -> group@:--------------:-------:allow -> everyone@:rwxp---A-W-Co-:-------:deny -> everyone@:------a-R-c--s:-------:allow -$ ls -l xxx | cut -d' ' -f1 -> -rw-------+ - -$ rm xxx -$ touch xxx -$ chown 42 xxx -$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx -$ chmod 600 xxx -$ getfacl -n xxx -> # file: xxx -> # owner: 42 -> # group: wheel -> user:42:--------------:-------:deny -> user:42:r-------------:-------:allow -> user:43:-w------------:-------:deny -> user:43:-w------------:-------:allow -> user:44:--x-----------:-------:deny -> user:44:--x-----------:-------:allow -> owner@:--x-----------:-------:deny -> owner@:rw-p---A-W-Co-:-------:allow -> group@:rwxp----------:-------:deny -> group@:--------------:-------:allow -> everyone@:rwxp---A-W-Co-:-------:deny -> everyone@:------a-R-c--s:-------:allow -$ ls -l xxx | cut -d' ' -f1 -> -rw-------+ - -$ rm xxx -$ touch xxx -$ chown 43 xxx -$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx -$ chmod 124 xxx -$ getfacl -n xxx -> # file: xxx -> # owner: 43 -> # group: wheel -> user:42:r-------------:-------:deny -> user:42:r-------------:-------:allow -> user:43:-w------------:-------:deny -> 
user:43:-w------------:-------:allow -> user:44:--x-----------:-------:deny -> user:44:--x-----------:-------:allow -> owner@:rw-p----------:-------:deny -> owner@:--x----A-W-Co-:-------:allow -> group@:r-x-----------:-------:deny -> group@:-w-p----------:-------:allow -> everyone@:-wxp---A-W-Co-:-------:deny -> everyone@:r-----a-R-c--s:-------:allow -$ ls -l xxx | cut -d' ' -f1 -> ---x-w-r--+ - -$ rm xxx -$ touch xxx -$ chown 43 xxx -$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx -$ chmod 412 xxx -$ getfacl -n xxx -> # file: xxx -> # owner: 43 -> # group: wheel -> user:42:r-------------:-------:deny -> user:42:r-------------:-------:allow -> user:43:-w------------:-------:deny -> user:43:-w------------:-------:allow -> user:44:--------------:-------:deny -> user:44:--x-----------:-------:allow -> owner@:-wxp----------:-------:deny -> owner@:r------A-W-Co-:-------:allow -> group@:rw-p----------:-------:deny -> group@:--x-----------:-------:allow -> everyone@:r-x----A-W-Co-:-------:deny -> everyone@:-w-p--a-R-c--s:-------:allow -$ ls -l xxx | cut -d' ' -f1 -> -r----x-w-+ - -$ mkdir ddd -$ setfacl -a0 group:44:rwapd:allow ddd -$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd -$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd -$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd -$ getfacl -n ddd -> # file: ddd -> # owner: root -> # group: wheel -> user:42:r-x-----------:f-i----:allow -> group:42:-w--D---------:-d-----:allow -> group:43:-w--D---------:-d-----:deny -> group@:-----da-------:-------:allow -> group:44:rw-p-da-------:-------:allow -> owner@:--------------:-------:deny -> owner@:rwxp---A-W-Co-:-------:allow -> group@:-w-p----------:-------:deny -> group@:r-x-----------:-------:allow -> everyone@:-w-p---A-W-Co-:-------:deny -> everyone@:-w-p--a-R-c--s:f-i----:allow -$ chmod 777 ddd -$ getfacl -n ddd -> # file: ddd -> # owner: root -> # group: wheel -> 
