7290 Wdiff usr/src/test/zfs-tests/tests/functional/privilege/privilege_002_pos.ksh

Print this page

7290 ZFS test suite needs to control what utilities it can run
Reviewed by: Dan Kimmel <dan.kimmel@delphix.com>
Reviewed by: Matthew Ahrens <mahrens@delphix.com>

Split	Close
Expand all
Collapse all

          --- old/usr/src/test/zfs-tests/tests/functional/privilege/privilege_002_pos.ksh
          +++ new/usr/src/test/zfs-tests/tests/functional/privilege/privilege_002_pos.ksh

   1    1  #! /usr/bin/ksh -p
   2    2  #
   3    3  # CDDL HEADER START
   4    4  #
   5    5  # The contents of this file are subject to the terms of the
   6    6  # Common Development and Distribution License (the "License").
   7    7  # You may not use this file except in compliance with the License.
   8    8  #
   9    9  # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
  10   10  # or http://www.opensolaris.org/os/licensing.
  11   11  # See the License for the specific language governing permissions
  12   12  # and limitations under the License.
  13   13  #
  14   14  # When distributing Covered Code, include this CDDL HEADER in each
  15   15  # file and include the License file at usr/src/OPENSOLARIS.LICENSE.
  16   16  # If applicable, add the following below this CDDL HEADER, with the
  17   17  # fields enclosed by brackets "[]" replaced with your own identifying
  18   18  # information: Portions Copyright [yyyy] [name of copyright owner]

↓ open down ↓

18 lines elided

↑ open up ↑

  19   19  #
  20   20  # CDDL HEADER END
  21   21  #
  22   22  
  23   23  #
  24   24  # Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
  25   25  # Use is subject to license terms.
  26   26  #
  27   27  
  28   28  #
  29      -# Copyright (c) 2013 by Delphix. All rights reserved.
       29 +# Copyright (c) 2013, 2016 by Delphix. All rights reserved.
  30   30  #
  31   31  
  32   32  . $STF_SUITE/include/libtest.shlib
  33   33  
  34   34  #
  35   35  # DESCRIPTION:
  36   36  #
  37   37  # The RBAC profile "ZFS File System Management" works
  38   38  #
  39   39  # STRATEGY:

  40   40  #
  41   41  #       The following actions are taken, both using profile execution (pfexec)
  42   42  #       and without profile execution - we make sure that the latter should
  43   43  #       always fail.
  44   44  #
  45   45  #       (create)
  46   46  #       1. As a normal user, try to create a filesystem - which should fail.
  47   47  #       2. Assign "ZFS File System Management" profile, try to create fs again,
  48   48  #          which should succeed.
  49   49  #
  50   50  #       (pools)
  51   51  #       3. Ensure a user with this profile can't perform pool administration
  52   52  #          by attempting to destroy a pool.
  53   53  #
  54   54  #       (destroy)

↓ open down ↓

15 lines elided

↑ open up ↑

  55   55  #       5. Remove the FS profile, then attempt to destroy the fs, which
  56   56  #          should fail.
  57   57  #       6. Assign the FS profile, then attempt to destroy the fs, which
  58   58  #          should succeed.
  59   59  #
  60   60  
  61   61  verify_runnable "both"
  62   62  
  63   63  log_assert "The RBAC profile \"ZFS File System Management\" works"
  64   64  
  65      -ZFS_USER=$($CAT /tmp/zfs-privs-test-user.txt)
       65 +ZFS_USER=$(cat /tmp/zfs-privs-test-user.txt)
  66   66  
  67   67  # Set a $DATASET where we can create child files systems
  68   68  if is_global_zone; then
  69      -        log_must $ZPOOL create -f $TESTPOOL $DISKS
       69 +        log_must zpool create -f $TESTPOOL $DISKS
  70   70          DATASET=$TESTPOOL
  71   71  else
  72   72          DATASET=zonepool/zonectr0
  73   73  fi
  74   74  
  75   75  # A user shouldn't be able to create filesystems
  76      -log_mustnot $SU $ZFS_USER -c "$ZFS create $DATASET/zfsprivfs"
       76 +log_mustnot su $ZFS_USER -c "zfs create $DATASET/zfsprivfs"
  77   77  
  78   78  # Insist this invocation of usermod works
  79      -log_must $USERMOD -P "ZFS File System Management" $ZFS_USER
       79 +log_must usermod -P "ZFS File System Management" $ZFS_USER
  80   80  
  81   81  # Now try to create file systems as the user
  82      -log_mustnot $SU $ZFS_USER -c "$ZFS create $DATASET/zfsprivfs"
  83      -log_must $SU $ZFS_USER -c "$PFEXEC $ZFS create $DATASET/zfsprivfs"
       82 +log_mustnot su $ZFS_USER -c "zfs create $DATASET/zfsprivfs"
       83 +log_must su $ZFS_USER -c "pfexec zfs create $DATASET/zfsprivfs"
  84   84  
  85   85  # Ensure the user can't do anything to pools in this state:
  86      -log_mustnot $SU $ZFS_USER -c "$ZPOOL destroy $DATASET"
  87      -log_mustnot $SU $ZFS_USER -c "$PFEXEC $ZPOOL destroy $DATASET"
       86 +log_mustnot su $ZFS_USER -c "zpool destroy $DATASET"
       87 +log_mustnot su $ZFS_USER -c "pfexec zpool destroy $DATASET"
  88   88  
  89   89  # revoke File System Management profile
  90      -$USERMOD -P, $ZFS_USER
       90 +usermod -P, $ZFS_USER
  91   91  
  92   92  # Ensure the user can't create more filesystems
  93      -log_mustnot $SU $ZFS_USER -c "$ZFS create $DATASET/zfsprivfs2"
  94      -log_mustnot $SU $ZFS_USER -c "$PFEXEC $ZFS create $DATASET/zfsprivfs2"
       93 +log_mustnot su $ZFS_USER -c "zfs create $DATASET/zfsprivfs2"
       94 +log_mustnot su $ZFS_USER -c "pfexec zfs create $DATASET/zfsprivfs2"
  95   95  
  96   96  # assign the profile again and destroy the fs.
  97      -$USERMOD -P "ZFS File System Management" $ZFS_USER
  98      -log_must $SU $ZFS_USER -c "$PFEXEC $ZFS destroy $DATASET/zfsprivfs"
  99      -$USERMOD -P, $ZFS_USER
       97 +usermod -P "ZFS File System Management" $ZFS_USER
       98 +log_must su $ZFS_USER -c "pfexec zfs destroy $DATASET/zfsprivfs"
       99 +usermod -P, $ZFS_USER
 100  100  
 101  101  log_pass "The RBAC profile \"ZFS File System Management\" works"

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX