1 #! /usr/bin/ksh -p
2 #
3 # CDDL HEADER START
4 #
5 # The contents of this file are subject to the terms of the
6 # Common Development and Distribution License (the "License").
7 # You may not use this file except in compliance with the License.
8 #
9 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 # or http://www.opensolaris.org/os/licensing.
11 # See the License for the specific language governing permissions
12 # and limitations under the License.
13 #
14 # When distributing Covered Code, include this CDDL HEADER in each
15 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 # If applicable, add the following below this CDDL HEADER, with the
17 # fields enclosed by brackets "[]" replaced with your own identifying
18 # information: Portions Copyright [yyyy] [name of copyright owner]
19 #
20 # CDDL HEADER END
21 #
22
23 #
24 # Copyright 2009 Sun Microsystems, Inc. All rights reserved.
25 # Use is subject to license terms.
26 #
27
28 . $STF_SUITE/tests/acl/acl_common.kshlib
29
30 #################################################################################
31 #
32 # __stc_assertion_start
33 #
34 # ID: acl_chmod_rwacl_pos001
35 #
36 # DESCRIPTION:
37 # Verify assigned read_acl/write_acl to owner@/group@/everyone@,
38 # specificied user and group. File have the correct access permission.
39 #
40 # STRATEGY:
41 # 1. Separatedly verify file and directory was assigned read_acl/write_acl
42 # by root and non-root user.
43 # 2. Verify owner always can read and write acl, even deny.
44 # 3. Verify group access permission, when group was assigned
45 # read_acl/write_acl.
46 # 4. Verify access permission, after everyone was assigned read_acl/write.
47 # 5. Verify everyone@ was deny except specificied user, this user can read
48 # and write acl.
49 # 6. Verify the group was deny except specified user, this user can read
50 # and write acl
51 #
52 # TESTABILITY: explicit
53 #
54 # TEST_AUTOMATION_LEVEL: automated
55 #
56 # __stc_assertion_end
57 #
58 ################################################################################
59
60 [[ :$NFSGEN_DEBUG: = *:${NAME}:* || :${NFSGEN_DEBUG}: = *:all:* ]] \
61 && set -x
62
63 function case_cleanup
64 {
65 [[ :$NFSGEN_DEBUG: = *:${NAME}:* || :${NFSGEN_DEBUG}: = *:all:* ]] \
66 && set -x
67
68 [[ $1 != $STF_PASS ]] && [[ -f $STF_TMPDIR/$NAME.$$ ]] \
69 && cat $STF_TMPDIR/$NAME.$$
70 rm -rf $STF_TMPDIR/$NAME.$$.*
71
72 # restore the mount option and enable attribute cache
73 cd $CWD
74 RUN_CHECK do_remount
75 [[ -n $1 ]] && cleanup $1 || return 0
76 }
77
78 echo "ASSERTION: Verify chmod A[number]{+|-|=} read_acl/write_acl have correct " \
79 "behaviour to access permission."
80
81 function read_ACL #<node> <user1> <user2> ...
82 {
83 [[ :$NFSGEN_DEBUG: = *:${NAME}:* || :${NFSGEN_DEBUG}: = *:all:* ]] \
84 && set -x
85
86 typeset node=$1
87 typeset user
88 typeset -i ret
89
90 shift
91 for user in $@; do
92 RUN_CHECK chgusr_exec $user $LS -vd $node \
93 > $STF_TMPDIR/$NAME.$$ 2>&1
94 ret=$?
95 (( ret != 0 )) && return $ret
96
97 shift
98 done
99
100 return 0
101 }
102
103 function write_ACL #<node> <user1> <user2> ...
104 {
105 [[ :$NFSGEN_DEBUG: = *:${NAME}:* || :${NFSGEN_DEBUG}: = *:all:* ]] \
106 && set -x
107
108 typeset node=$1
109 typeset user
110 typeset -i ret before_cnt after_cnt
111
112 shift
113 for user in "$@"; do
114 before_cnt=$(count_ACE $node)
115 ret=$?;
116 (( ret != 0 )) && return $ret
117
118 RUN_CHECK chgusr_exec $user $CHMOD A0+owner@:read_data:allow $node
119 ret=$?
120 (( ret != 0 )) && return $ret
121
122 after_cnt=$(count_ACE $node)
123 ret=$?
124 (( ret != 0 )) && return $ret
125
126 RUN_CHECK chgusr_exec $user $CHMOD A0- $node
127 ret=$?
128 (( ret != 0 )) && return $ret
129
130 if (( after_cnt - before_cnt != 1 )); then
131 return 1
132 fi
133
134 shift
135 done
136
137 return 0
138 }
139
140 function check_owner #<node>
141 {
142 [[ :$NFSGEN_DEBUG: = *:${NAME}:* || :${NFSGEN_DEBUG}: = *:all:* ]] \
143 && set -x
144
145 typeset node=$1
146
147 for acc in allow deny; do
148 RUN_CHECK usr_exec \
149 $CHMOD A0+owner@:read_acl/write_acl:$acc $node \
150 || case_cleanup $STF_FAIL
151 RUN_CHECK read_ACL $node $ACL_CUR_USER \
152 || case_cleanup $STF_FAIL
153 RUN_CHECK write_ACL $node $ACL_CUR_USER \
154 || case_cleanup $STF_FAIL
155 RUN_CHECK usr_exec $CHMOD A0- $node || case_cleanup $STF_FAIL
156 done
157 }
158
159 function check_group #<node>
160 {
161 [[ :$NFSGEN_DEBUG: = *:${NAME}:* || :${NFSGEN_DEBUG}: = *:all:* ]] \
162 && set -x
163
164 typeset node=$1
165
166 typeset grp_usr=""
167 if [[ $ACL_CUR_USER == root ]]; then
168 grp_usr=$ACL_ADMIN
169 elif [[ $ACL_CUR_USER == $ACL_STAFF1 ]]; then
170 grp_usr=$ACL_STAFF2
171 fi
172
173 RUN_CHECK usr_exec $CHMOD A0+group@:read_acl/write_acl:allow $node \
174 || case_cleanup $STF_FAIL
175 RUN_CHECK read_ACL $node $grp_usr || case_cleanup $STF_FAIL
176 RUN_CHECK write_ACL $node $grp_usr || case_cleanup $STF_FAIL
177 RUN_CHECK usr_exec $CHMOD A0- $node || case_cleanup $STF_FAIL
178
179 RUN_CHECK usr_exec $CHMOD A0+group@:read_acl/write_acl:deny $node \
180 || case_cleanup $STF_FAIL
181 RUN_CHECKNEG read_ACL $node $grp_usr || case_cleanup $STF_FAIL
182 RUN_CHECKNEG write_ACL $node $grp_usr || case_cleanup $STF_FAIL
183 RUN_CHECK usr_exec $CHMOD A0- $node || case_cleanup $STF_FAIL
184 }
185
186 function check_everyone #<node>
187 {
188 [[ :$NFSGEN_DEBUG: = *:${NAME}:* || :${NFSGEN_DEBUG}: = *:all:* ]] \
189 && set -x
190
191 typeset node=$1
192
193 typeset flag
194 for flag in allow deny; do
195 if [[ $flag == allow ]]; then
196 log=RUN_CHECK
197 else
198 log=RUN_CHECKNEG
199 fi
200
201 RUN_CHECK usr_exec \
202 $CHMOD A0+everyone@:read_acl/write_acl:$flag $node \
203 || case_cleanup $STF_FAIL
204
205 eval $log read_ACL $node $ACL_OTHER1 $ACL_OTHER2 \
206 || case_cleanup $STF_FAIL
207 eval $log write_ACL $node $ACL_OTHER1 $ACL_OTHER2 \
208 || case_cleanup $STF_FAIL
209
210 RUN_CHECK usr_exec $CHMOD A0- $node || case_cleanup $STF_FAIL
211 done
212 }
213
214 function check_spec_user #<node>
215 {
216 [[ :$NFSGEN_DEBUG: = *:${NAME}:* || :${NFSGEN_DEBUG}: = *:all:* ]] \
217 && set -x
218
219 typeset node=$1
220
221 RUN_CHECK usr_exec $CHMOD A0+everyone@:read_acl/write_acl:deny $node \
222 || case_cleanup $STF_FAIL
223 RUN_CHECK usr_exec \
224 $CHMOD A0+user:$ACL_OTHER1:read_acl/write_acl:allow $node \
225 || case_cleanup $STF_FAIL
226
227 # The specified user can read and write acl
228 RUN_CHECK read_ACL $node $ACL_OTHER1 || case_cleanup $STF_FAIL
229 RUN_CHECK write_ACL $node $ACL_OTHER1 || case_cleanup $STF_FAIL
230
231 # All the other user can't read and write acl
232 RUN_CHECKNEG \