user:42:r-x-----------:f-i----:allow -> group:42:-w--D---------:-di----:allow -> group:42:--------------:-------:deny -> group:42:-w--D---------:-------:allow -> group:43:-w--D---------:-di----:deny -> group:43:-w--D---------:-------:deny -> group@:-----da-------:-------:allow -> group:44:--------------:-------:deny -> group:44:rw-p-da-------:-------:allow -> owner@:--------------:-------:deny -> owner@:-------A-W-Co-:-------:allow -> group@:--------------:-------:deny -> group@:--------------:-------:allow -> everyone@:-------A-W-Co-:-------:deny -> everyone@:-w-p--a-R-c--s:f-i----:allow -> owner@:--------------:-------:deny -> owner@:rwxp---A-W-Co-:-------:allow -> group@:--------------:-------:deny -> group@:rwxp----------:-------:allow -> everyone@:-------A-W-Co-:-------:deny -> everyone@:rwxp--a-R-c--s:-------:allow - -$ rmdir ddd -$ mkdir ddd -$ setfacl -a0 group:44:rwapd:allow ddd -$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd -$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd -$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd -$ chmod 124 ddd -$ getfacl -n ddd -> # file: ddd -> # owner: root -> # group: wheel -> user:42:r-x-----------:f-i----:allow -> group:42:-w--D---------:-di----:allow -> group:42:--------------:-------:deny -> group:42:----D---------:-------:allow -> group:43:-w--D---------:-di----:deny -> group:43:-w--D---------:-------:deny -> group@:-----da-------:-------:allow -> group:44:r-------------:-------:deny -> group:44:r----da-------:-------:allow -> owner@:--------------:-------:deny -> owner@:-------A-W-Co-:-------:allow -> group@:--------------:-------:deny -> group@:--------------:-------:allow -> everyone@:-------A-W-Co-:-------:deny -> everyone@:-w-p--a-R-c--s:f-i----:allow -> owner@:rw-p----------:-------:deny -> owner@:--x----A-W-Co-:-------:allow -> group@:r-x-----------:-------:deny -> group@:-w-p----------:-------:allow -> everyone@:-wxp---A-W-Co-:-------:deny -> 
everyone@:r-----a-R-c--s:-------:allow - -$ rmdir ddd -$ mkdir ddd -$ setfacl -a0 group:44:rwapd:allow ddd -$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd -$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd -$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd -$ chmod 412 ddd -$ getfacl -n ddd -> # file: ddd -> # owner: root -> # group: wheel -> user:42:r-------------:-------:deny -> user:42:r-x-----------:-------:allow -> user:42:r-x-----------:f-i----:allow -> group:42:-w--D---------:-di----:allow -> group:42:-w------------:-------:deny -> group:42:-w--D---------:-------:allow -> group:43:-w--D---------:-di----:deny -> group:43:-w--D---------:-------:deny -> group@:-----da-------:-------:allow -> group:44:rw-p----------:-------:deny -> group:44:rw-p-da-------:-------:allow -> owner@:--------------:-------:deny -> owner@:-------A-W-Co-:-------:allow -> group@:--------------:-------:deny -> group@:--------------:-------:allow -> everyone@:-------A-W-Co-:-------:deny -> everyone@:-w-p--a-R-c--s:f-i----:allow -> owner@:-wxp----------:-------:deny -> owner@:r------A-W-Co-:-------:allow -> group@:rw-p----------:-------:deny -> group@:--x-----------:-------:allow -> everyone@:r-x----A-W-Co-:-------:deny -> everyone@:-w-p--a-R-c--s:-------:allow - -$ rmdir ddd -$ mkdir ddd -$ setfacl -a0 group:44:rwapd:allow ddd -$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd -$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd -$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd -$ chown 42 ddd -$ chmod 412 ddd -$ getfacl -n ddd -> # file: ddd -> # owner: 42 -> # group: wheel -> user:42:--x-----------:-------:deny -> user:42:r-x-----------:-------:allow -> user:42:r-x-----------:f-i----:allow -> group:42:-w--D---------:-di----:allow -> group:42:-w------------:-------:deny -> group:42:-w--D---------:-------:allow -> 
