7290 ZFS test suite needs to control what utilities it can run
Reviewed by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed by: Matthew Ahrens <mahrens@delphix.com>

*** 24,34 **** # Copyright 2007 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # ! # Copyright (c) 2013 by Delphix. All rights reserved. # . $STF_SUITE/include/libtest.shlib # --- 24,34 ---- # Copyright 2007 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # # ! # Copyright (c) 2013, 2016 by Delphix. All rights reserved. # . $STF_SUITE/include/libtest.shlib #
*** 57,91 **** # We can only run this in the global zone verify_runnable "global" log_assert "The RBAC profile \"ZFS Storage Management\" works" ! ZFS_USER=$($CAT /tmp/zfs-privs-test-user.txt) # the user shouldn't be able to do anything initially ! log_mustnot $SU $ZFS_USER -c "$ZPOOL create $TESTPOOL $DISKS" ! log_mustnot $SU $ZFS_USER -c "$PFEXEC $ZPOOL create $TESTPOOL $DISKS" # the first time we assign the profile, we insist it should work ! log_must $USERMOD -P "ZFS Storage Management" $ZFS_USER ! log_must $SU $ZFS_USER -c "$PFEXEC $ZPOOL create -f $TESTPOOL $DISKS" # ensure the user can't create a filesystem with this profile ! log_mustnot $SU $ZFS_USER -c "$ZFS create $TESTPOOL/fs" # add ZFS File System Management profile, and try to create a fs ! log_must $USERMOD -P "ZFS File System Management" $ZFS_USER ! log_must $SU $ZFS_USER -c "$PFEXEC $ZFS create $TESTPOOL/fs" # revoke File System Management profile ! $USERMOD -P, $ZFS_USER ! $USERMOD -P "ZFS Storage Management" $ZFS_USER # ensure the user can destroy pools ! log_mustnot $SU $ZFS_USER -c "$ZPOOL destroy $TESTPOOL" ! log_must $SU $ZFS_USER -c "$PFEXEC $ZPOOL destroy $TESTPOOL" # revoke Storage Management profile ! $USERMOD -P, $ZFS_USER ! log_mustnot $SU $ZFS_USER -c "$PFEXEC $ZPOOL create -f $TESTPOOL $DISKS" log_pass "The RBAC profile \"ZFS Storage Management\" works" --- 57,91 ---- # We can only run this in the global zone verify_runnable "global" log_assert "The RBAC profile \"ZFS Storage Management\" works" ! ZFS_USER=$(cat /tmp/zfs-privs-test-user.txt) # the user shouldn't be able to do anything initially ! log_mustnot su $ZFS_USER -c "zpool create $TESTPOOL $DISKS" ! log_mustnot su $ZFS_USER -c "pfexec zpool create $TESTPOOL $DISKS" # the first time we assign the profile, we insist it should work ! log_must usermod -P "ZFS Storage Management" $ZFS_USER ! log_must su $ZFS_USER -c "pfexec zpool create -f $TESTPOOL $DISKS" # ensure the user can't create a filesystem with this profile ! 
log_mustnot su $ZFS_USER -c "zfs create $TESTPOOL/fs" # add ZFS File System Management profile, and try to create a fs ! log_must usermod -P "ZFS File System Management" $ZFS_USER ! log_must su $ZFS_USER -c "pfexec zfs create $TESTPOOL/fs" # revoke File System Management profile ! usermod -P, $ZFS_USER ! usermod -P "ZFS Storage Management" $ZFS_USER # ensure the user can destroy pools ! log_mustnot su $ZFS_USER -c "zpool destroy $TESTPOOL" ! log_must su $ZFS_USER -c "pfexec zpool destroy $TESTPOOL" # revoke Storage Management profile ! usermod -P, $ZFS_USER ! log_mustnot su $ZFS_USER -c "pfexec zpool create -f $TESTPOOL $DISKS" log_pass "The RBAC profile \"ZFS Storage Management\" works"
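Review bot: `ZFS_USER=$(cat /tmp/zfs-privs-test-user.txt)` still takes the account name from a fixed path under /tmp, and the new lines expand it unquoted in `usermod -P ... $ZFS_USER` and `su $ZFS_USER -c ...`, which run with privilege. Where that file is written is outside this hunk, but if it is empty, missing, or was placed there by another local user, the profile grant is applied to an argument list the test did not intend. A guard such as `[[ -n $ZFS_USER ]] || log_fail "no test user recorded"` together with quoting `"$ZFS_USER"` would contain that. Separately, the two revoke steps `usermod -P, $ZFS_USER` and the re-grant between them are not wrapped in `log_must`, so a failed revocation is not reported at the step where it happens; `log_must usermod -P, "$ZFS_USER"` would surface it.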