233 read_ACL $node $ACL_ADMIN $ACL_STAFF2 $ACL_OTHER2 \
234 || case_cleanup $STF_FAIL
235 RUN_CHECKNEG \
236 write_ACL $node $ACL_ADMIN $ACL_STAFF2 $ACL_OTHER2 \
237 || case_cleanup $STF_FAIL
238
239 RUN_CHECK usr_exec $CHMOD A0- $node || case_cleanup $STF_FAIL
240 RUN_CHECK usr_exec $CHMOD A0- $node || case_cleanup $STF_FAIL
241 }
242
243 function check_spec_group #<node>
244 {
245 [[ :$NFSGEN_DEBUG: = *:${NAME}:* || :${NFSGEN_DEBUG}: = *:all:* ]] \
246 && set -x
247
248 typeset node=$1
249
250 RUN_CHECK usr_exec $CHMOD A0+everyone@:read_acl/write_acl:deny $node \
251 || case_cleanup $STF_FAIL
252 RUN_CHECK usr_exec $CHMOD \
253 A0+group:$ACL_OTHER_GROUP:read_acl/write_acl:allow $node \
254 || case_cleanup $STF_FAIL
255
256 # The specified group can read and write acl
257 RUN_CHECK read_ACL $node $ACL_OTHER1 $ACL_OTHER2 \
258 || case_cleanup $STF_FAIL
259 RUN_CHECK write_ACL $node $ACL_OTHER1 $ACL_OTHER2 \
260 || case_cleanup $STF_FAIL
261
262 # All the other user can't read and write acl
263 RUN_CHECKNEG read_ACL $node $ACL_ADMIN $ACL_STAFF2 \
264 || case_cleanup $STF_FAIL
265 RUN_CHECKNEG write_ACL $node $ACL_ADMIN $ACL_STAFF2 \
266 || case_cleanup $STF_FAIL
267 }
268
269 function check_user_in_group #<node>
270 {
271 [[ :$NFSGEN_DEBUG: = *:${NAME}:* || :${NFSGEN_DEBUG}: = *:all:* ]] \
272 && set -x
273
274 typeset node=$1
275
276 RUN_CHECK usr_exec $CHMOD \
277 A0+group:$ACL_OTHER_GROUP:read_acl/write_acl:deny $node \
278 || case_cleanup $STF_FAIL
279 RUN_CHECK usr_exec $CHMOD \
280 A0+user:$ACL_OTHER1:read_acl/write_acl:allow $node \
281 || case_cleanup $STF_FAIL
282 RUN_CHECK read_ACL $node $ACL_OTHER1 || case_cleanup $STF_FAIL
283 RUN_CHECK write_ACL $node $ACL_OTHER1 || case_cleanup $STF_FAIL
284 RUN_CHECKNEG read_ACL $node $ACL_OTHER2 || case_cleanup $STF_FAIL
285 RUN_CHECKNEG write_ACL $node $ACL_OTHER2 || case_cleanup $STF_FAIL
286
287 RUN_CHECK usr_exec $CHMOD A0- $node || case_cleanup $STF_FAIL
288 RUN_CHECK usr_exec $CHMOD A0- $node || case_cleanup $STF_FAIL
289 }
290
291 # This case needs to disable the attribute cache.
292 cd /
293 RUN_CHECK do_remount noac || case_cleanup $STF_FAIL
294
295 # use relative path, TX doesn't allow a regular user access zone path.
296 cd $MNTDIR
297 set -A func_name check_owner \
298 check_group \
299 check_everyone \
300 check_spec_user \
301 check_spec_group \
302 check_user_in_group
303
304 for user in root $ACL_STAFF1; do
305 RUN_CHECK set_cur_usr $user || case_cleanup $STF_FAIL
306
307 RUN_CHECK usr_exec $TOUCH $testfile || case_cleanup $STF_FAIL
308 RUN_CHECK usr_exec $MKDIR $testdir || case_cleanup $STF_FAIL
309
310 typeset func node
311 for func in ${func_name[@]}; do
312 for node in $testfile $testdir; do
313 eval $func \$node
314 done
315 done
316
317 RUN_CHECK usr_exec $RM -rf $testfile $testdir || case_cleanup $STF_FAIL
318 done
319
320 # Verify chmod A[number]{+|-|=} read_data/write_data passed.
321 case_cleanup $STF_PASS