group:43:-w--D---------:-di----:deny -> group:43:-w--D---------:-------:deny -> group@:-----da-------:-------:allow -> group:44:rw-p----------:-------:deny -> group:44:rw-p-da-------:-------:allow -> owner@:--------------:-------:deny -> owner@:-------A-W-Co-:-------:allow -> group@:--------------:-------:deny -> group@:--------------:-------:allow -> everyone@:-------A-W-Co-:-------:deny -> everyone@:-w-p--a-R-c--s:f-i----:allow -> owner@:-wxp----------:-------:deny -> owner@:r------A-W-Co-:-------:allow -> group@:rw-p----------:-------:deny -> group@:--x-----------:-------:allow -> everyone@:r-x----A-W-Co-:-------:deny -> everyone@:-w-p--a-R-c--s:-------:allow - -# Test applying ACL to mode. -$ rmdir ddd -$ mkdir ddd -$ setfacl -a0 u:42:rwx:fi:allow ddd -$ ls -ld ddd | cut -d' ' -f1 -> drwxr-xr-x+ - -$ rmdir ddd -$ mkdir ddd -$ chmod 0 ddd -$ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd -$ ls -ld ddd | cut -d' ' -f1 -> dr----x---+ - -$ rmdir ddd -$ mkdir ddd -$ chmod 0 ddd -$ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd -$ ls -ld ddd | cut -d' ' -f1 -> dr---wx---+ - -$ rmdir ddd -$ mkdir ddd -$ chmod 0 ddd -$ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd -$ ls -ld ddd | cut -d' ' -f1 -> dr--------+ - -$ rmdir ddd -$ mkdir ddd -$ chmod 0 ddd -$ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd -$ ls -ld ddd | cut -d' ' -f1 -> dr--------+ - -# Test inheritance. 
-$ rmdir ddd -$ mkdir ddd -$ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd -$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd -$ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd -$ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd -$ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd -$ getfacl -qn ddd -> user:41:-w-----A------:f--n---:allow -> group:41:r-----a-------:-din---:allow -> user:42:-----------Co-:f-i----:allow -> user:42:r-x-----------:f-i----:allow -> group:42:-w--D---------:-d-n---:deny -> group:43:-w---------C--:f-in---:deny -> user:43:rwxp----------:-------:allow -> owner@:--------------:-------:deny -> owner@:rwxp---A-W-Co-:-------:allow -> group@:-w-p----------:-------:deny -> group@:r-x-----------:-------:allow -> everyone@:-w-p---A-W-Co-:-------:deny -> everyone@:r-x---a-R-c--s:-------:allow - -$ cd ddd -$ touch xxx -$ getfacl -qn xxx -> user:41:-w------------:-------:deny -> user:41:-w-----A------:-------:allow -> user:42:--------------:-------:deny -> user:42:--------------:-------:allow -> user:42:--x-----------:-------:deny -> user:42:r-x-----------:-------:allow -> group:43:-w---------C--:-------:deny -> owner@:--x-----------:-------:deny -> owner@:rw-p---A-W-Co-:-------:allow -> group@:-wxp----------:-------:deny -> group@:r-------------:-------:allow -> everyone@:-wxp---A-W-Co-:-------:deny -> everyone@:r-----a-R-c--s:-------:allow - -$ rm xxx -$ umask 077 -$ touch xxx -$ getfacl -qn xxx -> user:41:-w------------:-------:deny -> user:41:-w-----A------:-------:allow -> user:42:--------------:-------:deny -> user:42:--------------:-------:allow -> user:42:r-x-----------:-------:deny -> user:42:r-x-----------:-------:allow -> group:43:-w---------C--:-------:deny -> owner@:--x-----------:-------:deny -> owner@:rw-p---A-W-Co-:-------:allow -> group@:rwxp----------:-------:deny -> group@:--------------:-------:allow -> everyone@:rwxp---A-W-Co-:-------:deny -> 
