Index: stable/12/bin/setfacl/setfacl.c
===================================================================
--- stable/12/bin/setfacl/setfacl.c (revision 340522)
+++ stable/12/bin/setfacl/setfacl.c (revision 340523)
@@ -1,504 +1,504 @@ /*- * Copyright (c) 2001 Chris D. Faulhaber * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/ #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #include #include #include #include #include "setfacl.h" /* file operations */ #define OP_MERGE_ACL 0x00 /* merge acl's (-mM) */ #define OP_REMOVE_DEF 0x01 /* remove default acl's (-k) */ #define OP_REMOVE_EXT 0x02 /* remove extended acl's (-b) */ #define OP_REMOVE_ACL 0x03 /* remove acl's (-xX) */ #define OP_REMOVE_BY_NUMBER 0x04 /* remove acl's (-xX) by acl entry number */ #define OP_ADD_ACL 0x05 /* add acls entries at a given position */ /* TAILQ entry for acl operations */ struct sf_entry { uint op; acl_t acl; uint entry_number; TAILQ_ENTRY(sf_entry) next; }; static TAILQ_HEAD(, sf_entry) entrylist; bool have_mask; bool have_stdin; bool n_flag; static bool h_flag; static bool H_flag; static bool L_flag; static bool R_flag; static bool need_mask; static acl_type_t acl_type = ACL_TYPE_ACCESS; static int handle_file(FTS *ftsp, FTSENT *file); static acl_t clear_inheritance_flags(acl_t acl); static char **stdin_files(void); static void usage(void); static void usage(void) { fprintf(stderr, "usage: setfacl [-R [-H | -L | -P]] [-bdhkn] " "[-a position entries] [-m entries] [-M file] " "[-x entries] [-X file] [file ...]\n"); exit(1); } static char ** stdin_files(void) { char **files_list; char filename[PATH_MAX]; size_t fl_count, i; if (have_stdin) err(1, "cannot have more than one stdin"); i = 0; have_stdin = true; bzero(&filename, sizeof(filename)); /* Start with an array size sufficient for basic cases. */ fl_count = 1024; files_list = zmalloc(fl_count * sizeof(char *)); while (fgets(filename, (int)sizeof(filename), stdin)) { /* remove the \n */ filename[strlen(filename) - 1] = '\0'; files_list[i] = strdup(filename); if (files_list[i] == NULL) err(1, "strdup() failed"); /* Grow array if necessary. 
*/ if (++i == fl_count) { fl_count <<= 1; if (fl_count > SIZE_MAX / sizeof(char *)) errx(1, "Too many input files"); files_list = zrealloc(files_list, fl_count * sizeof(char *)); } } /* fts_open() requires the last array element to be NULL. */ files_list[i] = NULL; return (files_list); } /* * Remove any inheritance flags from NFSv4 ACLs when running in recursive * mode. This is to avoid files being assigned identical ACLs to their * parent directory while also being set to inherit them. * * The acl argument is assumed to be valid. */ static acl_t clear_inheritance_flags(acl_t acl) { acl_t nacl; acl_entry_t acl_entry; acl_flagset_t acl_flagset; int acl_brand, entry_id; (void)acl_get_brand_np(acl, &acl_brand); if (acl_brand != ACL_BRAND_NFS4) return (acl); nacl = acl_dup(acl); if (nacl == NULL) { warn("acl_dup() failed"); return (acl); } entry_id = ACL_FIRST_ENTRY; while (acl_get_entry(nacl, entry_id, &acl_entry) == 1) { entry_id = ACL_NEXT_ENTRY; if (acl_get_flagset_np(acl_entry, &acl_flagset) != 0) { warn("acl_get_flagset_np() failed"); continue; } if (acl_get_flag_np(acl_flagset, ACL_ENTRY_INHERIT_ONLY) == 1) { if (acl_delete_entry(nacl, acl_entry) != 0) warn("acl_delete_entry() failed"); continue; } if (acl_delete_flag_np(acl_flagset, ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT | ACL_ENTRY_NO_PROPAGATE_INHERIT) != 0) warn("acl_delete_flag_np() failed"); } return (nacl); } static int handle_file(FTS *ftsp, FTSENT *file) { acl_t acl, nacl; acl_entry_t unused_entry; int local_error, ret; struct sf_entry *entry; bool follow_symlink; local_error = 0; switch (file->fts_info) { case FTS_D: /* Do not recurse if -R not specified. */ if (!R_flag) fts_set(ftsp, file, FTS_SKIP); break; case FTS_DP: /* Skip the second visit to a directory. 
*/ return (0); case FTS_DNR: case FTS_ERR: warnx("%s: %s", file->fts_path, strerror(file->fts_errno)); return (0); default: break; } if (acl_type == ACL_TYPE_DEFAULT && file->fts_info != FTS_D) { warnx("%s: default ACL may only be set on a directory", file->fts_path); return (1); } follow_symlink = (!R_flag && !h_flag) || (R_flag && L_flag) || (R_flag && H_flag && file->fts_level == FTS_ROOTLEVEL); if (follow_symlink) ret = pathconf(file->fts_accpath, _PC_ACL_NFS4); else ret = lpathconf(file->fts_accpath, _PC_ACL_NFS4); if (ret > 0) { if (acl_type == ACL_TYPE_DEFAULT) { warnx("%s: there are no default entries in NFSv4 ACLs", file->fts_path); return (1); } acl_type = ACL_TYPE_NFS4; } else if (ret == 0) { if (acl_type == ACL_TYPE_NFS4) acl_type = ACL_TYPE_ACCESS; - } else if (ret < 0 && errno != EINVAL) { - warn("%s: pathconf(..., _PC_ACL_NFS4) failed", + } else if (ret < 0 && errno != EINVAL && errno != ENOENT) { + warn("%s: pathconf(_PC_ACL_NFS4) failed", file->fts_path); } if (follow_symlink) acl = acl_get_file(file->fts_accpath, acl_type); else acl = acl_get_link_np(file->fts_accpath, acl_type); if (acl == NULL) { if (follow_symlink) warn("%s: acl_get_file() failed", file->fts_path); else warn("%s: acl_get_link_np() failed", file->fts_path); return (1); } /* Cycle through each option. */ TAILQ_FOREACH(entry, &entrylist, next) { nacl = entry->acl; switch (entry->op) { case OP_ADD_ACL: if (R_flag && file->fts_info != FTS_D && acl_type == ACL_TYPE_NFS4) nacl = clear_inheritance_flags(nacl); local_error += add_acl(nacl, entry->entry_number, &acl, file->fts_path); break; case OP_MERGE_ACL: if (R_flag && file->fts_info != FTS_D && acl_type == ACL_TYPE_NFS4) nacl = clear_inheritance_flags(nacl); local_error += merge_acl(nacl, &acl, file->fts_path); need_mask = true; break; case OP_REMOVE_EXT: /* * Don't try to call remove_ext() for empty * default ACL. 
*/ if (acl_type == ACL_TYPE_DEFAULT && acl_get_entry(acl, ACL_FIRST_ENTRY, &unused_entry) == 0) { local_error += remove_default(&acl, file->fts_path); break; } remove_ext(&acl, file->fts_path); need_mask = false; break; case OP_REMOVE_DEF: if (acl_type == ACL_TYPE_NFS4) { warnx("%s: there are no default entries in " "NFSv4 ACLs; cannot remove", file->fts_path); local_error++; break; } if (acl_delete_def_file(file->fts_accpath) == -1) { warn("%s: acl_delete_def_file() failed", file->fts_path); local_error++; } if (acl_type == ACL_TYPE_DEFAULT) local_error += remove_default(&acl, file->fts_path); need_mask = false; break; case OP_REMOVE_ACL: local_error += remove_acl(nacl, &acl, file->fts_path); need_mask = true; break; case OP_REMOVE_BY_NUMBER: local_error += remove_by_number(entry->entry_number, &acl, file->fts_path); need_mask = true; break; } if (nacl != entry->acl) { acl_free(nacl); nacl = NULL; } if (local_error) break; } /* * Don't try to set an empty default ACL; it will always fail. * Use acl_delete_def_file(3) instead. */ if (acl_type == ACL_TYPE_DEFAULT && acl_get_entry(acl, ACL_FIRST_ENTRY, &unused_entry) == 0) { if (acl_delete_def_file(file->fts_accpath) == -1) { warn("%s: acl_delete_def_file() failed", file->fts_path); return (1); } return (0); } /* Don't bother setting the ACL if something is broken. 
*/ if (local_error) { return (1); } if (acl_type != ACL_TYPE_NFS4 && need_mask && set_acl_mask(&acl, file->fts_path) == -1) { warnx("%s: failed to set ACL mask", file->fts_path); return (1); } else if (follow_symlink) { if (acl_set_file(file->fts_accpath, acl_type, acl) == -1) { warn("%s: acl_set_file() failed", file->fts_path); return (1); } } else { if (acl_set_link_np(file->fts_accpath, acl_type, acl) == -1) { warn("%s: acl_set_link_np() failed", file->fts_path); return (1); } } acl_free(acl); return (0); } int main(int argc, char *argv[]) { int carried_error, ch, entry_number, fts_options; FTS *ftsp; FTSENT *file; char **files_list; struct sf_entry *entry; char *end; acl_type = ACL_TYPE_ACCESS; carried_error = fts_options = 0; have_mask = have_stdin = n_flag = false; TAILQ_INIT(&entrylist); while ((ch = getopt(argc, argv, "HLM:PRX:a:bdhkm:nx:")) != -1) switch(ch) { case 'H': H_flag = true; L_flag = false; break; case 'L': L_flag = true; H_flag = false; break; case 'M': entry = zmalloc(sizeof(struct sf_entry)); entry->acl = get_acl_from_file(optarg); if (entry->acl == NULL) err(1, "%s: get_acl_from_file() failed", optarg); entry->op = OP_MERGE_ACL; TAILQ_INSERT_TAIL(&entrylist, entry, next); break; case 'P': H_flag = L_flag = false; break; case 'R': R_flag = true; break; case 'X': entry = zmalloc(sizeof(struct sf_entry)); entry->acl = get_acl_from_file(optarg); entry->op = OP_REMOVE_ACL; TAILQ_INSERT_TAIL(&entrylist, entry, next); break; case 'a': entry = zmalloc(sizeof(struct sf_entry)); entry_number = strtol(optarg, &end, 10); if (end - optarg != (int)strlen(optarg)) errx(1, "%s: invalid entry number", optarg); if (entry_number < 0) errx(1, "%s: entry number cannot be less than zero", optarg); entry->entry_number = entry_number; if (argv[optind] == NULL) errx(1, "missing ACL"); entry->acl = acl_from_text(argv[optind]); if (entry->acl == NULL) err(1, "%s", argv[optind]); optind++; entry->op = OP_ADD_ACL; TAILQ_INSERT_TAIL(&entrylist, entry, next); break; case 
'b': entry = zmalloc(sizeof(struct sf_entry)); entry->op = OP_REMOVE_EXT; TAILQ_INSERT_TAIL(&entrylist, entry, next); break; case 'd': acl_type = ACL_TYPE_DEFAULT; break; case 'h': h_flag = 1; break; case 'k': entry = zmalloc(sizeof(struct sf_entry)); entry->op = OP_REMOVE_DEF; TAILQ_INSERT_TAIL(&entrylist, entry, next); break; case 'm': entry = zmalloc(sizeof(struct sf_entry)); entry->acl = acl_from_text(optarg); if (entry->acl == NULL) err(1, "%s", optarg); entry->op = OP_MERGE_ACL; TAILQ_INSERT_TAIL(&entrylist, entry, next); break; case 'n': n_flag = true; break; case 'x': entry = zmalloc(sizeof(struct sf_entry)); entry_number = strtol(optarg, &end, 10); if (end - optarg == (int)strlen(optarg)) { if (entry_number < 0) errx(1, "%s: entry number cannot be less than zero", optarg); entry->entry_number = entry_number; entry->op = OP_REMOVE_BY_NUMBER; } else { entry->acl = acl_from_text(optarg); if (entry->acl == NULL) err(1, "%s", optarg); entry->op = OP_REMOVE_ACL; } TAILQ_INSERT_TAIL(&entrylist, entry, next); break; default: usage(); break; } argc -= optind; argv += optind; if (!n_flag && TAILQ_EMPTY(&entrylist)) usage(); /* Take list of files from stdin. */ if (argc == 0 || strcmp(argv[0], "-") == 0) { files_list = stdin_files(); } else files_list = argv; if (R_flag) { if (h_flag) errx(1, "the -R and -h options may not be " "specified together."); if (L_flag) { fts_options = FTS_LOGICAL; } else { fts_options = FTS_PHYSICAL; if (H_flag) { fts_options |= FTS_COMFOLLOW; } } } else if (h_flag) { fts_options = FTS_PHYSICAL; } else { fts_options = FTS_LOGICAL; } /* Open all files. 
*/ if ((ftsp = fts_open(files_list, fts_options | FTS_NOSTAT, 0)) == NULL) err(1, "fts_open"); while ((file = fts_read(ftsp)) != NULL) carried_error += handle_file(ftsp, file); return (carried_error); } Index: stable/12/tests/sys/acl/Makefile =================================================================== --- stable/12/tests/sys/acl/Makefile (revision 340522) +++ stable/12/tests/sys/acl/Makefile (revision 340523) @@ -1,39 +1,37 @@ # $FreeBSD$ PACKAGE= tests TESTSDIR= ${TESTSBASE}/sys/acl BINDIR= ${TESTSDIR} ${PACKAGE}FILES+= tools-crossfs.test ${PACKAGE}FILES+= tools-nfs4.test ${PACKAGE}FILES+= tools-nfs4-psarc.test ${PACKAGE}FILES+= tools-nfs4-trivial.test ${PACKAGE}FILES+= tools-posix.test SCRIPTS+= run -# Disable 00 and 02 until they've been updated for setfacl's new behavior -# PR 229930 tests/sys/acl/00:main fails in CI due to unexpected error message -# TAP_TESTS_SH+= 00 -# TAP_TESTS_SH+= 02 +TAP_TESTS_SH+= 00 TAP_TESTS_SH+= 01 +TAP_TESTS_SH+= 02 TAP_TESTS_SH+= 03 TAP_TESTS_SH+= 04 .for t in ${TAP_TESTS_SH} TEST_METADATA.$t+= required_user="root" .endfor _ACL_PROGS= getfacl setfacl .for t in 01 03 04 TEST_METADATA.$t+= required_programs="perl zpool ${_ACL_PROGS}" .endfor # .for t in 00 02 # TEST_METADATA.$t+= required_programs="perl ${_ACL_PROGS}" # .endfor .include Index: stable/12/tests/sys/acl/tools-nfs4-psarc.test =================================================================== --- stable/12/tests/sys/acl/tools-nfs4-psarc.test (revision 340522) +++ stable/12/tests/sys/acl/tools-nfs4-psarc.test (revision 340523) 
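Review bot: In handle_file(), the widened filter `errno != EINVAL && errno != ENOENT` reads errno without it being cleared before pathconf()/lpathconf(), so if either call ever returns -1 without setting errno the branch acts on a value left by an earlier call (for example a failed acl_get_file() on the previous file); adding `errno = 0;` just before `if (follow_symlink)` makes the test self-contained. Because ENOENT is now silent here, a short comment such as `/* ENOENT is reported by acl_get_file()/acl_get_link_np() below */` would record that the later call is what surfaces the error. Separately, in the unchanged stdin_files() context, `filename[strlen(filename) - 1] = '\0';` writes one byte before the buffer when fgets() returns an empty string (an input line beginning with a NUL byte) and drops the last character of a final line that has no newline; `filename[strcspn(filename, "\n")] = '\0';` handles both cases.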
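Review bot: Tests 00 and 02 are re-enabled via `TAP_TESTS_SH+= 00` and `TAP_TESTS_SH+= 02`, but the `.for t in 00 02` block that would set `required_programs="perl ${_ACL_PROGS}"` for them stays commented out further down in the same hunk. As written, the two tests only receive `required_user="root"`, so on a system without perl, getfacl or setfacl they would presumably run and fail rather than be skipped. Uncommenting that block (`.for t in 00 02`, `TEST_METADATA.$t+= required_programs="perl ${_ACL_PROGS}"`, `.endfor`) keeps their metadata in line with 01, 03 and 04.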
@@ -1,562 +1,562 @@ # Copyright (c) 2008, 2009 Edward Tomasz Napierała # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # # This is a tools-level test for NFSv4 ACL functionality with PSARC/2010/029 # semantics. Run it as root using ACL-enabled kernel: # # /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4-psarc.test # # WARNING: Creates files in unsafe way. $ whoami > root $ umask 022 # Smoke test for getfacl(1). 
$ touch xxx $ getfacl xxx > # file: xxx > # owner: root > # group: wheel > owner@:rw-p--aARWcCos:-------:allow > group@:r-----a-R-c--s:-------:allow > everyone@:r-----a-R-c--s:-------:allow $ getfacl -q xxx > owner@:rw-p--aARWcCos:-------:allow > group@:r-----a-R-c--s:-------:allow > everyone@:r-----a-R-c--s:-------:allow # Check verbose mode formatting. $ getfacl -v xxx > # file: xxx > # owner: root > # group: wheel > owner@:read_data/write_data/append_data/read_attributes/write_attributes/read_xattr/write_xattr/read_acl/write_acl/write_owner/synchronize::allow > group@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow > everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow # Test setfacl -a. $ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > owner@:rw-p--aARWcCos:-------:allow > group@:r-----a-R-c--s:-------:allow > user:0:-----------C--:-------:allow > group:1:----------c---:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Test user and group name resolving. $ rm xxx $ touch xxx $ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx $ getfacl xxx > # file: xxx > # owner: root > # group: wheel > owner@:rw-p--aARWcCos:-------:allow > group@:r-----a-R-c--s:-------:allow > user:root:-----------C--:-------:allow > group:daemon:----------c---:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Check whether ls correctly marks files with "+". $ ls -l xxx | cut -d' ' -f1 > -rw-r--r--+ # Test removing entries by number. $ setfacl -x 1 xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > owner@:rw-p--aARWcCos:-------:allow > user:0:-----------C--:-------:allow > group:1:----------c---:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Test setfacl -m. 
$ setfacl -a0 everyone@:rwx:deny xxx $ setfacl -a0 everyone@:rwx:deny xxx $ setfacl -a0 everyone@:rwx:deny xxx $ setfacl -m everyone@::deny xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > owner@:rw-p--aARWcCos:-------:allow > user:0:-----------C--:-------:allow > group:1:----------c---:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Test getfacl -i. $ getfacl -i xxx > # file: xxx > # owner: root > # group: wheel > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > owner@:rw-p--aARWcCos:-------:allow > user:root:-----------C--:-------:allow:0 > group:daemon:----------c---:-------:deny:1 > everyone@:r-----a-R-c--s:-------:allow # Make sure cp without any flags does not copy copy the ACL. $ cp xxx yyy $ ls -l yyy | cut -d' ' -f1 > -rw-r--r-- # Make sure it does with the "-p" flag. $ rm yyy $ cp -p xxx yyy $ getfacl -n yyy > # file: yyy > # owner: root > # group: wheel > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > owner@:rw-p--aARWcCos:-------:allow > user:0:-----------C--:-------:allow > group:1:----------c---:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ rm yyy # Test removing entries by... by example? $ setfacl -x everyone@::deny xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > owner@:rw-p--aARWcCos:-------:allow > user:0:-----------C--:-------:allow > group:1:----------c---:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Test setfacl -b. $ setfacl -b xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > owner@:rw-p--aARWcCos:-------:allow > group@:r-----a-R-c--s:-------:allow > everyone@:r-----a-R-c--s:-------:allow $ ls -l xxx | cut -d' ' -f1 > -rw-r--r-- # Check setfacl(1) and getfacl(1) with multiple files. 
$ touch xxx yyy zzz $ ls -l xxx yyy zzz | cut -d' ' -f1 > -rw-r--r-- > -rw-r--r-- > -rw-r--r-- $ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz -> setfacl: nnn: stat() failed: No such file or directory +> setfacl: nnn: acl_get_file() failed: No such file or directory $ ls -l nnn xxx yyy zzz | cut -d' ' -f1 > ls: nnn: No such file or directory > -rw-r--r--+ > -rw-r--r--+ > -rw-r--r--+ $ getfacl -nq nnn xxx yyy zzz > getfacl: nnn: stat() failed: No such file or directory > user:42:--x-----------:-------:allow > group:43:-w------------:-------:allow > owner@:rw-p--aARWcCos:-------:allow > group@:r-----a-R-c--s:-------:allow > everyone@:r-----a-R-c--s:-------:allow > > user:42:--x-----------:-------:allow > group:43:-w------------:-------:allow > owner@:rw-p--aARWcCos:-------:allow > group@:r-----a-R-c--s:-------:allow > everyone@:r-----a-R-c--s:-------:allow > > user:42:--x-----------:-------:allow > group:43:-w------------:-------:allow > owner@:rw-p--aARWcCos:-------:allow > group@:r-----a-R-c--s:-------:allow > everyone@:r-----a-R-c--s:-------:allow $ setfacl -b nnn xxx yyy zzz -> setfacl: nnn: stat() failed: No such file or directory +> setfacl: nnn: acl_get_file() failed: No such file or directory $ ls -l nnn xxx yyy zzz | cut -d' ' -f1 > ls: nnn: No such file or directory > -rw-r--r-- > -rw-r--r-- > -rw-r--r-- $ rm xxx yyy zzz # Test applying mode to an ACL. 
$ touch xxx $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx $ chmod 600 xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > owner@:rw-p--aARWcCos:-------:allow > group@:------a-R-c--s:-------:allow > everyone@:------a-R-c--s:-------:allow $ ls -l xxx | cut -d' ' -f1 > -rw------- $ rm xxx $ touch xxx $ chown 42 xxx $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx $ chmod 600 xxx $ getfacl -n xxx > # file: xxx > # owner: 42 > # group: wheel > owner@:rw-p--aARWcCos:-------:allow > group@:------a-R-c--s:-------:allow > everyone@:------a-R-c--s:-------:allow $ ls -l xxx | cut -d' ' -f1 > -rw------- $ rm xxx $ touch xxx $ chown 43 xxx $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx $ chmod 124 xxx $ getfacl -n xxx > # file: xxx > # owner: 43 > # group: wheel > owner@:rw-p----------:-------:deny > group@:r-------------:-------:deny > owner@:--x---aARWcCos:-------:allow > group@:-w-p--a-R-c--s:-------:allow > everyone@:r-----a-R-c--s:-------:allow $ ls -l xxx | cut -d' ' -f1 > ---x-w-r-- $ rm xxx $ touch xxx $ chown 43 xxx $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx $ chmod 412 xxx $ getfacl -n xxx > # file: xxx > # owner: 43 > # group: wheel > owner@:-wxp----------:-------:deny > group@:-w-p----------:-------:deny > owner@:r-----aARWcCos:-------:allow > group@:--x---a-R-c--s:-------:allow > everyone@:-w-p--a-R-c--s:-------:allow $ ls -l xxx | cut -d' ' -f1 > -r----x-w- $ mkdir ddd $ setfacl -a0 group:44:rwapd:allow ddd $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd $ getfacl -n ddd > # file: ddd > # owner: root > # group: wheel > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-d-----:allow > group:43:-w--D---------:-d-----:deny > 
group@:-----da-------:-------:allow > group:44:rw-p-da-------:-------:allow > owner@:rwxp--aARWcCos:-------:allow > group@:r-x---a-R-c--s:-------:allow > everyone@:-w-p--a-R-c--s:f-i----:allow $ chmod 777 ddd $ getfacl -n ddd > # file: ddd > # owner: root > # group: wheel > owner@:rwxp--aARWcCos:-------:allow > group@:rwxp--a-R-c--s:-------:allow > everyone@:rwxp--a-R-c--s:-------:allow # Test applying ACL to mode. $ rmdir ddd $ mkdir ddd $ setfacl -a0 u:42:rwx:fi:allow ddd $ ls -ld ddd | cut -d' ' -f1 > drwxr-xr-x+ $ rmdir ddd $ mkdir ddd $ chmod 0 ddd $ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd $ ls -ld ddd | cut -d' ' -f1 > dr----x---+ $ rmdir ddd $ mkdir ddd $ chmod 0 ddd $ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd $ ls -ld ddd | cut -d' ' -f1 > dr---wx---+ $ rmdir ddd $ mkdir ddd $ chmod 0 ddd $ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd $ ls -ld ddd | cut -d' ' -f1 > dr--------+ $ rmdir ddd $ mkdir ddd $ chmod 0 ddd $ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd $ ls -ld ddd | cut -d' ' -f1 > dr--------+ # Test inheritance. 
$ rmdir ddd $ mkdir ddd $ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd $ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd $ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd $ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd $ getfacl -qn ddd > user:41:-w-----A------:f--n---:allow > group:41:r-----a-------:-din---:allow > user:42:-----------Co-:f-i----:allow > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-d-n---:deny > group:43:-w---------C--:f-in---:deny > user:43:rwxp----------:-------:allow > owner@:rwxp--aARWcCos:-------:allow > group@:r-x---a-R-c--s:-------:allow > everyone@:r-x---a-R-c--s:-------:allow $ cd ddd $ touch xxx $ getfacl -qn xxx > user:41:--------------:------I:allow > user:42:--------------:------I:allow > user:42:r-------------:------I:allow > group:43:-w---------C--:------I:deny > owner@:rw-p--aARWcCos:-------:allow > group@:r-----a-R-c--s:-------:allow > everyone@:r-----a-R-c--s:-------:allow $ rm xxx $ umask 077 $ touch xxx $ getfacl -qn xxx > user:41:--------------:------I:allow > user:42:--------------:------I:allow > user:42:--------------:------I:allow > group:43:-w---------C--:------I:deny > owner@:rw-p--aARWcCos:-------:allow > group@:------a-R-c--s:-------:allow > everyone@:------a-R-c--s:-------:allow $ rm xxx $ umask 770 $ touch xxx $ getfacl -qn xxx > owner@:rw-p----------:-------:deny > group@:rw-p----------:-------:deny > user:41:--------------:------I:allow > user:42:--------------:------I:allow > user:42:--------------:------I:allow > group:43:-w---------C--:------I:deny > owner@:------aARWcCos:-------:allow > group@:------a-R-c--s:-------:allow > everyone@:rw-p--a-R-c--s:-------:allow $ rm xxx $ umask 707 $ touch xxx $ getfacl -qn xxx > owner@:rw-p----------:-------:deny > user:41:-w------------:------I:allow > user:42:--------------:------I:allow > 
user:42:r-------------:------I:allow > group:43:-w---------C--:------I:deny > owner@:------aARWcCos:-------:allow > group@:rw-p--a-R-c--s:-------:allow > everyone@:------a-R-c--s:-------:allow $ umask 077 $ mkdir yyy $ getfacl -qn yyy > group:41:------a-------:------I:allow > user:42:-----------Co-:f-i---I:allow > user:42:r-x-----------:f-i---I:allow > group:42:-w--D---------:------I:deny > owner@:rwxp--aARWcCos:-------:allow > group@:------a-R-c--s:-------:allow > everyone@:------a-R-c--s:-------:allow $ rmdir yyy $ umask 770 $ mkdir yyy $ getfacl -qn yyy > owner@:rwxp----------:-------:deny > group@:rwxp----------:-------:deny > group:41:------a-------:------I:allow > user:42:-----------Co-:f-i---I:allow > user:42:r-x-----------:f-i---I:allow > group:42:-w--D---------:------I:deny > owner@:------aARWcCos:-------:allow > group@:------a-R-c--s:-------:allow > everyone@:rwxp--a-R-c--s:-------:allow $ rmdir yyy $ umask 707 $ mkdir yyy $ getfacl -qn yyy > owner@:rwxp----------:-------:deny > group:41:r-----a-------:------I:allow > user:42:-----------Co-:f-i---I:allow > user:42:r-x-----------:f-i---I:allow > group:42:-w--D---------:------I:deny > owner@:------aARWcCos:-------:allow > group@:rwxp--a-R-c--s:-------:allow > everyone@:------a-R-c--s:-------:allow # There is some complication regarding how write_acl and write_owner flags # get inherited. Make sure we got it right. $ setfacl -b . $ setfacl -a0 u:42:Co:f:allow . $ setfacl -a0 u:43:Co:d:allow . $ setfacl -a0 u:44:Co:fd:allow . $ setfacl -a0 u:45:Co:fi:allow . $ setfacl -a0 u:46:Co:di:allow . $ setfacl -a0 u:47:Co:fdi:allow . $ setfacl -a0 u:48:Co:fn:allow . $ setfacl -a0 u:49:Co:dn:allow . $ setfacl -a0 u:50:Co:fdn:allow . $ setfacl -a0 u:51:Co:fni:allow . $ setfacl -a0 u:52:Co:dni:allow . $ setfacl -a0 u:53:Co:fdni:allow . 
$ umask 022 $ rm xxx $ touch xxx $ getfacl -nq xxx > user:53:--------------:------I:allow > user:51:--------------:------I:allow > user:50:--------------:------I:allow > user:48:--------------:------I:allow > user:47:--------------:------I:allow > user:45:--------------:------I:allow > user:44:--------------:------I:allow > user:42:--------------:------I:allow > owner@:rw-p--aARWcCos:-------:allow > group@:r-----a-R-c--s:-------:allow > everyone@:r-----a-R-c--s:-------:allow $ rmdir yyy $ mkdir yyy $ getfacl -nq yyy > user:53:--------------:------I:allow > user:52:--------------:------I:allow > user:50:--------------:------I:allow > user:49:--------------:------I:allow > user:47:--------------:fd----I:allow > user:46:--------------:-d----I:allow > user:45:-----------Co-:f-i---I:allow > user:44:--------------:fd----I:allow > user:43:--------------:-d----I:allow > user:42:-----------Co-:f-i---I:allow > owner@:rwxp--aARWcCos:-------:allow > group@:r-x---a-R-c--s:-------:allow > everyone@:r-x---a-R-c--s:-------:allow $ setfacl -b . $ setfacl -a0 u:42:Co:f:deny . $ setfacl -a0 u:43:Co:d:deny . $ setfacl -a0 u:44:Co:fd:deny . $ setfacl -a0 u:45:Co:fi:deny . $ setfacl -a0 u:46:Co:di:deny . $ setfacl -a0 u:47:Co:fdi:deny . $ setfacl -a0 u:48:Co:fn:deny . $ setfacl -a0 u:49:Co:dn:deny . $ setfacl -a0 u:50:Co:fdn:deny . $ setfacl -a0 u:51:Co:fni:deny . $ setfacl -a0 u:52:Co:dni:deny . $ setfacl -a0 u:53:Co:fdni:deny . 
$ umask 022 $ rm xxx $ touch xxx $ getfacl -nq xxx > user:53:-----------Co-:------I:deny > user:51:-----------Co-:------I:deny > user:50:-----------Co-:------I:deny > user:48:-----------Co-:------I:deny > user:47:-----------Co-:------I:deny > user:45:-----------Co-:------I:deny > user:44:-----------Co-:------I:deny > user:42:-----------Co-:------I:deny > owner@:rw-p--aARWcCos:-------:allow > group@:r-----a-R-c--s:-------:allow > everyone@:r-----a-R-c--s:-------:allow $ rmdir yyy $ mkdir yyy $ getfacl -nq yyy > user:53:-----------Co-:------I:deny > user:52:-----------Co-:------I:deny > user:50:-----------Co-:------I:deny > user:49:-----------Co-:------I:deny > user:47:-----------Co-:fd----I:deny > user:46:-----------Co-:-d----I:deny > user:45:-----------Co-:f-i---I:deny > user:44:-----------Co-:fd----I:deny > user:43:-----------Co-:-d----I:deny > user:42:-----------Co-:f-i---I:deny > owner@:rwxp--aARWcCos:-------:allow > group@:r-x---a-R-c--s:-------:allow > everyone@:r-x---a-R-c--s:-------:allow $ rmdir yyy $ rm xxx $ cd .. $ rmdir ddd $ rm xxx Index: stable/12/tests/sys/acl/tools-nfs4.test =================================================================== --- stable/12/tests/sys/acl/tools-nfs4.test (revision 340522) +++ stable/12/tests/sys/acl/tools-nfs4.test (revision 340523) 
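Review bot: The header comment of this test still tells the reader to run `/usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4-psarc.test`, although the file being patched lives under tests/sys/acl; the usage line could be updated to the current location, e.g. `# tests/sys/acl/run tests/sys/acl/tools-nfs4-psarc.test` relative to the source tree. The new expected line `> setfacl: nnn: acl_get_file() failed: No such file or directory` ties the test to the name of the failing library call, so a comment beside it noting that the text must track setfacl's warn() message would help whoever next changes that diagnostic. The same applies to the second occurrence after `$ setfacl -b nnn xxx yyy zzz`.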
@@ -1,828 +1,828 @@ # Copyright (c) 2008, 2009 Edward Tomasz Napierała # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # # This is a tools-level test for NFSv4 ACL functionality. Run it as root # using ACL-enabled kernel: # # /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test # # WARNING: Creates files in unsafe way. $ whoami > root $ umask 022 # Smoke test for getfacl(1). 
$ touch xxx $ getfacl xxx > # file: xxx > # owner: root > # group: wheel > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ getfacl -q xxx > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Check verbose mode formatting. $ getfacl -v xxx > # file: xxx > # owner: root > # group: wheel > owner@:execute::deny > owner@:read_data/write_data/append_data/write_attributes/write_xattr/write_acl/write_owner::allow > group@:write_data/execute/append_data::deny > group@:read_data::allow > everyone@:write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::deny > everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow # Test setfacl -a. $ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > user:0:-----------C--:-------:allow > group:1:----------c---:-------:deny > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Test user and group name resolving. 
$ rm xxx $ touch xxx $ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx $ getfacl xxx > # file: xxx > # owner: root > # group: wheel > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > user:root:-----------C--:-------:allow > group:daemon:----------c---:-------:deny > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Check whether ls correctly marks files with "+". $ ls -l xxx | cut -d' ' -f1 > -rw-r--r--+ # Test removing entries by number. $ setfacl -x 4 xxx $ setfacl -x 4 xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > user:0:-----------C--:-------:allow > group:1:----------c---:-------:deny > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Test setfacl -m. $ setfacl -a0 everyone@:rwx:deny xxx $ setfacl -a0 everyone@:rwx:deny xxx $ setfacl -a0 everyone@:rwx:deny xxx $ setfacl -m everyone@::deny xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > user:0:-----------C--:-------:allow > group:1:----------c---:-------:deny > everyone@:--------------:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Test getfacl -i. 
$ getfacl -i xxx > # file: xxx > # owner: root > # group: wheel > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > user:root:-----------C--:-------:allow:0 > group:daemon:----------c---:-------:deny:1 > everyone@:--------------:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Make sure cp without any flags does not copy copy the ACL. $ cp xxx yyy $ ls -l yyy | cut -d' ' -f1 > -rw-r--r-- # Make sure it does with the "-p" flag. $ rm yyy $ cp -p xxx yyy $ getfacl -n yyy > # file: yyy > # owner: root > # group: wheel > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > everyone@:--------------:-------:deny > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > user:0:-----------C--:-------:allow > group:1:----------c---:-------:deny > everyone@:--------------:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ rm yyy # Test removing entries by... by example? $ setfacl -x everyone@::deny xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > user:0:-----------C--:-------:allow > group:1:----------c---:-------:deny > everyone@:r-----a-R-c--s:-------:allow # Test setfacl -b. $ setfacl -b xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ ls -l xxx | cut -d' ' -f1 > -rw-r--r-- # Check setfacl(1) and getfacl(1) with multiple files. 
$ touch xxx yyy zzz $ ls -l xxx yyy zzz | cut -d' ' -f1 > -rw-r--r-- > -rw-r--r-- > -rw-r--r-- $ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz -> setfacl: nnn: stat() failed: No such file or directory +> setfacl: nnn: acl_get_file() failed: No such file or directory $ ls -l nnn xxx yyy zzz | cut -d' ' -f1 > ls: nnn: No such file or directory > -rw-r--r--+ > -rw-r--r--+ > -rw-r--r--+ $ getfacl -nq nnn xxx yyy zzz > getfacl: nnn: stat() failed: No such file or directory > user:42:--x-----------:-------:allow > group:43:-w------------:-------:allow > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow > > user:42:--x-----------:-------:allow > group:43:-w------------:-------:allow > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow > > user:42:--x-----------:-------:allow > group:43:-w------------:-------:allow > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ setfacl -b nnn xxx yyy zzz -> setfacl: nnn: stat() failed: No such file or directory +> setfacl: nnn: acl_get_file() failed: No such file or directory $ ls -l nnn xxx yyy zzz | cut -d' ' -f1 > ls: nnn: No such file or directory > -rw-r--r-- > -rw-r--r-- > -rw-r--r-- $ rm xxx yyy zzz # Test applying mode to an ACL. 
$ touch xxx $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx $ chmod 600 xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > user:42:r-------------:-------:deny > user:42:r-------------:-------:allow > user:43:-w------------:-------:deny > user:43:-w------------:-------:allow > user:44:--x-----------:-------:deny > user:44:--x-----------:-------:allow > owner@:--------------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:--------------:-------:deny > group@:--------------:-------:allow > everyone@:-------A-W-Co-:-------:deny > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:rwxp----------:-------:deny > group@:--------------:-------:allow > everyone@:rwxp---A-W-Co-:-------:deny > everyone@:------a-R-c--s:-------:allow $ ls -l xxx | cut -d' ' -f1 > -rw-------+ $ rm xxx $ touch xxx $ chown 42 xxx $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx $ chmod 600 xxx $ getfacl -n xxx > # file: xxx > # owner: 42 > # group: wheel > user:42:--------------:-------:deny > user:42:r-------------:-------:allow > user:43:-w------------:-------:deny > user:43:-w------------:-------:allow > user:44:--x-----------:-------:deny > user:44:--x-----------:-------:allow > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:rwxp----------:-------:deny > group@:--------------:-------:allow > everyone@:rwxp---A-W-Co-:-------:deny > everyone@:------a-R-c--s:-------:allow $ ls -l xxx | cut -d' ' -f1 > -rw-------+ $ rm xxx $ touch xxx $ chown 43 xxx $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx $ chmod 124 xxx $ getfacl -n xxx > # file: xxx > # owner: 43 > # group: wheel > user:42:r-------------:-------:deny > user:42:r-------------:-------:allow > user:43:-w------------:-------:deny > user:43:-w------------:-------:allow > user:44:--x-----------:-------:deny > 
user:44:--x-----------:-------:allow > owner@:rw-p----------:-------:deny > owner@:--x----A-W-Co-:-------:allow > group@:r-x-----------:-------:deny > group@:-w-p----------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ ls -l xxx | cut -d' ' -f1 > ---x-w-r--+ $ rm xxx $ touch xxx $ chown 43 xxx $ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx $ chmod 412 xxx $ getfacl -n xxx > # file: xxx > # owner: 43 > # group: wheel > user:42:r-------------:-------:deny > user:42:r-------------:-------:allow > user:43:-w------------:-------:deny > user:43:-w------------:-------:allow > user:44:--------------:-------:deny > user:44:--x-----------:-------:allow > owner@:-wxp----------:-------:deny > owner@:r------A-W-Co-:-------:allow > group@:rw-p----------:-------:deny > group@:--x-----------:-------:allow > everyone@:r-x----A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:-------:allow $ ls -l xxx | cut -d' ' -f1 > -r----x-w-+ $ mkdir ddd $ setfacl -a0 group:44:rwapd:allow ddd $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd $ getfacl -n ddd > # file: ddd > # owner: root > # group: wheel > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-d-----:allow > group:43:-w--D---------:-d-----:deny > group@:-----da-------:-------:allow > group:44:rw-p-da-------:-------:allow > owner@:--------------:-------:deny > owner@:rwxp---A-W-Co-:-------:allow > group@:-w-p----------:-------:deny > group@:r-x-----------:-------:allow > everyone@:-w-p---A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:f-i----:allow $ chmod 777 ddd $ getfacl -n ddd > # file: ddd > # owner: root > # group: wheel > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-di----:allow > group:42:--------------:-------:deny > group:42:-w--D---------:-------:allow > 
group:43:-w--D---------:-di----:deny > group:43:-w--D---------:-------:deny > group@:-----da-------:-------:allow > group:44:--------------:-------:deny > group:44:rw-p-da-------:-------:allow > owner@:--------------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:--------------:-------:deny > group@:--------------:-------:allow > everyone@:-------A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:f-i----:allow > owner@:--------------:-------:deny > owner@:rwxp---A-W-Co-:-------:allow > group@:--------------:-------:deny > group@:rwxp----------:-------:allow > everyone@:-------A-W-Co-:-------:deny > everyone@:rwxp--a-R-c--s:-------:allow $ rmdir ddd $ mkdir ddd $ setfacl -a0 group:44:rwapd:allow ddd $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd $ chmod 124 ddd $ getfacl -n ddd > # file: ddd > # owner: root > # group: wheel > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-di----:allow > group:42:--------------:-------:deny > group:42:----D---------:-------:allow > group:43:-w--D---------:-di----:deny > group:43:-w--D---------:-------:deny > group@:-----da-------:-------:allow > group:44:r-------------:-------:deny > group:44:r----da-------:-------:allow > owner@:--------------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:--------------:-------:deny > group@:--------------:-------:allow > everyone@:-------A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:f-i----:allow > owner@:rw-p----------:-------:deny > owner@:--x----A-W-Co-:-------:allow > group@:r-x-----------:-------:deny > group@:-w-p----------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ rmdir ddd $ mkdir ddd $ setfacl -a0 group:44:rwapd:allow ddd $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd $ setfacl -a0 
user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd $ chmod 412 ddd $ getfacl -n ddd > # file: ddd > # owner: root > # group: wheel > user:42:r-------------:-------:deny > user:42:r-x-----------:-------:allow > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-di----:allow > group:42:-w------------:-------:deny > group:42:-w--D---------:-------:allow > group:43:-w--D---------:-di----:deny > group:43:-w--D---------:-------:deny > group@:-----da-------:-------:allow > group:44:rw-p----------:-------:deny > group:44:rw-p-da-------:-------:allow > owner@:--------------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:--------------:-------:deny > group@:--------------:-------:allow > everyone@:-------A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:f-i----:allow > owner@:-wxp----------:-------:deny > owner@:r------A-W-Co-:-------:allow > group@:rw-p----------:-------:deny > group@:--x-----------:-------:allow > everyone@:r-x----A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:-------:allow $ rmdir ddd $ mkdir ddd $ setfacl -a0 group:44:rwapd:allow ddd $ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd $ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd $ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd $ chown 42 ddd $ chmod 412 ddd $ getfacl -n ddd > # file: ddd > # owner: 42 > # group: wheel > user:42:--x-----------:-------:deny > user:42:r-x-----------:-------:allow > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-di----:allow > group:42:-w------------:-------:deny > group:42:-w--D---------:-------:allow > group:43:-w--D---------:-di----:deny > group:43:-w--D---------:-------:deny > group@:-----da-------:-------:allow > group:44:rw-p----------:-------:deny > group:44:rw-p-da-------:-------:allow > owner@:--------------:-------:deny > owner@:-------A-W-Co-:-------:allow > 
group@:--------------:-------:deny > group@:--------------:-------:allow > everyone@:-------A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:f-i----:allow > owner@:-wxp----------:-------:deny > owner@:r------A-W-Co-:-------:allow > group@:rw-p----------:-------:deny > group@:--x-----------:-------:allow > everyone@:r-x----A-W-Co-:-------:deny > everyone@:-w-p--a-R-c--s:-------:allow # Test applying ACL to mode. $ rmdir ddd $ mkdir ddd $ setfacl -a0 u:42:rwx:fi:allow ddd $ ls -ld ddd | cut -d' ' -f1 > drwxr-xr-x+ $ rmdir ddd $ mkdir ddd $ chmod 0 ddd $ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd $ ls -ld ddd | cut -d' ' -f1 > dr----x---+ $ rmdir ddd $ mkdir ddd $ chmod 0 ddd $ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd $ ls -ld ddd | cut -d' ' -f1 > dr---wx---+ $ rmdir ddd $ mkdir ddd $ chmod 0 ddd $ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd $ ls -ld ddd | cut -d' ' -f1 > dr--------+ $ rmdir ddd $ mkdir ddd $ chmod 0 ddd $ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd $ ls -ld ddd | cut -d' ' -f1 > dr--------+ # Test inheritance. 
$ rmdir ddd $ mkdir ddd $ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd $ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd $ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd $ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd $ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd $ getfacl -qn ddd > user:41:-w-----A------:f--n---:allow > group:41:r-----a-------:-din---:allow > user:42:-----------Co-:f-i----:allow > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-d-n---:deny > group:43:-w---------C--:f-in---:deny > user:43:rwxp----------:-------:allow > owner@:--------------:-------:deny > owner@:rwxp---A-W-Co-:-------:allow > group@:-w-p----------:-------:deny > group@:r-x-----------:-------:allow > everyone@:-w-p---A-W-Co-:-------:deny > everyone@:r-x---a-R-c--s:-------:allow $ cd ddd $ touch xxx $ getfacl -qn xxx > user:41:-w------------:-------:deny > user:41:-w-----A------:-------:allow > user:42:--------------:-------:deny > user:42:--------------:-------:allow > user:42:--x-----------:-------:deny > user:42:r-x-----------:-------:allow > group:43:-w---------C--:-------:deny > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ rm xxx $ umask 077 $ touch xxx $ getfacl -qn xxx > user:41:-w------------:-------:deny > user:41:-w-----A------:-------:allow > user:42:--------------:-------:deny > user:42:--------------:-------:allow > user:42:r-x-----------:-------:deny > user:42:r-x-----------:-------:allow > group:43:-w---------C--:-------:deny > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:rwxp----------:-------:deny > group@:--------------:-------:allow > everyone@:rwxp---A-W-Co-:-------:deny > everyone@:------a-R-c--s:-------:allow $ rm xxx $ umask 770 $ 
touch xxx $ getfacl -qn xxx > user:41:-w------------:-------:deny > user:41:-w-----A------:-------:allow > user:42:--------------:-------:deny > user:42:--------------:-------:allow > user:42:r-x-----------:-------:deny > user:42:r-x-----------:-------:allow > group:43:-w---------C--:-------:deny > owner@:rwxp----------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:rwxp----------:-------:deny > group@:--------------:-------:allow > everyone@:--x----A-W-Co-:-------:deny > everyone@:rw-p--a-R-c--s:-------:allow $ rm xxx $ umask 707 $ touch xxx $ getfacl -qn xxx > user:41:--------------:-------:deny > user:41:-w-----A------:-------:allow > user:42:--------------:-------:deny > user:42:--------------:-------:allow > user:42:--x-----------:-------:deny > user:42:r-x-----------:-------:allow > group:43:-w---------C--:-------:deny > owner@:rwxp----------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:--x-----------:-------:deny > group@:rw-p----------:-------:allow > everyone@:rwxp---A-W-Co-:-------:deny > everyone@:------a-R-c--s:-------:allow $ umask 077 $ mkdir yyy $ getfacl -qn yyy > group:41:r-------------:-------:deny > group:41:r-----a-------:-------:allow > user:42:-----------Co-:f-i----:allow > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-------:deny > owner@:--------------:-------:deny > owner@:rwxp---A-W-Co-:-------:allow > group@:rwxp----------:-------:deny > group@:--------------:-------:allow > everyone@:rwxp---A-W-Co-:-------:deny > everyone@:------a-R-c--s:-------:allow $ rmdir yyy $ umask 770 $ mkdir yyy $ getfacl -qn yyy > group:41:r-------------:-------:deny > group:41:r-----a-------:-------:allow > user:42:-----------Co-:f-i----:allow > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-------:deny > owner@:rwxp----------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:rwxp----------:-------:deny > group@:--------------:-------:allow > everyone@:-------A-W-Co-:-------:deny > 
everyone@:rwxp--a-R-c--s:-------:allow $ rmdir yyy $ umask 707 $ mkdir yyy $ getfacl -qn yyy > group:41:--------------:-------:deny > group:41:------a-------:-------:allow > user:42:-----------Co-:f-i----:allow > user:42:r-x-----------:f-i----:allow > group:42:-w--D---------:-------:deny > owner@:rwxp----------:-------:deny > owner@:-------A-W-Co-:-------:allow > group@:--------------:-------:deny > group@:rwxp----------:-------:allow > everyone@:rwxp---A-W-Co-:-------:deny > everyone@:------a-R-c--s:-------:allow # There is some complication regarding how write_acl and write_owner flags # get inherited. Make sure we got it right. $ setfacl -b . $ setfacl -a0 u:42:Co:f:allow . $ setfacl -a0 u:43:Co:d:allow . $ setfacl -a0 u:44:Co:fd:allow . $ setfacl -a0 u:45:Co:fi:allow . $ setfacl -a0 u:46:Co:di:allow . $ setfacl -a0 u:47:Co:fdi:allow . $ setfacl -a0 u:48:Co:fn:allow . $ setfacl -a0 u:49:Co:dn:allow . $ setfacl -a0 u:50:Co:fdn:allow . $ setfacl -a0 u:51:Co:fni:allow . $ setfacl -a0 u:52:Co:dni:allow . $ setfacl -a0 u:53:Co:fdni:allow . 
$ umask 022 $ rm xxx $ touch xxx $ getfacl -nq xxx > user:53:--------------:-------:deny > user:53:--------------:-------:allow > user:51:--------------:-------:deny > user:51:--------------:-------:allow > user:50:--------------:-------:deny > user:50:--------------:-------:allow > user:48:--------------:-------:deny > user:48:--------------:-------:allow > user:47:--------------:-------:deny > user:47:--------------:-------:allow > user:45:--------------:-------:deny > user:45:--------------:-------:allow > user:44:--------------:-------:deny > user:44:--------------:-------:allow > user:42:--------------:-------:deny > user:42:--------------:-------:allow > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ rmdir yyy $ mkdir yyy $ getfacl -nq yyy > user:53:--------------:-------:deny > user:53:--------------:-------:allow > user:52:--------------:-------:deny > user:52:--------------:-------:allow > user:50:--------------:-------:deny > user:50:--------------:-------:allow > user:49:--------------:-------:deny > user:49:--------------:-------:allow > user:47:-----------Co-:fdi----:allow > user:47:--------------:-------:deny > user:47:--------------:-------:allow > user:46:-----------Co-:-di----:allow > user:46:--------------:-------:deny > user:46:--------------:-------:allow > user:45:-----------Co-:f-i----:allow > user:44:-----------Co-:fdi----:allow > user:44:--------------:-------:deny > user:44:--------------:-------:allow > user:43:-----------Co-:-di----:allow > user:43:--------------:-------:deny > user:43:--------------:-------:allow > user:42:-----------Co-:f-i----:allow > owner@:--------------:-------:deny > owner@:rwxp---A-W-Co-:-------:allow > group@:-w-p----------:-------:deny > group@:r-x-----------:-------:allow > everyone@:-w-p---A-W-Co-:-------:deny > 
everyone@:r-x---a-R-c--s:-------:allow $ setfacl -b . $ setfacl -a0 u:42:Co:f:deny . $ setfacl -a0 u:43:Co:d:deny . $ setfacl -a0 u:44:Co:fd:deny . $ setfacl -a0 u:45:Co:fi:deny . $ setfacl -a0 u:46:Co:di:deny . $ setfacl -a0 u:47:Co:fdi:deny . $ setfacl -a0 u:48:Co:fn:deny . $ setfacl -a0 u:49:Co:dn:deny . $ setfacl -a0 u:50:Co:fdn:deny . $ setfacl -a0 u:51:Co:fni:deny . $ setfacl -a0 u:52:Co:dni:deny . $ setfacl -a0 u:53:Co:fdni:deny . $ umask 022 $ rm xxx $ touch xxx $ getfacl -nq xxx > user:53:-----------Co-:-------:deny > user:51:-----------Co-:-------:deny > user:50:-----------Co-:-------:deny > user:48:-----------Co-:-------:deny > user:47:-----------Co-:-------:deny > user:45:-----------Co-:-------:deny > user:44:-----------Co-:-------:deny > user:42:-----------Co-:-------:deny > owner@:--x-----------:-------:deny > owner@:rw-p---A-W-Co-:-------:allow > group@:-wxp----------:-------:deny > group@:r-------------:-------:allow > everyone@:-wxp---A-W-Co-:-------:deny > everyone@:r-----a-R-c--s:-------:allow $ rmdir yyy $ mkdir yyy $ getfacl -nq yyy > user:53:-----------Co-:-------:deny > user:52:-----------Co-:-------:deny > user:50:-----------Co-:-------:deny > user:49:-----------Co-:-------:deny > user:47:-----------Co-:fdi----:deny > user:47:-----------Co-:-------:deny > user:46:-----------Co-:-di----:deny > user:46:-----------Co-:-------:deny > user:45:-----------Co-:f-i----:deny > user:44:-----------Co-:fdi----:deny > user:44:-----------Co-:-------:deny > user:43:-----------Co-:-di----:deny > user:43:-----------Co-:-------:deny > user:42:-----------Co-:f-i----:deny > owner@:--------------:-------:deny > owner@:rwxp---A-W-Co-:-------:allow > group@:-w-p----------:-------:deny > group@:r-x-----------:-------:allow > everyone@:-w-p---A-W-Co-:-------:deny > everyone@:r-x---a-R-c--s:-------:allow $ rmdir yyy $ rm xxx $ cd .. 
$ rmdir ddd $ rm xxx Index: stable/12/tests/sys/acl/tools-posix.test =================================================================== --- stable/12/tests/sys/acl/tools-posix.test (revision 340522) +++ stable/12/tests/sys/acl/tools-posix.test (revision 340523) 
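Review bot: Neither this file nor tools-posix.test gains a case for the recursive mode that the setfacl.c usage string in this commit advertises (`-R [-H | -L | -P]`); the only changed expectations in this whole-file hunk are the two `nnn` error lines. Because the suite runs as root, it is worth pinning the traversal behaviour with a small tree that contains a symlink pointing outside it, then checking with `getfacl` that the link target's ACL is unchanged. Presumably no links are followed unless -H or -L is given, but that should be confirmed against the manual page. A starting point would be `$ setfacl -R -m u:42:x:allow ddd` followed by `$ getfacl -nq ddd/xxx`, with the expected output recorded from a verified run.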
@@ -1,453 +1,453 @@ # Copyright (c) 2008, 2009 Edward Tomasz Napierała # All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # # This is a tools-level test for POSIX.1e ACL functionality. Run it as root # using ACL-enabled kernel: # # /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-posix.test # # WARNING: Creates files in unsafe way. $ whoami > root $ umask 022 # Smoke test for getfacl(1). 
$ touch xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > user::rw- > group::r-- > other::r-- $ getfacl -q xxx > user::rw- > group::r-- > other::r-- $ setfacl -m u:42:r,g:43:w xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > user::rw- > user:42:r-- > group::r-- > group:43:-w- > mask::rw- > other::r-- # Check whether ls correctly marks files with "+". $ ls -l xxx | cut -d' ' -f1 > -rw-rw-r--+ # Same as above, but for symlinks. $ ln -s xxx lll $ getfacl -h lll > # file: lll > # owner: root > # group: wheel > user::rwx > group::r-x > other::r-x $ getfacl -qh lll > user::rwx > group::r-x > other::r-x $ getfacl -q lll > user::rw- > user:42:r-- > group::r-- > group:43:-w- > mask::rw- > other::r-- $ setfacl -hm u:44:x,g:45:w lll $ getfacl -h lll > # file: lll > # owner: root > # group: wheel > user::rwx > user:44:--x > group::r-x > group:45:-w- > mask::rwx > other::r-x $ ls -l lll | cut -d' ' -f1 > lrwxrwxr-x+ # Check whether the original file is left untouched. $ ls -l xxx | cut -d' ' -f1 > -rw-rw-r--+ $ rm lll # Test removing entries. $ setfacl -x user:42: xxx $ getfacl xxx > # file: xxx > # owner: root > # group: wheel > user::rw- > group::r-- > group:43:-w- > mask::rw- > other::r-- $ setfacl -m u:42:r xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > user::rw- > user:42:r-- > group::r-- > group:43:-w- > mask::rw- > other::r-- # Test removing entries by number. $ setfacl -x 1 xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > user::rw- > group::r-- > group:43:-w- > mask::rw- > other::r-- $ setfacl -m g:43:r xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > user::rw- > group::r-- > group:43:r-- > mask::r-- > other::r-- # Make sure cp without any flags does not copy the ACL. $ cp xxx yyy $ ls -l yyy | cut -d' ' -f1 > -rw-r--r-- # Make sure it does with the "-p" flag. 
$ rm yyy $ cp -p xxx yyy $ getfacl -n yyy > # file: yyy > # owner: root > # group: wheel > user::rw- > group::r-- > group:43:r-- > mask::r-- > other::r-- $ rm yyy # Test removing entries by... by example? $ setfacl -m u:42:r,g:43:w xxx $ setfacl -x u:42: xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > user::rw- > group::r-- > group:43:-w- > mask::rw- > other::r-- # Test setfacl -b. $ setfacl -b xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > user::rw- > group::r-- > mask::r-- > other::r-- $ ls -l xxx | cut -d' ' -f1 > -rw-r--r--+ $ setfacl -nb xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > user::rw- > group::r-- > other::r-- $ ls -l xxx | cut -d' ' -f1 > -rw-r--r-- # Check setfacl(1) and getfacl(1) with multiple files. $ touch xxx yyy zzz $ ls -l xxx yyy zzz | cut -d' ' -f1 > -rw-r--r-- > -rw-r--r-- > -rw-r--r-- $ setfacl -m u:42:x,g:43:w nnn xxx yyy zzz -> setfacl: nnn: stat() failed: No such file or directory +> setfacl: nnn: acl_get_file() failed: No such file or directory $ ls -l nnn xxx yyy zzz | cut -d' ' -f1 > ls: nnn: No such file or directory > -rw-rwxr--+ > -rw-rwxr--+ > -rw-rwxr--+ $ getfacl -nq nnn xxx yyy zzz > getfacl: nnn: stat() failed: No such file or directory > user::rw- > user:42:--x > group::r-- > group:43:-w- > mask::rwx > other::r-- > > user::rw- > user:42:--x > group::r-- > group:43:-w- > mask::rwx > other::r-- > > user::rw- > user:42:--x > group::r-- > group:43:-w- > mask::rwx > other::r-- $ setfacl -b nnn xxx yyy zzz -> setfacl: nnn: stat() failed: No such file or directory +> setfacl: nnn: acl_get_file() failed: No such file or directory $ ls -l nnn xxx yyy zzz | cut -d' ' -f1 > ls: nnn: No such file or directory > -rw-r--r--+ > -rw-r--r--+ > -rw-r--r--+ $ setfacl -bn nnn xxx yyy zzz -> setfacl: nnn: stat() failed: No such file or directory +> setfacl: nnn: acl_get_file() failed: No such file or directory $ ls -l nnn xxx yyy zzz | cut -d' ' -f1 > ls: nnn: No such file or 
directory > -rw-r--r-- > -rw-r--r-- > -rw-r--r-- $ rm xxx yyy zzz # Check whether chmod actually does what it should do. $ touch xxx $ setfacl -m u:42:rwx,g:43:rwx xxx $ chmod 600 xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > user::rw- > user:42:rwx # effective: --- > group::r-- # effective: --- > group:43:rwx # effective: --- > mask::--- > other::--- $ chmod 060 xxx $ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel > user::--- > user:42:rwx # effective: rw- > group::r-- > group:43:rwx # effective: rw- > mask::rw- > other::--- # Test default ACLs. $ umask 022 $ mkdir ddd $ getfacl -qn ddd > user::rwx > group::r-x > other::r-x $ ls -l | grep ddd | cut -d' ' -f1 > drwxr-xr-x $ getfacl -dq ddd $ setfacl -dm u::rwx,g::rx,o::rx,mask::rwx ddd $ getfacl -dqn ddd > user::rwx > group::r-x > mask::rwx > other::r-x # No change - ls(1) output doesn't take into account default ACLs. $ ls -l | grep ddd | cut -d' ' -f1 > drwxr-xr-x $ setfacl -dm g:42:rwx,u:42:r ddd $ setfacl -dm g::w ddd $ getfacl -dqn ddd > user::rwx > user:42:r-- > group::-w- > group:42:rwx > mask::rwx > other::r-x $ setfacl -dx group:42: ddd $ getfacl -dqn ddd > user::rwx > user:42:r-- > group::-w- > mask::rw- > other::r-x $ ls -l | grep ddd | cut -d' ' -f1 > drwxr-xr-x $ rmdir ddd $ rm xxx # Test inheritance. 
$ mkdir ddd $ touch ddd/xxx $ getfacl -q ddd/xxx > user::rw- > group::r-- > other::r-- $ mkdir ddd/ddd $ getfacl -q ddd/ddd > user::rwx > group::r-x > other::r-x $ rmdir ddd/ddd $ rm ddd/xxx $ setfacl -dm u::rwx,g::rx,o::rx,mask::rwx ddd $ setfacl -dm g:42:rwx,u:43:r ddd $ getfacl -dq ddd > user::rwx > user:43:r-- > group::r-x > group:42:rwx > mask::rwx > other::r-x $ touch ddd/xxx $ getfacl -q ddd/xxx > user::rw- > user:43:r-- > group::r-x # effective: r-- > group:42:rwx # effective: r-- > mask::r-- > other::r-- $ mkdir ddd/ddd $ getfacl -q ddd/ddd > user::rwx > user:43:r-- > group::r-x > group:42:rwx # effective: r-x > mask::r-x > other::r-x $ rmdir ddd/ddd $ rm ddd/xxx $ rmdir ddd # Test if we deal properly with fifos. $ mkfifo fff $ ls -l fff | cut -d' ' -f1 > prw-r--r-- $ setfacl -m u:42:r,g:43:w fff $ getfacl fff > # file: fff > # owner: root > # group: wheel > user::rw- > user:42:r-- > group::r-- > group:43:-w- > mask::rw- > other::r-- $ ls -l fff | cut -d' ' -f1 > prw-rw-r--+ $ setfacl -bn fff $ getfacl fff > # file: fff > # owner: root > # group: wheel > user::rw- > group::r-- > other::r-- $ ls -l fff | cut -d' ' -f1 > prw-r--r-- $ rm fff # Test if we deal properly with device files. $ mknod bbb b 1 1 $ setfacl -m u:42:r,g:43:w bbb > setfacl: bbb: acl_get_file() failed: Operation not supported $ ls -l bbb | cut -d' ' -f1 > brw-r--r-- $ rm bbb $ mknod ccc c 1 1 $ setfacl -m u:42:r,g:43:w ccc > setfacl: ccc: acl_get_file() failed: Operation not supported $ ls -l ccc | cut -d' ' -f1 > crw-r--r-- $ rm ccc Index: stable/12 =================================================================== --- stable/12 (revision 340522) +++ stable/12 (revision 340523) Property changes on: stable/12 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r339781-339782
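Review bot: The three updated `nnn` expectations check only the message text, so the exit status of a run where one operand fails and the others succeed is never asserted; the same holds for the two `nnn` lines in tools-nfs4.test. Now that the failing call has moved from stat() to acl_get_file(), a status check would catch a regression in which the error is printed but the command still reports success. Something like `$ setfacl -b nnn xxx ; echo $?`, with the expected status line added beneath the message, would cover it. This assumes the runner passes the command line to a shell, as the existing `| cut` pipelines suggest. Spelling the libc function name in the expected output also ties these tests to the implementation, which is why this commit had to edit them.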