1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
#! /usr/bin/ksh -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#
# Copyright (c) 2013, 2016 by Delphix. All rights reserved.
#
. $STF_SUITE/include/libtest.shlib
#
# DESCRIPTION:
#
# The RBAC profile "ZFS File System Management" works
#
# STRATEGY:
#
# The following actions are taken, both using profile execution (pfexec)
# and without profile execution - we make sure that the latter should
# always fail.
#
# (create)
# 1. As a normal user, try to create a filesystem - which should fail.
# 2. Assign "ZFS File System Management" profile, try to create fs again,
# which should succeed.
#
# (pools)
# 3. Ensure a user with this profile can't perform pool administration
# by attempting to destroy a pool.
#
# (destroy)
# 5. Remove the FS profile, then attempt to destroy the fs, which
# should fail.
# 6. Assign the FS profile, then attempt to destroy the fs, which
# should succeed.
#
verify_runnable "both"
log_assert "The RBAC profile \"ZFS File System Management\" works"
ZFS_USER=$(cat /tmp/zfs-privs-test-user.txt)
# Set a $DATASET where we can create child files systems
if is_global_zone; then
log_must zpool create -f $TESTPOOL $DISKS
DATASET=$TESTPOOL
else
DATASET=zonepool/zonectr0
fi
# A user shouldn't be able to create filesystems
log_mustnot su $ZFS_USER -c "zfs create $DATASET/zfsprivfs"
# Insist this invocation of usermod works
log_must usermod -P "ZFS File System Management" $ZFS_USER
# Now try to create file systems as the user
log_mustnot su $ZFS_USER -c "zfs create $DATASET/zfsprivfs"
log_must su $ZFS_USER -c "pfexec zfs create $DATASET/zfsprivfs"
# Ensure the user can't do anything to pools in this state:
log_mustnot su $ZFS_USER -c "zpool destroy $DATASET"
log_mustnot su $ZFS_USER -c "pfexec zpool destroy $DATASET"
# revoke File System Management profile
usermod -P, $ZFS_USER
# Ensure the user can't create more filesystems
log_mustnot su $ZFS_USER -c "zfs create $DATASET/zfsprivfs2"
log_mustnot su $ZFS_USER -c "pfexec zfs create $DATASET/zfsprivfs2"
# assign the profile again and destroy the fs.
usermod -P "ZFS File System Management" $ZFS_USER
log_must su $ZFS_USER -c "pfexec zfs destroy $DATASET/zfsprivfs"
usermod -P, $ZFS_USER
log_pass "The RBAC profile \"ZFS File System Management\" works"
|