everyone@:------a-R-c--s:-------:allow - -$ rm xxx -$ umask 770 -$ touch xxx -$ getfacl -qn xxx -> user:41:-w------------:-------:deny -> user:41:-w-----A------:-------:allow -> user:42:--------------:-------:deny -> user:42:--------------:-------:allow -> user:42:r-x-----------:-------:deny -> user:42:r-x-----------:-------:allow -> group:43:-w---------C--:-------:deny -> owner@:rwxp----------:-------:deny -> owner@:-------A-W-Co-:-------:allow -> group@:rwxp----------:-------:deny -> group@:--------------:-------:allow -> everyone@:--x----A-W-Co-:-------:deny -> everyone@:rw-p--a-R-c--s:-------:allow - -$ rm xxx -$ umask 707 -$ touch xxx -$ getfacl -qn xxx -> user:41:--------------:-------:deny -> user:41:-w-----A------:-------:allow -> user:42:--------------:-------:deny -> user:42:--------------:-------:allow -> user:42:--x-----------:-------:deny -> user:42:r-x-----------:-------:allow -> group:43:-w---------C--:-------:deny -> owner@:rwxp----------:-------:deny -> owner@:-------A-W-Co-:-------:allow -> group@:--x-----------:-------:deny -> group@:rw-p----------:-------:allow -> everyone@:rwxp---A-W-Co-:-------:deny -> everyone@:------a-R-c--s:-------:allow - -$ umask 077 -$ mkdir yyy -$ getfacl -qn yyy -> group:41:r-------------:-------:deny -> group:41:r-----a-------:-------:allow -> user:42:-----------Co-:f-i----:allow -> user:42:r-x-----------:f-i----:allow -> group:42:-w--D---------:-------:deny -> owner@:--------------:-------:deny -> owner@:rwxp---A-W-Co-:-------:allow -> group@:rwxp----------:-------:deny -> group@:--------------:-------:allow -> everyone@:rwxp---A-W-Co-:-------:deny -> everyone@:------a-R-c--s:-------:allow - -$ rmdir yyy -$ umask 770 -$ mkdir yyy -$ getfacl -qn yyy -> group:41:r-------------:-------:deny -> group:41:r-----a-------:-------:allow -> user:42:-----------Co-:f-i----:allow -> user:42:r-x-----------:f-i----:allow -> group:42:-w--D---------:-------:deny -> owner@:rwxp----------:-------:deny -> 
owner@:-------A-W-Co-:-------:allow -> group@:rwxp----------:-------:deny -> group@:--------------:-------:allow -> everyone@:-------A-W-Co-:-------:deny -> everyone@:rwxp--a-R-c--s:-------:allow - -$ rmdir yyy -$ umask 707 -$ mkdir yyy -$ getfacl -qn yyy -> group:41:--------------:-------:deny -> group:41:------a-------:-------:allow -> user:42:-----------Co-:f-i----:allow -> user:42:r-x-----------:f-i----:allow -> group:42:-w--D---------:-------:deny -> owner@:rwxp----------:-------:deny -> owner@:-------A-W-Co-:-------:allow -> group@:--------------:-------:deny -> group@:rwxp----------:-------:allow -> everyone@:rwxp---A-W-Co-:-------:deny -> everyone@:------a-R-c--s:-------:allow - -# There is some complication regarding how write_acl and write_owner flags -# get inherited. Make sure we got it right. -$ setfacl -b . -$ setfacl -a0 u:42:Co:f:allow . -$ setfacl -a0 u:43:Co:d:allow . -$ setfacl -a0 u:44:Co:fd:allow . -$ setfacl -a0 u:45:Co:fi:allow . -$ setfacl -a0 u:46:Co:di:allow . -$ setfacl -a0 u:47:Co:fdi:allow . -$ setfacl -a0 u:48:Co:fn:allow . -$ setfacl -a0 u:49:Co:dn:allow . -$ setfacl -a0 u:50:Co:fdn:allow . -$ setfacl -a0 u:51:Co:fni:allow . -$ setfacl -a0 u:52:Co:dni:allow . -$ setfacl -a0 u:53:Co:fdni:allow . 
