1 #! /usr/bin/ksh -p
2 #
3 # CDDL HEADER START
4 #
5 # The contents of this file are subject to the terms of the
6 # Common Development and Distribution License (the "License").
7 # You may not use this file except in compliance with the License.
8 #
9 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 # or http://www.opensolaris.org/os/licensing.
11 # See the License for the specific language governing permissions
12 # and limitations under the License.
13 #
14 # When distributing Covered Code, include this CDDL HEADER in each
15 # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 # If applicable, add the following below this CDDL HEADER, with the
17 # fields enclosed by brackets "[]" replaced with your own identifying
18 # information: Portions Copyright [yyyy] [name of copyright owner]
19 #
20 # CDDL HEADER END
21 #
22
23 #
24 # Copyright 2009 Sun Microsystems, Inc. All rights reserved.
25 # Use is subject to license terms.
26 #
27
28 . $STF_SUITE/tests/acl/acl_common.kshlib
29
30 #################################################################################
31 #
32 # __stc_assertion_start
33 #
34 # ID: acl_chmod_rwx_pos004
35 #
36 # DESCRIPTION:
37 # Verify that an explicit ACL entry set for a specified user or group
38 # overrides the existing access rule.
39 #
40 # STRATEGY:
41 # 1. Loop root and non-root user.
42 # 2. Loop the specified access one by one.
43 # 3. Loop verify explicit ACL set to specified user and group.
44 #
45 # TESTABILITY: explicit
46 #
47 # TEST_AUTOMATION_LEVEL: automated
48 #
49 # __stc_assertion_end
50 #
51 ################################################################################
52
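#
# Turn on xtrace when the harness debug list selects this test.
# NFSGEN_DEBUG is matched as a colon-separated list that contains either
# this test's NAME or the word "all".
#
# The -n guard matters: with NAME and NFSGEN_DEBUG both unset the left-hand
# side is "::" and the pattern is "*::*", which matches and would switch
# tracing on by accident. Tracing echoes every expanded command line, so
# it should only be enabled when explicitly requested.
#
if [[ -n $NAME && :$NFSGEN_DEBUG: = *:${NAME}:* \
    || :${NFSGEN_DEBUG}: = *:all:* ]]; then
	set -x
fi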
55
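#
# check_access log user node access rflag
#
# Run rwx_node as $user against $node for one access type and fail the
# test through cleanup when the outcome is not the expected one.
#
#	log	harness wrapper rwx_node is run under; the callers in this
#		file pass RUN_CHECK or RUN_CHECKNEG
#	user	account handed to rwx_node
#	node	file or directory under test
#	access	read_data, write_data or execute
#	rflag	allow or deny: the type of the explicit user/group ACE
#
# Output of each rwx_node call is captured in $STF_TMPDIR/$NAME.$$ and
# that path is passed to cleanup on failure.
# NOTE(review): the capture file name is predictable (test name + PID);
# that is only safe if STF_TMPDIR is private to the harness - confirm.
#
# user, node and access are quoted so that a value containing whitespace
# or glob characters reaches rwx_node as one argument. Whether rwx_node
# itself preserves argument boundaries is decided in acl_common.kshlib,
# which is not shown here.
#
function check_access
{
	# Same debug switch as the top of the script.
	# NOTE(review): presumably repeated because ksh function-style
	# bodies do not inherit xtrace - confirm for the ksh in use.
	if [[ -n $NAME && :$NFSGEN_DEBUG: = *:${NAME}:* \
	    || :${NFSGEN_DEBUG}: = *:all:* ]]; then
		set -x
	fi

	typeset log=$1
	typeset user=$2
	typeset node=$3
	typeset access=$4
	typeset rflag=$5
	typeset outfile=$STF_TMPDIR/$NAME.$$

	if [[ $rflag == "allow" && $access == execute ]]; then
		# The exit status is ignored on purpose: the verdict for
		# this case is taken from ACL_ERR_STR below.
		rwx_node "$user" "$node" "$access" > "$outfile" 2>&1
		#
		# While everyone@ is denied, the file itself cannot be run.
		# A "cannot execute" error therefore means the user was
		# granted execute permission; it is only the file that
		# could not be executed.
		# NOTE(review): ACL_ERR_STR is not assigned in this file;
		# presumably rwx_node sets it - confirm in acl_common.kshlib.
		#
		if [[ $ACL_ERR_STR != *"cannot execute"* ]]; then
			echo "FAIL: rwx_node $user $node $access"
			cleanup $STF_FAIL "$outfile"
		fi
	else
		# $log is left unquoted: it carries the name of the harness
		# wrapper to run, not data.
		$log rwx_node "$user" "$node" "$access" > "$outfile" 2>&1 \
		    || cleanup $STF_FAIL "$outfile"
	fi
}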
84
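#
# verify_explicit_ACL_rule node access flag
#
# Check that an explicit user or group ACE wins over a broader rule for
# one node, one access type and one allow/deny flag.
#
#	node	file or directory under test
#	access	read_data, write_data or execute
#	flag	allow or deny: the type given to the broader rule; the
#		explicit ACE gets the opposite type (rflag)
#
# The sequence relies on Solaris chmod ACL syntax: "A+" puts the new ACE
# at the head of the ACL and "A0-" deletes entry 0, so each explicit ACE
# is evaluated ahead of the rule added before it. The order of the chmod
# calls is therefore significant and must not be rearranged.
#
# Three rounds are run:
#   1. everyone@ gets $flg, user $ACL_OTHER1 gets $rflag on top of it.
#   2. group $ACL_OTHER_GROUP gets $rflag on top of everyone@.
#   3. the group gets $flg, user $ACL_OTHER1 gets $rflag on top of it.
#
# Returns without testing anything when ZONE_PATH is set and the case is
# execute on a directory. Any failed step ends in cleanup $STF_FAIL.
#
# ACE specs and $node are quoted so that unusual characters in the harness
# values cannot split one chmod argument into several; what usr_exec does
# with its arguments is decided in acl_common.kshlib, not shown here.
#
function verify_explicit_ACL_rule
{
	# Same debug switch as the top of the script.
	# NOTE(review): presumably repeated because ksh function-style
	# bodies do not inherit xtrace - confirm for the ksh in use.
	if [[ -n $NAME && :$NFSGEN_DEBUG: = *:${NAME}:* \
	    || :${NFSGEN_DEBUG}: = *:all:* ]]; then
		set -x
	fi

	# ksh array assignment. Not read inside this function; it assigns
	# the same three values the main script gives a_access.
	set -A a_access "read_data" "write_data" "execute"
	typeset node=$1
	typeset access=$2
	typeset flg=$3
	typeset log rlog rflag
	typeset outfile=$STF_TMPDIR/$NAME.$$

	# Pick the expected outcome. rflag is the opposite of flg; log is
	# the wrapper for subjects covered by the explicit $rflag ACE, rlog
	# the wrapper for subjects still governed by $flg.
	if [[ $flg == allow ]]; then
		log=RUN_CHECKNEG
		rlog=RUN_CHECK
		rflag=deny
	else
		log=RUN_CHECK
		rlog=RUN_CHECKNEG
		rflag=allow
	fi

	# rwx_node() calls 'find' to verify execute permission on a
	# directory. In a TX environment a regular user has no permission
	# to access the zone path, so that case is skipped.
	if [[ -n $ZONE_PATH ]] && [[ $access == *execute* ]] && [[ -d $node ]]; then
		return
	fi

	# Round 1: broad everyone@ rule, then the opposite rule for one
	# user. Only the user ACE is removed afterwards; everyone@ stays
	# in place for round 2.
	RUN_CHECK usr_exec $CHMOD "A+everyone@:$access:$flg" "$node" \
	    || cleanup $STF_FAIL
	RUN_CHECK usr_exec $CHMOD "A+user:$ACL_OTHER1:$access:$rflag" "$node" \
	    || cleanup $STF_FAIL
	check_access $log "$ACL_OTHER1" "$node" "$access" $rflag \
	    || cleanup $STF_FAIL
	RUN_CHECK usr_exec $CHMOD A0- "$node" || cleanup $STF_FAIL

	# Round 2: the opposite rule for a group, still on top of
	# everyone@. Both test users are checked.
	# NOTE(review): assumes ACL_OTHER1 and ACL_OTHER2 are both members
	# of ACL_OTHER_GROUP - confirm against the harness setup.
	RUN_CHECK usr_exec \
	    $CHMOD "A+group:$ACL_OTHER_GROUP:$access:$rflag" "$node" \
	    || cleanup $STF_FAIL
	check_access $log "$ACL_OTHER1" "$node" "$access" $rflag \
	    || cleanup $STF_FAIL
	check_access $log "$ACL_OTHER2" "$node" "$access" $rflag \
	    || cleanup $STF_FAIL
	# Two removals: the group ACE, then the everyone@ ACE from round 1.
	RUN_CHECK usr_exec $CHMOD A0- "$node" || cleanup $STF_FAIL
	RUN_CHECK usr_exec $CHMOD A0- "$node" || cleanup $STF_FAIL

	# Round 3: group rule with $flg, user rule with $rflag on top.
	# ACL_OTHER1 must see the user rule ($log), ACL_OTHER2 only the
	# group rule ($rlog).
	RUN_CHECK usr_exec \
	    $CHMOD "A+group:$ACL_OTHER_GROUP:$access:$flg" "$node" \
	    || cleanup $STF_FAIL
	RUN_CHECK usr_exec $CHMOD "A+user:$ACL_OTHER1:$access:$rflag" "$node" \
	    || cleanup $STF_FAIL
	$log rwx_node "$ACL_OTHER1" "$node" "$access" > "$outfile" 2>&1 \
	    || cleanup $STF_FAIL "$outfile"
	$rlog rwx_node "$ACL_OTHER2" "$node" "$access" > "$outfile" 2>&1 \
	    || cleanup $STF_FAIL "$outfile"
	# Two removals: the user ACE, then the group ACE.
	RUN_CHECK usr_exec $CHMOD A0- "$node" || cleanup $STF_FAIL
	RUN_CHECK usr_exec $CHMOD A0- "$node" || cleanup $STF_FAIL
}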
143
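#
# Test driver.
#
# For root and for $ACL_STAFF1 in turn: create a fresh file and directory
# with mode 755, run verify_explicit_ACL_rule for every combination of
# node, access type and allow/deny flag, then remove both nodes.
#
# testfile and testdir are not assigned in this file; they are expected
# to come from the harness. Path and ACL arguments are quoted so a value
# with whitespace or glob characters stays one argument at this level;
# what usr_exec does with its arguments is decided in acl_common.kshlib.
#
echo "ASSERTION: Verify that explicit ACL setting to specified user or group will" \
	"override existed access rule."

if [[ -n $ZONE_PATH ]]; then
	echo "\n\tThe test runs in TX configuration, we don't verify"
	echo "\texecute permission on a directory.\n"
fi

set -A a_access "read_data" "write_data" "execute"
set -A a_flag "allow" "deny"
typeset node

# Run once as a privileged and once as an unprivileged owner.
for user in root $ACL_STAFF1; do
	RUN_CHECK set_cur_usr "$user" || cleanup $STF_FAIL

	RUN_CHECK usr_exec $TOUCH "$testfile" || cleanup $STF_FAIL
	RUN_CHECK usr_exec $MKDIR "$testdir" || cleanup $STF_FAIL
	RUN_CHECK usr_exec $CHMOD 755 "$testfile" "$testdir" \
	    || cleanup $STF_FAIL

	for node in "$testfile" "$testdir"; do
		for access in "${a_access[@]}"; do
			for flg in "${a_flag[@]}"; do
				# Failures are reported from inside the
				# function through cleanup; its return
				# status is not checked here.
				verify_explicit_ACL_rule \
				    "$node" "$access" "$flg"
			done
		done
	done

	# Start the next user's pass from freshly created nodes.
	RUN_CHECK usr_exec $RM -rf "$testfile" "$testdir" \
	    || cleanup $STF_FAIL
done

# Every combination passed: an explicit ACL entry for a specified user or
# group overrides the existing access rule.
cleanup $STF_PASS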