-$ umask 022 -$ rm xxx -$ touch xxx -$ getfacl -nq xxx -> user:53:--------------:-------:deny -> user:53:--------------:-------:allow -> user:51:--------------:-------:deny -> user:51:--------------:-------:allow -> user:50:--------------:-------:deny -> user:50:--------------:-------:allow -> user:48:--------------:-------:deny -> user:48:--------------:-------:allow -> user:47:--------------:-------:deny -> user:47:--------------:-------:allow -> user:45:--------------:-------:deny -> user:45:--------------:-------:allow -> user:44:--------------:-------:deny -> user:44:--------------:-------:allow -> user:42:--------------:-------:deny -> user:42:--------------:-------:allow -> owner@:--x-----------:-------:deny -> owner@:rw-p---A-W-Co-:-------:allow -> group@:-wxp----------:-------:deny -> group@:r-------------:-------:allow -> everyone@:-wxp---A-W-Co-:-------:deny -> everyone@:r-----a-R-c--s:-------:allow - -$ rmdir yyy -$ mkdir yyy -$ getfacl -nq yyy -> user:53:--------------:-------:deny -> user:53:--------------:-------:allow -> user:52:--------------:-------:deny -> user:52:--------------:-------:allow -> user:50:--------------:-------:deny -> user:50:--------------:-------:allow -> user:49:--------------:-------:deny -> user:49:--------------:-------:allow -> user:47:-----------Co-:fdi----:allow -> user:47:--------------:-------:deny -> user:47:--------------:-------:allow -> user:46:-----------Co-:-di----:allow -> user:46:--------------:-------:deny -> user:46:--------------:-------:allow -> user:45:-----------Co-:f-i----:allow -> user:44:-----------Co-:fdi----:allow -> user:44:--------------:-------:deny -> user:44:--------------:-------:allow -> user:43:-----------Co-:-di----:allow -> user:43:--------------:-------:deny -> user:43:--------------:-------:allow -> user:42:-----------Co-:f-i----:allow -> owner@:--------------:-------:deny -> owner@:rwxp---A-W-Co-:-------:allow -> group@:-w-p----------:-------:deny -> group@:r-x-----------:-------:allow -> 
everyone@:-w-p---A-W-Co-:-------:deny -> everyone@:r-x---a-R-c--s:-------:allow - -$ setfacl -b . -$ setfacl -a0 u:42:Co:f:deny . -$ setfacl -a0 u:43:Co:d:deny . -$ setfacl -a0 u:44:Co:fd:deny . -$ setfacl -a0 u:45:Co:fi:deny . -$ setfacl -a0 u:46:Co:di:deny . -$ setfacl -a0 u:47:Co:fdi:deny . -$ setfacl -a0 u:48:Co:fn:deny . -$ setfacl -a0 u:49:Co:dn:deny . -$ setfacl -a0 u:50:Co:fdn:deny . -$ setfacl -a0 u:51:Co:fni:deny . -$ setfacl -a0 u:52:Co:dni:deny . -$ setfacl -a0 u:53:Co:fdni:deny . -$ umask 022 -$ rm xxx -$ touch xxx -$ getfacl -nq xxx -> user:53:-----------Co-:-------:deny -> user:51:-----------Co-:-------:deny -> user:50:-----------Co-:-------:deny -> user:48:-----------Co-:-------:deny -> user:47:-----------Co-:-------:deny -> user:45:-----------Co-:-------:deny -> user:44:-----------Co-:-------:deny -> user:42:-----------Co-:-------:deny -> owner@:--x-----------:-------:deny -> owner@:rw-p---A-W-Co-:-------:allow -> group@:-wxp----------:-------:deny -> group@:r-------------:-------:allow -> everyone@:-wxp---A-W-Co-:-------:deny -> everyone@:r-----a-R-c--s:-------:allow - -$ rmdir yyy -$ mkdir yyy -$ getfacl -nq yyy -> user:53:-----------Co-:-------:deny -> user:52:-----------Co-:-------:deny -> user:50:-----------Co-:-------:deny -> user:49:-----------Co-:-------:deny -> user:47:-----------Co-:fdi----:deny -> user:47:-----------Co-:-------:deny -> user:46:-----------Co-:-di----:deny -> user:46:-----------Co-:-------:deny -> user:45:-----------Co-:f-i----:deny -> user:44:-----------Co-:fdi----:deny -> user:44:-----------Co-:-------:deny -> user:43:-----------Co-:-di----:deny -> user:43:-----------Co-:-------:deny -> user:42:-----------Co-:f-i----:deny -> owner@:--------------:-------:deny -> owner@:rwxp---A-W-Co-:-------:allow -> group@:-w-p----------:-------:deny -> group@:r-x-----------:-------:allow -> everyone@:-w-p---A-W-Co-:-------:deny -> everyone@:r-x---a-R-c--s:-------:allow - -$ rmdir yyy -$ rm xxx -$ cd .. 
-$ rmdir ddd
-
-$ rm xxx
-
Index: head/tools/regression/acltools/tools-posix.test
===================================================================
--- head/tools/regression/acltools/tools-posix.test
+++ head/tools/regression/acltools/tools-posix.test
@@ -1,453 +0,0 @@
-# Copyright (c) 2008, 2009 Edward Tomasz Napierała
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-#
-
-# This is a tools-level test for POSIX.1e ACL functionality. Run it as root
-# using ACL-enabled kernel:
-#
-# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-posix.test
-#
-# WARNING: Creates files in unsafe way.
-
-$ whoami
-> root
-$ umask 022
-
-# Smoke test for getfacl(1).
-$ touch xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> user::rw-
-> group::r--
-> other::r--
-
-$ getfacl -q xxx
-> user::rw-
-> group::r--
-> other::r--
-
-$ setfacl -m u:42:r,g:43:w xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> user::rw-
-> user:42:r--
-> group::r--
-> group:43:-w-
-> mask::rw-
-> other::r--
-
-# Check whether ls correctly marks files with "+".
-$ ls -l xxx | cut -d' ' -f1
-> -rw-rw-r--+
-
-# Same as above, but for symlinks.
-$ ln -s xxx lll
-$ getfacl -h lll
-> # file: lll
-> # owner: root
-> # group: wheel
-> user::rwx
-> group::r-x
-> other::r-x
-
-$ getfacl -qh lll
-> user::rwx
-> group::r-x
-> other::r-x
-
-$ getfacl -q lll
-> user::rw-
-> user:42:r--
-> group::r--
-> group:43:-w-
-> mask::rw-
-> other::r--
-
-$ setfacl -hm u:44:x,g:45:w lll
-$ getfacl -h lll
-> # file: lll
-> # owner: root
-> # group: wheel
-> user::rwx
-> user:44:--x
-> group::r-x
-> group:45:-w-
-> mask::rwx
-> other::r-x
-
-$ ls -l lll | cut -d' ' -f1
-> lrwxrwxr-x+
-
-# Check whether the original file is left untouched.
-$ ls -l xxx | cut -d' ' -f1
-> -rw-rw-r--+
-
-$ rm lll
-
-# Test removing entries.
-$ setfacl -x user:42: xxx
-$ getfacl xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> user::rw-
-> group::r--
-> group:43:-w-
-> mask::rw-
-> other::r--
-
-$ setfacl -m u:42:r xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> user::rw-
-> user:42:r--
-> group::r--
-> group:43:-w-
-> mask::rw-
-> other::r--
-
-# Test removing entries by number.
-$ setfacl -x 1 xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> user::rw-
-> group::r--
-> group:43:-w-
-> mask::rw-
-> other::r--
-
-$ setfacl -m g:43:r xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> user::rw-
-> group::r--
-> group:43:r--
-> mask::r--
-> other::r--
-
-# Make sure cp without any flags does not copy the ACL.
-$ cp xxx yyy
-$ ls -l yyy | cut -d' ' -f1
-> -rw-r--r--
-
-# Make sure it does with the "-p" flag.
-$ rm yyy
-$ cp -p xxx yyy
-$ getfacl -n yyy
-> # file: yyy
-> # owner: root
-> # group: wheel
-> user::rw-
-> group::r--
-> group:43:r--
-> mask::r--
-> other::r--
-
-$ rm yyy
-
-# Test removing entries by... by example?
-$ setfacl -m u:42:r,g:43:w xxx
-$ setfacl -x u:42: xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> user::rw-
-> group::r--
-> group:43:-w-
-> mask::rw-
-> other::r--
-
-# Test setfacl -b.
-$ setfacl -b xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> user::rw-
-> group::r--
-> mask::r--
-> other::r--
-
-$ ls -l xxx | cut -d' ' -f1
-> -rw-r--r--+
-
-$ setfacl -nb xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> user::rw-
-> group::r--
-> other::r--
-
-$ ls -l xxx | cut -d' ' -f1
-> -rw-r--r--
-
-# Check setfacl(1) and getfacl(1) with multiple files.
-$ touch xxx yyy zzz
-
-$ ls -l xxx yyy zzz | cut -d' ' -f1
-> -rw-r--r--
-> -rw-r--r--
-> -rw-r--r--
-
-$ setfacl -m u:42:x,g:43:w nnn xxx yyy zzz
-> setfacl: nnn: stat() failed: No such file or directory
-
-$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
-> ls: nnn: No such file or directory
-> -rw-rwxr--+
-> -rw-rwxr--+
-> -rw-rwxr--+
-
-$ getfacl -nq nnn xxx yyy zzz
-> getfacl: nnn: stat() failed: No such file or directory
-> user::rw-
-> user:42:--x
-> group::r--
-> group:43:-w-
-> mask::rwx
-> other::r--
->
-> user::rw-
-> user:42:--x
-> group::r--
-> group:43:-w-
-> mask::rwx
-> other::r--
->
-> user::rw-
-> user:42:--x
-> group::r--
-> group:43:-w-
-> mask::rwx
-> other::r--
-
-$ setfacl -b nnn xxx yyy zzz
-> setfacl: nnn: stat() failed: No such file or directory
-
-$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
-> ls: nnn: No such file or directory
-> -rw-r--r--+
-> -rw-r--r--+
-> -rw-r--r--+
-
-$ setfacl -bn nnn xxx yyy zzz
-> setfacl: nnn: stat() failed: No such file or directory
-
-$ ls -l nnn xxx yyy zzz | cut -d' ' -f1
-> ls: nnn: No such file or directory
-> -rw-r--r--
-> -rw-r--r--
-> -rw-r--r--
-
-$ rm xxx yyy zzz
-
-# Check whether chmod actually does what it should do.
-$ touch xxx
-$ setfacl -m u:42:rwx,g:43:rwx xxx
-$ chmod 600 xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> user::rw-
-> user:42:rwx # effective: ---
-> group::r-- # effective: ---
-> group:43:rwx # effective: ---
-> mask::---
-> other::---
-
-$ chmod 060 xxx
-$ getfacl -n xxx
-> # file: xxx
-> # owner: root
-> # group: wheel
-> user::---
-> user:42:rwx # effective: rw-
-> group::r--
-> group:43:rwx # effective: rw-
-> mask::rw-
-> other::---
-
-# Test default ACLs.
-$ umask 022
-$ mkdir ddd
-$ getfacl -qn ddd
-> user::rwx
-> group::r-x
-> other::r-x
-
-$ ls -l | grep ddd | cut -d' ' -f1
-> drwxr-xr-x
-
-$ getfacl -dq ddd
-$ setfacl -dm u::rwx,g::rx,o::rx,mask::rwx ddd
-$ getfacl -dqn ddd
-> user::rwx
-> group::r-x
-> mask::rwx
-> other::r-x
-
-# No change - ls(1) output doesn't take into account default ACLs.
-$ ls -l | grep ddd | cut -d' ' -f1
-> drwxr-xr-x
-
-$ setfacl -dm g:42:rwx,u:42:r ddd
-$ setfacl -dm g::w ddd
-$ getfacl -dqn ddd
-> user::rwx
-> user:42:r--
-> group::-w-
-> group:42:rwx
-> mask::rwx
-> other::r-x
-
-$ setfacl -dx group:42: ddd
-$ getfacl -dqn ddd
-> user::rwx
-> user:42:r--
-> group::-w-
-> mask::rw-
-> other::r-x
-
-$ ls -l | grep ddd | cut -d' ' -f1
-> drwxr-xr-x
-
-$ rmdir ddd
-$ rm xxx
-
-# Test inheritance.
-$ mkdir ddd
-
-$ touch ddd/xxx
-$ getfacl -q ddd/xxx
-> user::rw-
-> group::r--
-> other::r--
-
-$ mkdir ddd/ddd
-$ getfacl -q ddd/ddd
-> user::rwx
-> group::r-x
-> other::r-x
-
-$ rmdir ddd/ddd
-$ rm ddd/xxx
-
-$ setfacl -dm u::rwx,g::rx,o::rx,mask::rwx ddd
-$ setfacl -dm g:42:rwx,u:43:r ddd
-$ getfacl -dq ddd
-> user::rwx
-> user:43:r--
-> group::r-x
-> group:42:rwx
-> mask::rwx
-> other::r-x
-
-$ touch ddd/xxx
-$ getfacl -q ddd/xxx
-> user::rw-
-> user:43:r--
-> group::r-x # effective: r--
-> group:42:rwx # effective: r--
-> mask::r--
-> other::r--
-
-$ mkdir ddd/ddd
-$ getfacl -q ddd/ddd
-> user::rwx
-> user:43:r--
-> group::r-x
-> group:42:rwx # effective: r-x
-> mask::r-x
-> other::r-x
-
-$ rmdir ddd/ddd
-$ rm ddd/xxx
-$ rmdir ddd
-
-# Test if we deal properly with fifos.
-$ mkfifo fff
-$ ls -l fff | cut -d' ' -f1
-> prw-r--r--
-
-$ setfacl -m u:42:r,g:43:w fff
-$ getfacl fff
-> # file: fff
-> # owner: root
-> # group: wheel
-> user::rw-
-> user:42:r--
-> group::r--
-> group:43:-w-
-> mask::rw-
-> other::r--
-
-$ ls -l fff | cut -d' ' -f1
-> prw-rw-r--+
-
-$ setfacl -bn fff
-$ getfacl fff
-> # file: fff
-> # owner: root
-> # group: wheel
-> user::rw-
-> group::r--
-> other::r--
-
-$ ls -l fff | cut -d' ' -f1
-> prw-r--r--
-
-$ rm fff
-
-# Test if we deal properly with device files.
-$ mknod bbb b 1 1
-$ setfacl -m u:42:r,g:43:w bbb
-> setfacl: bbb: acl_get_file() failed: Operation not supported
-$ ls -l bbb | cut -d' ' -f1
-> brw-r--r--
-
-$ rm bbb
-
-$ mknod ccc c 1 1
-$ setfacl -m u:42:r,g:43:w ccc
-> setfacl: ccc: acl_get_file() failed: Operation not supported
-$ ls -l ccc | cut -d' ' -f1
-> crw-r--r--
-
-$ rm ccc