authorYuri Pankov <yuri.pankov@nexenta.com>2016-04-19 16:46:11 -0700
committerMatthew Ahrens <mahrens@delphix.com>2016-04-20 08:34:03 -0700
commit232f5a2e6e6fcc0e7d4f5bd719cd5e6433a24020 (patch)
treeea3e1111cabe06535d5703e375b40f99e7ff6abb
parentda412744bc6f902e4519ae67e92191a2e5d85e2c (diff)
6875 fix zfs-tests ACL cases
Reviewed by: Gordon Ross <gwr@nexenta.com> Reviewed by: John Kennedy <john.kennedy@delphix.com> Approved by: Richard Lowe <richlowe@richlowe.net>
-rw-r--r--usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_aclmode_001_pos.ksh313
-rw-r--r--usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_delete_001_pos.ksh64
-rw-r--r--usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_002_neg.ksh265
-rw-r--r--usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_003_pos.ksh417
-rw-r--r--usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_004_pos.ksh132
5 files changed, 486 insertions, 705 deletions
diff --git a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_aclmode_001_pos.ksh b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_aclmode_001_pos.ksh
index 0dfd6864be..6486f58464 100644
--- a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_aclmode_001_pos.ksh
+++ b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_aclmode_001_pos.ksh
@@ -27,69 +27,62 @@
#
# Copyright (c) 2012 by Delphix. All rights reserved.
+# Copyright 2016 Nexenta Systems, Inc.
#
. $STF_SUITE/tests/functional/acl/acl_common.kshlib
-#
# DESCRIPTION:
-# Verify chmod have correct behaviour on directories and files when
-# filesystem has the different aclmode setting
+# Verify chmod have correct behaviour on directories and files when
+# filesystem has the different aclmode setting
#
# STRATEGY:
-# 1. Loop super user and non-super user to run the test case.
-# 2. Create basedir and a set of subdirectores and files within it.
-# 3. Separately chmod basedir with different aclmode options,
-# combine with the variable setting of aclmode:
-# "discard", "groupmask", or "passthrough".
-# 4. Verify each directories and files have the correct access control
-# capability.
-#
+# 1. Loop super user and non-super user to run the test case.
+# 2. Create basedir and a set of subdirectores and files within it.
+# 3. Separately chmod basedir with different aclmode options,
+# combine with the variable setting of aclmode:
+# "discard", "groupmask", or "passthrough".
+# 4. Verify each directories and files have the correct access control
+# capability.
verify_runnable "both"
function cleanup
{
- # Cleanup tarfile & basedir.
-
(( ${#cwd} != 0 )) && cd $cwd
- if [[ -f $TARFILE ]]; then
- log_must $RM -f $TARFILE
- fi
-
- if [[ -d $basedir ]]; then
- log_must $RM -rf $basedir
- fi
+ [[ -f $TARFILE ]] && log_must $RM -f $TARFILE
+ [[ -d $basedir ]] && log_must $RM -rf $basedir
}
-log_assert "Verify chmod have correct behaviour to directory and file when " \
- "filesystem has the different aclmode setting."
+log_assert "Verify chmod have correct behaviour to directory and file when" \
+ "filesystem has the different aclmode setting"
log_onexit cleanup
-# Define aclmode flag
-set -A aclmode_flag discard groupmask passthrough
-
-set -A ace_prefix "user:$ZFS_ACL_OTHER1" \
- "user:$ZFS_ACL_OTHER2" \
- "group:$ZFS_ACL_STAFF_GROUP" \
- "group:$ZFS_ACL_OTHER_GROUP"
-
-set -A argv "000" "444" "644" "777" "755" "231" "562" "413"
-
-set -A ace_file_preset "read_data" \
- "write_data" \
- "append_data" \
- "execute" \
- "read_data/write_data" \
- "read_data/write_data/append_data" \
- "write_data/append_data" \
- "read_data/execute" \
- "write_data/append_data/execute" \
- "read_data/write_data/append_data/execute"
-
-# Defile the based directory and file
+set -A aclmode_flag "discard" "groupmask" "passthrough"
+
+set -A ace_prefix \
+ "user:$ZFS_ACL_OTHER1" \
+ "user:$ZFS_ACL_OTHER2" \
+ "group:$ZFS_ACL_STAFF_GROUP" \
+ "group:$ZFS_ACL_OTHER_GROUP"
+
+set -A argv "000" "444" "644" "777" "755" "231" "562" "413"
+
+set -A ace_file_preset \
+ "read_data" \
+ "write_data" \
+ "append_data" \
+ "execute" \
+ "read_data/write_data" \
+ "read_data/write_data/append_data" \
+ "write_data/append_data" \
+ "read_data/execute" \
+ "write_data/append_data/execute" \
+ "read_data/write_data/append_data/execute"
+
+# Define the base directory and file
basedir=$TESTDIR/basedir; ofile=$basedir/ofile; odir=$basedir/odir
nfile=$basedir/nfile; ndir=$basedir/ndir
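Review bot: cleanup() now ends on `[[ -d $basedir ]] && log_must $RM -rf $basedir`, so it returns non-zero whenever basedir is already gone, where the old `if … fi` form returned 0. Whether log_onexit looks at that status is not visible here; a closing `return 0`, or keeping the `if` form for the last test, removes the question. `$RM -rf $basedir` is also unquoted, so a TESTDIR containing whitespace would be split into several rm targets; `log_must $RM -rf "$basedir"` is safer. The same cleanup ending appears in zfs_acl_chmod_inherit_003_pos.ksh.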
@@ -98,7 +91,6 @@ TARFILE=$TESTDIR/tarfile
# Verify all the node have expected correct access control
allnodes="$nfile $ndir"
-#
# According to the original bits, the input ACE access and ACE type, return the
# expect bits after 'chmod A0{+|=}'.
#
@@ -107,7 +99,6 @@ allnodes="$nfile $ndir"
# $3 bits_limit which was make up of three bit 'rwx'
# $4 ACE access which is read_data, write_data or execute
# $5 ctrl which is to determine allow or deny according to owner/group bit
-#
function cal_bits # isdir bits bits_limit acl_access ctrl
{
typeset -i isdir=$1
@@ -129,7 +120,7 @@ function cal_bits # isdir bits bits_limit acl_access ctrl
flagx=1
fi
else
- #Determine ACE as per owner/group bit
+ # Determine ACE as per owner/group bit
flagr=1
flagw=1
flagx=1
@@ -147,16 +138,16 @@ function cal_bits # isdir bits bits_limit acl_access ctrl
flagx=0
fi
fi
+
if ((flagr != 0)); then
if [[ $acl_access == *"read_data"* ]]; then
- if [[ $acl_access == *"allow"* && $passthrough == 0 ]]; then
- tmpstr=${tmpstr}
+ if [[ $acl_access == *"allow"* &&
+ $passthrough == 0 ]]; then
+ tmpstr=${tmpstr}
+ elif ((isdir == 0)); then
+ tmpstr=${tmpstr}/read_data
else
- if ((isdir == 0)); then
- tmpstr=${tmpstr}/read_data
- else
- tmpstr=${tmpstr}/list_directory/read_data
- fi
+ tmpstr=${tmpstr}/list_directory/read_data
fi
fi
fi
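Review bot: The rewrapped test `$passthrough == 0` reads a global that cal_bits' header comment does not mention; the comment lists only the positional arguments up to `$5`. verify_aclmode sets `passthrough=1` in its passthrough case and calls cal_bits through `$(…)`, so the result depends on state the signature does not show. I would add a line to the header such as `# Reads global $passthrough, set by verify_aclmode`. The `tmpstr=${tmpstr}` branch is a no-op kept as a placeholder; a `:` or a negated condition would say so directly, and the same applies to the execute block in the next hunk. cal_bits starts and ends outside this hunk.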
@@ -176,14 +167,17 @@ function cal_bits # isdir bits bits_limit acl_access ctrl
if ((isdir == 0)); then
tmpstr=${tmpstr}/append_data
else
- tmpstr=${tmpstr}/add_subdirectory/append_data
+ tmpstr=${tmpstr}/add_subdirectory
+ tmpstr=${tmpstr}/append_data
fi
fi
fi
fi
+
if ((flagx != 0)); then
if [[ $acl_access == *"execute"* ]]; then
- if [[ $acl_access == *"allow"* && $passthrough == 0 ]]; then
+ if [[ $acl_access == *"allow"* &&
+ $passthrough == 0 ]]; then
tmpstr=${tmpstr}
else
tmpstr=${tmpstr}/execute
@@ -237,6 +231,8 @@ function check_new_acl # bit newmode isdir
typeset gbit
typeset ebit
typeset str=":"
+ typeset dc=""
+
gbit=${mode:1:1}
ebit=${mode:2:1}
if (( ((bits & 4)) == 0 )); then
@@ -258,6 +254,7 @@ function check_new_acl # bit newmode isdir
else
new_acl=${new_acl}${str}add_file/write_data/
new_acl=${new_acl}add_subdirectory/append_data
+ dc="/delete_child"
fi
str="/"
fi
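Review bot: `dc="/delete_child"` is set here with no comment on why, and it is only appended at the very end of check_new_acl in the next hunk (`new_acl=${new_acl}${dc}`), so the reason for deferring it is easy to miss. A comment above the assignment would help, for example `# directories with the write bit also get delete_child; it is appended last because it sorts after execute`. That wording assumes the branch is the directory case of a write-bit test, which the hunk does not show in full. check_new_acl starts outside this hunk.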
@@ -268,6 +265,7 @@ function check_new_acl # bit newmode isdir
new_acl=${new_acl}${str}execute
fi
fi
+ new_acl=${new_acl}${dc}
$ECHO "$new_acl"
}
@@ -290,10 +288,8 @@ function build_new_acl # newmode isdir
$ECHO $expect
}
-#
# According to inherited flag, verify subdirectories and files within it has
# correct inherited access control.
-#
function verify_aclmode # <aclmode> <node> <newmode>
{
# Define the nodes which will be affected by inherit.
@@ -345,106 +341,103 @@ function verify_aclmode # <aclmode> <node> <newmode>
#
case $aclmode in
- passthrough)
- if ((acl_count > total_acl)); then
- expect1=$(build_new_acl $newmode $isdir)
- flag=1
- ((total_acl = total_acl + 1))
- ((i = i + 1))
- else
- passthrough=1
- expect1=$(translate_acl $isdir $expect1)
- fi
- ;;
- groupmask)
- if ((acl_count > total_acl)); then
- expect1=$(build_new_acl $newmode $isdir)
- flag=1
- ((total_acl = total_acl + 1))
- ((i = i + 1))
-
- elif [[ $expect1 == *":allow"* ]]; then
- who=${expect1%%:*}
- aclaction=${expect1##*:}
- prefix=$who
- acltemp=""
- reduce=0
- #
- # To determine the mask bits
- # according to the entry type.
- #
- case $who in
- owner@)
- pos=0
- ;;
- group@)
- pos=1
- ;;
- everyone@)
- pos=2
- ;;
- user)
- acltemp=${expect1#*:}
- acltemp=${acltemp%%:*}
- owner=$(get_owner $node)
- group=$(get_group $node)
- if [[ $acltemp == \
- $owner ]]; then
- pos=0
- else
- pos=1
- fi
- prefix=$prefix:$acltemp
- ;;
- group)
- acltemp=${expect1#*:}
- acltemp=${acltemp%%:*}
- pos=1
- prefix=$prefix:$acltemp
- reduce=1
- ;;
- esac
- obits=${newmode:$pos:1}
- ((bits = $obits))
- #
- # permission should be no greater than the
- # group permission bits
- #
- if ((reduce != 0)); then
- ((bits &= ${newmode:1:1}))
+ passthrough)
+ if ((acl_count > total_acl)); then
+ expect1=$(build_new_acl $newmode $isdir)
+ flag=1
+ ((total_acl = total_acl + 1))
+ ((i = i + 1))
+ else
+ passthrough=1
+ expect1=$(translate_acl $isdir $expect1)
+ fi
+ ;;
+ groupmask)
+ if ((acl_count > total_acl)); then
+ expect1=$(build_new_acl $newmode $isdir)
+ flag=1
+ ((total_acl = total_acl + 1))
+ ((i = i + 1))
+ elif [[ $expect1 == *":allow"* ]]; then
+ who=${expect1%%:*}
+ aclaction=${expect1##*:}
+ prefix=$who
+ acltemp=""
+ reduce=0
+ # To determine the mask bits
+ # according to the entry type.
+ #
+ case $who in
+ owner@)
+ pos=0
+ ;;
+ group@)
+ pos=1
+ ;;
+ everyone@)
+ pos=2
+ ;;
+ user)
+ acltemp=${expect1#*:}
+ acltemp=${acltemp%%:*}
+ owner=$(get_owner $node)
+ group=$(get_group $node)
+ if [[ $acltemp == $owner ]]; then
+ pos=0
+ else
+ pos=1
+ fi
+ prefix=$prefix:$acltemp
+ ;;
+ group)
+ acltemp=${expect1#*:}
+ acltemp=${acltemp%%:*}
+ pos=1
+ prefix=$prefix:$acltemp
+ reduce=1
+ ;;
+ esac
+
+ obits=${newmode:$pos:1}
+ ((bits = $obits))
+ # permission should be no greater than the
+ # group permission bits
+ if ((reduce != 0)); then
+ ((bits &= ${newmode:1:1}))
# The ACL permissions are reduced so
# that they are no greater than owner
# permission bits.
+ ((bits_owner = ${newmode:0:1}))
+ ((bits &= $bits_owner))
+ fi
- ((bits_owner = ${newmode:0:1}))
- ((bits &= $bits_owner))
- fi
-
- if ((bits < obits)) && \
- [[ -n $acltemp ]]; then
- expect2=$prefix:
- new_bit=$(cal_bits $isdir $obits $bits_owner $expect1 1)
- expect2=${expect2}${new_bit}:allow
- else
- expect2=$prefix:
- new_bit=$(cal_bits $isdir $obits $obits $expect1 1)
- expect2=${expect2}${new_bit}:allow
- fi
- priv=$(cal_bits $isdir $obits $bits_owner $expect2 0)
- expect1=$prefix:$priv:$aclaction
+ if ((bits < obits)) && [[ -n $acltemp ]]; then
+ expect2=$prefix:
+ new_bit=$(cal_bits $isdir $obits \
+ $bits_owner $expect1 1)
+ expect2=${expect2}${new_bit}:allow
else
- expect1=$(translate_acl $isdir $expect1)
+ expect2=$prefix:
+ new_bit=$(cal_bits $isdir $obits \
+ $obits $expect1 1)
+ expect2=${expect2}${new_bit}:allow
fi
- ;;
- discard)
- passcnt=maxnumber
- break
- ;;
+
+ priv=$(cal_bits $isdir $obits $bits_owner \
+ $expect2 0)
+ expect1=$prefix:$priv:$aclaction
+ else
+ expect1=$(translate_acl $isdir $expect1)
+ fi
+ ;;
+ discard)
+ passcnt=maxnumber
+ break
+ ;;
esac
if ((pass == 0)) ; then
# Get the first ACE to do comparison
-
aclcur=$(get_ACE $node $count)
aclcur=${aclcur#$count:}
if [[ -n $expect1 && $expect1 != $aclcur ]]; then
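Review bot: `bits_owner` is assigned only inside `if ((reduce != 0))`, but the groupmask branch passes it unquoted to cal_bits for every entry type in `priv=$(cal_bits $isdir $obits $bits_owner $expect2 0)`. For owner@, group@, everyone@ and user: entries reduce stays 0, so cal_bits receives either a value left over from an earlier ACE or, if the variable is still empty, one argument fewer with the remaining ones shifted left. Moving `((bits_owner = ${newmode:0:1}))` above the `if` makes every call see the owner bits of the current mode. Whether bits_owner is declared elsewhere in verify_aclmode is not visible, since the function starts and ends outside this hunk.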
@@ -487,11 +480,6 @@ cwd=$PWD
cd $TESTDIR
for mode in "${aclmode_flag[@]}"; do
-
- #
- # Set different value of aclmode
- #
-
log_must $ZFS set aclmode=$mode $TESTPOOL/$TESTFS
for user in root $ZFS_ACL_STAFF1; do
@@ -511,17 +499,14 @@ for mode in "${aclmode_flag[@]}"; do
acl=$prefix:$preset
case $((maxnumber % 2)) in
- 0)
- acl=$acl:deny
- ;;
- 1)
- acl=$acl:allow
- ;;
+ 0)
+ acl=$acl:deny
+ ;;
+ 1)
+ acl=$acl:allow
+ ;;
esac
- #
- # Place on the target should succeed.
- #
log_must usr_exec $CHMOD A+$acl $obj
acls[$maxnumber]=$acl
@@ -540,8 +525,6 @@ for mode in "${aclmode_flag[@]}"; do
log_must usr_exec $CHMOD $newmode $obj
log_must usr_exec $CHMOD $newmode $target
log_must verify_aclmode $mode $obj $newmode
-
- # Restore the tar archive
log_must $TAR xpf@ $TARFILE
done
done
@@ -550,4 +533,4 @@ for mode in "${aclmode_flag[@]}"; do
done
done
-log_pass "Verify chmod behaviour co-op with aclmode setting passed."
+log_pass "Verify chmod behaviour co-op with aclmode setting passed"
diff --git a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_delete_001_pos.ksh b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_delete_001_pos.ksh
index 7ddf774e85..ec96c7bae6 100644
--- a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_delete_001_pos.ksh
+++ b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_delete_001_pos.ksh
@@ -25,12 +25,15 @@
# Use is subject to license terms.
#
+#
+# Copyright 2016 Nexenta Systems, Inc.
+#
+
. $STF_SUITE/tests/functional/acl/acl_common.kshlib
-#
# DESCRIPTION:
-# Verify that the combined delete_child/delete permission for
-# owner/group/everyone are correct.
+# Verify that the combined delete_child/delete permission for
+# owner/group/everyone are correct.
#
# -------------------------------------------------------
# | Parent Dir | Target Object Permissions |
@@ -39,20 +42,13 @@
# | | ACL Allows | ACL Denies| Delete |
# | | Delete | Delete | unspecified|
# -------------------------------------------------------
-# | ACL Allows | Permit | Permit | Permit |
-# | DELETE_CHILD | |
+# | ACL Denies | Permit | Deny | Deny |
+# | DELETE_CHILD | | | |
+# | or WRITE_DATA | | | |
# -------------------------------------------------------
-# | ACL Denies | Permit | Deny | Deny |
-# | DELETE_CHILD | | | |
-# -------------------------------------------------------
-# | ACL specifies | | | |
-# | only allows | Permit | Permit | Permit |
-# | write and | | | |
-# | execute | | | |
-# -------------------------------------------------------
-# | ACL denies | | | |
-# | write and | Permit | Deny | Deny |
-# | execute | | | |
+# | ACL Allows | Permit | Deny | Permit |
+# | DELETE_CHILD | | | |
+# | or WRITE_DATA | | | |
# -------------------------------------------------------
#
# STRATEGY:
@@ -60,7 +56,6 @@
# 2. Set special ACE combination to the file and directory
# 3. Try to remove the file
# 4. Verify that combined permissions for owner/group/everyone are correct.
-#
verify_runnable "both"
@@ -99,7 +94,7 @@ set -A access_target \
set -A a_flag "owner@" "group@" "everyone@" "user:$ZFS_ACL_STAFF1"
log_assert "Verify that the combined delete_child/delete permission for" \
- "owner/group/everyone are correct."
+ "owner/group/everyone are correct."
log_onexit cleanup
function operate_node #user node
@@ -139,20 +134,25 @@ function logname #acl_parent acl_target user
typeset user=$3
# To super user, read and write deny permission was override.
- if [[ $user == root || $acl_target == *:allow ]]; then
+ if [[ $user == "root" || $acl_target == *":allow"* ]]; then
print "log_must"
- elif [[ $acl_parent == *"delete_child"* ]]; then
- if [[ $acl_parent == *"delete_child:allow"* ]]; then
- print "log_must"
- else
- print "log_mustnot"
- fi
- elif [[ $acl_parent == *"write_data"* ]]; then
- if [[ $acl_parent == *"write_data:allow"* ]]; then
- print "log_must"
- else
- print "log_mustnot"
- fi
+ # If target ACL has an ACE deny'ing delete, DENY
+ elif [[ $acl_target == *"delete:deny"* ]]; then
+ print "log_mustnot"
+ # If target ACL has an ACE allow'ing delete, ALLOW
+ elif [[ $acl_target == *"delete:allow"* ]]; then
+ print "log_must"
+ # If container ACL has an ACE deny'ing delete_child or
+ # write_data, DENY
+ elif [[ $acl_parent == *"delete_child:deny"* ||
+ $acl_parent == *"write_data:deny"* ]]; then
+ print "log_mustnot"
+ # If container ACL has an ACE allow'ing delete_child or
+ # write_data, ALLOW
+ elif [[ $acl_parent == *"delete_child:allow"* ||
+ $acl_parent == *"write_data:allow"* ]]; then
+ print "log_must"
+ # Otherwise, DENY
else
print "log_mustnot"
fi
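Review bot: The `elif [[ $acl_target == *"delete:allow"* ]]` branch can never be taken, because the first test already prints log_must for any target containing `:allow`. That first test also ranks an allow ACE on the target above `delete:deny`, which is the reverse of the order the new comments describe. If deny-first is the intent, the opening test could be narrowed to `if [[ $user == "root" ]]; then` so that the delete checks below it decide. Whether access_target ever mixes allow and deny entries is not visible here. logname starts and ends outside the hunk.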
@@ -298,4 +298,4 @@ while (( i < ${#users[@]} )); do
done
log_pass "Verify that the combined delete_child/delete permission for" \
- "owner/group/everyone are correct."
+ "owner/group/everyone are correct."
diff --git a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_002_neg.ksh b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_002_neg.ksh
index 0b675786f7..cade1bf1be 100644
--- a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_002_neg.ksh
+++ b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_002_neg.ksh
@@ -27,59 +27,49 @@
#
# Copyright (c) 2012 by Delphix. All rights reserved.
+# Copyright 2016 Nexenta Systems, Inc.
#
. $STF_SUITE/tests/functional/acl/acl_common.kshlib
-#
# DESCRIPTION:
-# Verify chmod have correct behaviour to directory and file not inherited
-# when filesystem has the different aclinherit setting
+# Verify chmod have correct behaviour to directory and file not inherited
+# when filesystem has the different aclinherit setting
#
# STRATEGY:
-# 1. Loop super user and non-super user to run the test case.
-# 2. Create basedir and a set of subdirectores and files within it.
-# 3. Separately chmod basedir with different inherite options,
-# combine with the variable setting of aclinherit:
-# "discard", "noallow", "restricted" or "passthrough".
-# 4. Then create nested directories and files like the following.
-#
-# ofile
-# odir
-# chmod --> basedir -|
-# |_ nfile1
-# |_ ndir1 _
-# |_ nfile2
-# |_ ndir2 _
-# |_ nfile3
-# |_ ndir3
+# 1. Use both super user and non-super user to run the test case.
+# 2. Create basedir and a set of subdirectores and files inside of it.
+# 3. For the following values of the aclinherity property, add ACEs with
+# different inherit options to basedir:
+# "discard", "noallow", "restricted" and "passthrough".
+# 4. Create nested directories and files like the following.
#
-# 5. Verify non-inherited directories and files have the correct access
-# control capability.
+# ofile
+# odir
+# chmod --> basedir -|
+# |_ nfile1
+# |_ ndir1 _
+# |_ nfile2
+# |_ ndir2 _
+# |_ nfile3
+# |_ ndir3
#
+# 5. Verify non-inherited directories and files have the correct access
+# control capability.
verify_runnable "both"
function cleanup
{
- typeset dir
-
- # Cleanup basedir, compared file and dir.
+ [[ -f $ofile ]] && log_must $RM -f $ofile
+ [[ -d $odir ]] && log_must $RM -rf $odir
+ [[ -d $basedir ]] && log_must $RM -rf $basedir
- if [[ -f $ofile ]]; then
- log_must $RM -f $ofile
- fi
-
- for dir in $odir $basedir ; do
- if [[ -d $dir ]]; then
- log_must $RM -rf $dir
- fi
- done
log_must $ZFS set aclmode=discard $TESTPOOL/$TESTFS
}
-log_assert "Verify chmod have correct behaviour to directory and file when " \
- "filesystem has the different aclinherit setting."
+log_assert "Verify different inherit options combined with different" \
+ "aclinherit property values"
log_onexit cleanup
# Define inherit flag
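Review bot: cleanup() restores `aclmode=discard` but not aclinherit, although the main loop in a later hunk runs `log_must $ZFS set aclinherit=$inherit $TESTPOOL/$TESTFS` for each value. The dataset therefore keeps the last value tried, and later test cases on the same filesystem inherit ACEs under it. Adding `log_must $ZFS set aclinherit=restricted $TESTPOOL/$TESTFS` to cleanup would reset it, assuming restricted is the default the rest of the suite expects. The new STRATEGY text also has the typo "aclinherity property", which should read "aclinherit property".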
@@ -89,10 +79,8 @@ typeset strategy_flag=("" inherit_only no_propagate inherit_only/no_propagate)
typeset ace_prefix1="user:$ZFS_ACL_OTHER1"
typeset ace_prefix2="user:$ZFS_ACL_OTHER2"
-typeset ace_discard ace_noallow ace_secure ace_passthrough
-typeset ace_secure_new
-# Defile the based directory and file
+# Define the base directory and file
basedir=$TESTDIR/basedir; ofile=$TESTDIR/ofile; odir=$TESTDIR/odir
# Define the files and directories will be created after chmod
@@ -102,10 +90,8 @@ nfile1=$basedir/nfile1; nfile2=$ndir1/nfile2; nfile3=$ndir2/nfile3
# Verify all the node have expected correct access control
allnodes="$ndir1 $ndir2 $ndir3 $nfile1 $nfile2 $nfile3"
-#
# According to inherited flag, verify subdirectories and files within it has
# correct inherited access control.
-#
function verify_inherit #<aclinherit> <object> [strategy]
{
# Define the nodes which will be affected by inherit.
@@ -118,12 +104,10 @@ function verify_inherit #<aclinherit> <object> [strategy]
typeset str2="/inherited:"
# count: the ACE item to fetch
- # maxnumber: predefine as 4
- # passcnt: counter, if it achieves to maxnumber,
+ # passcnt: counter, if it achieves to maxaces,
# then no additional ACE should apply.
# isinherit: indicate if the current target is in the inherit list.
-
- typeset -i count=0 pass=0 passcnt=0 isinherit=0 maxnumber=4 no_propagate=0
+ typeset -i count=0 pass=0 passcnt=0 isinherit=0 no_propagate=0
log_must usr_exec $MKDIR -p $ndir3
log_must usr_exec $TOUCH $nfile1 $nfile2 $nfile3
@@ -150,7 +134,7 @@ function verify_inherit #<aclinherit> <object> [strategy]
no_propagate=1
fi
fi
- # Verify ACE's for all the dirs/files under $basedir
+ # Verify ACEs for all the dirs/files under basedir
for node in $allnodes; do
if [[ " $non_inherit_nodes " == *" $node "* ]]; then
no_inherit=1
@@ -160,87 +144,86 @@ function verify_inherit #<aclinherit> <object> [strategy]
i=0
count=0
passcnt=0
- while ((i < maxnumber)); do
- pass=0
- eval expect1=\$acl$i
+ while ((i < maxaces)); do
+ typeset expacl
+
+ if [[ $inherit == "restricted" ]]; then
+ eval expacl=\$acls$i
+ else
+ eval expacl=\$acl$i
+ fi
case $inherit in
- noallow)
- [[ $expect1 == *":allow" ]] && pass=1
- ;;
- discard)
- passcnt=maxnumber
- break
- ;;
+ noallow)
+ if [[ $expacl == *":allow" ]]; then
+ ((i = i + 1))
+ continue
+ fi
+ ;;
+ discard)
+ ((passcnt = maxaces))
+ break
+ ;;
esac
- if ((pass == 0 && no_inherit == 1)); then
- aclaction=${expect1##*:}
- acltemp=${expect1%:*}
- # Verify ACE's for sub-directory
- if [[ -d $node ]]; then
- eval expect1=\$acl$i
- acltemp=${expect1%:*}
- if [[ $inherit_type == "directory" || \
- $inherit_type == "both" ]]; then
- expect1=${acltemp}/inherited:
- expect1=${expect1}${aclaction}
- elif [[ $inherit_type == "file" ]]; then
- if [[ $expect1 != \
- *"inherit_only"* ]]; then
- #
- # directory should append
- # "inherit_only" if not have
- #
- expect1=${acltemp}${str1}
- expect1=${expect1}${aclaction}
- else
- expect1=${acltemp}${str2}
- expect1=${expect1}${aclaction}
- fi
- fi
- aclcur=$(get_ACE $node $count)
- aclcur=${aclcur#$count:}
- if [[ $no_propagate == 0 ]]; then
- if [[ $expect1 != $aclcur ]]; then
- $LS -vd $basedir
- $LS -vd $node
- log_fail "$inherit $i #"\
- "$count ACE: $aclcur"\
- "expect to be $expect1"
- fi
+ if ((no_inherit == 0)); then
+ ((i = i + 1))
+ continue
+ fi
+
+ if [[ -d $node ]]; then
+ # Verify ACEs for subdirectory
+ aclaction=${expacl##*:}
+ acltemp=${expacl%:*}
+ if [[ $inherit_type == "directory" ||
+ $inherit_type == "both" ]]; then
+ expacl=${acltemp}${str2}
+ expacl=${expacl}${aclaction}
+ elif [[ $inherit_type == "file" ]]; then
+ if [[ $expacl != *"inherit_only"* ]]; then
+ # Directory should have
+ # "inherit_only" appended
+ expacl=${acltemp}${str1}
+ expacl=${expacl}${aclaction}
else
- # compare if directory has basic
- # ACL's
- compare_acls $node $odir
- if [[ $? -ne 0 ]]; then
- $LS -vd $basedir
- $LS -vd $node
- log_fail "Unexpect acl:"\
- " $node, $inherit"
- "($str)"
- fi
+ expacl=${acltemp}${str2}
+ expacl=${expacl}${aclaction}
+ fi
+ fi
+ aclcur=$(get_ACE $node $count)
+ aclcur=${aclcur#$count:}
+ if [[ $no_propagate == 0 ]]; then
+ if [[ $expacl != $aclcur ]]; then
+ $LS -vd $basedir
+ $LS -vd $node
+ log_fail "$inherit $i #$count" \
+ "ACE: $aclcur," \
+ "expected: $expacl"
fi
- # Verify ACE's for nested file
- elif [[ -f $node ]]; then
- compare_acls $node $ofile
+ else
+ # Compare if directory has trivial ACL
+ compare_acls $node $odir
if [[ $? -ne 0 ]]; then
$LS -vd $basedir
$LS -vd $node
- log_fail "Unexpect acl: $node," \
- "$inherit ($str)"
+ log_fail "unexpected ACE:"
+ "$node, $inherit ($str)"
fi
-
fi
- ((count = count + 1))
+ # Verify ACE's for nested file
+ elif [[ -f $node ]]; then
+ compare_acls $node $ofile
+ if [[ $? -ne 0 ]]; then
+ $LS -vd $basedir
+ $LS -vd $node
+ log_fail "unexpected ACE:" \
+ "$node, $inherit ($str)"
+ fi
fi
+ ((count = count + 1))
((i = i + 1))
done
- #
- # If there's no any ACE be checked, it should be identify as
- # an normal file/dir, verify it.
- #
-
- if ((passcnt == maxnumber)); then
+ # If there are no ACEs to be checked, compare the trivial ones.
+ if ((passcnt == maxaces)); then
if [[ -d $node ]]; then
compare_acls $node $odir
elif [[ -f $node ]]; then
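Review bot: `log_fail "unexpected ACE:"` in the no_propagate branch has no trailing backslash, so the next line `"$node, $inherit ($str)"` is a separate command and the failure message loses the node and the aclinherit value. The file branch a few lines below has the continuation; this one should match it: `log_fail "unexpected ACE:" \`. The test `[[ $expacl != $aclcur ]]` also leaves the right-hand side unquoted, which makes it a pattern match; `"$aclcur"` gives a literal comparison. verify_inherit starts and ends outside the hunk.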
@@ -250,32 +233,19 @@ function verify_inherit #<aclinherit> <object> [strategy]
if [[ $? -ne 0 ]]; then
$LS -vd $basedir
$LS -vd $node
- log_fail "Unexpect acl: $node, $inherit ($str)"
+ log_fail "Unexpected ACE: $node, $inherit ($str)"
fi
fi
done
}
-typeset -i i=0
+typeset -i i=0 maxaces=4
typeset acl0 acl1 acl2 acl3
typeset acls0 acls1 acls2 acls3
-#
-# Set aclmode=passthrough to make sure
-# the acl will not change during chmod.
-# A general testing should verify the combination of
-# aclmode/aclinherit works well,
-# here we just simple test them separately.
-#
-
log_must $ZFS set aclmode=passthrough $TESTPOOL/$TESTFS
for inherit in "${aclinherit_flag[@]}"; do
-
- #
- # Set different value of aclinherit
- #
-
log_must $ZFS set aclinherit=$inherit $TESTPOOL/$TESTFS
for user in root $ZFS_ACL_STAFF1; do
@@ -286,25 +256,20 @@ for inherit in "${aclinherit_flag[@]}"; do
typeset inh_opt=$obj
((${#str} != 0)) && inh_opt=$inh_opt/$str
- #
- # Prepare 4 ACES, which should include :
+ # Prepare 4 ACES, which should include:
# deny -> to verify "noallow"
- # write_acl/write_owner -> to verify "secure"
- #
-
- acl0=${ace_prefix1}":read_xattr/write_acl/"
- acl0=${acl0}"write_owner:"${inh_opt}":deny"
- acl1="$ace_prefix2:read_xattr/write_acl/"
- acl1=${acl1}"write_owner:$inh_opt:allow"
- acl2="$ace_prefix1:read_xattr:$inh_opt:deny"
- acl3="$ace_prefix2:read_xattr:$inh_opt:allow"
-
- #
- # The ACE filtered by write_acl/write_owner
- #
-
- acls0="$ace_prefix1:read_xattr:$inh_opt:deny"
- acls1="$ace_prefix2:read_xattr:$inh_opt:allow"
+ # write_acl/write_owner -> to verify "restricted"
+ acl0="${ace_prefix1}:read_xattr/write_acl"
+ acl0="${acl0}/write_owner:${inh_opt}:deny"
+ acl1="${ace_prefix2}:read_xattr/write_acl"
+ acl1="${acl1}/write_owner:${inh_opt}:allow"
+ acl2="${ace_prefix1}:read_xattr:${inh_opt}:deny"
+ acl3="${ace_prefix2}:read_xattr:${inh_opt}:allow"
+
+ # The ACEs filtered by write_acl/write_owner
+ acls0=$acl0
+ acls1="${ace_prefix2}:read_xattr"
+ acls1="${acls1}:${inh_opt}:allow"
acls2=$acl2
acls3=$acl3
#
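Review bot: The comment `# The ACEs filtered by write_acl/write_owner` no longer matches what follows, because `acls0=$acl0` keeps the deny ACE with write_acl/write_owner intact and only acls1 is stripped. Presumably that reflects aclinherit=restricted removing those permissions from allow entries only; the comment should say so, for example `# Expected ACEs under "restricted": write_acl/write_owner are dropped from allow ACEs, deny ACEs are inherited as is`. The acls1 value is split over two assignments only for line length, and a note to that effect would save the reader checking for a difference.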
@@ -319,12 +284,7 @@ for inherit in "${aclinherit_flag[@]}"; do
i=3
while ((i >= 0)); do
eval acl=\$acl$i
-
- #
- # Place on a directory should succeed.
- #
log_must usr_exec $CHMOD A+$acl $basedir
-
((i = i - 1))
done
log_note "verify_inherit $inherit $obj $str"
@@ -336,4 +296,5 @@ for inherit in "${aclinherit_flag[@]}"; do
done
done
-log_pass "Verify chmod inherit behaviour co-op with aclinherit setting passed."
+log_pass "Verify different inherit options combined with different" \
+ "aclinherit property values"
diff --git a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_003_pos.ksh b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_003_pos.ksh
index 3ce7547f0f..28126d5071 100644
--- a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_003_pos.ksh
+++ b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_003_pos.ksh
@@ -25,83 +25,71 @@
# Use is subject to license terms.
#
+#
+# Copyright 2016 Nexenta Systems, Inc.
+#
+
. $STF_SUITE/tests/functional/acl/acl_common.kshlib
-#
# DESCRIPTION:
-# Verify chmod have correct behaviour to directory and file when
-# filesystem has the different aclinherit setting
+# Verify chmod have correct behaviour to directory and file when
+# filesystem has the different aclinherit setting
#
# STRATEGY:
-# 1. Loop super user and non-super user to run the test case.
-# 2. Create basedir and a set of subdirectores and files within it.
-# 3. Separately chmod basedir with different inherite options,
-# combine with the variable setting of aclinherit:
-# "discard", "noallow", "secure" or "passthrough".
-# 4. Then create nested directories and files like the following.
-#
-# ofile
-# odir
-# chmod --> basedir -|
-# |_ nfile1
-# |_ ndir1 _
-# |_ nfile2
-# |_ ndir2 _
-# |_ nfile3
-# |_ ndir3
+# 1. Use both super user and non-super user to run the test case.
+# 2. Create basedir and a set of subdirectores and files within it.
+# 3. Separately chmod basedir with different inherite options,
+# combine with the variable setting of aclinherit:
+# "discard", "noallow", "restricted" or "passthrough".
+# 4. Then create nested directories and files like the following.
#
-# 5. Verify each directories and files have the correct access control
-# capability.
+# ofile
+# odir
+# chmod --> basedir -|
+# |_ nfile1
+# |_ ndir1 _
+# |_ nfile2
+# |_ ndir2 _
+# |_ nfile3
+# |_ ndir3
#
+# 5. Verify each directories and files have the correct access control
+# capability.
verify_runnable "both"
function cleanup
{
- typeset dir
-
- # Cleanup basedir, compared file and dir.
-
- if [[ -f $ofile ]]; then
- log_must $RM -f $ofile
- fi
-
- for dir in $odir $basedir ; do
- if [[ -d $dir ]]; then
- log_must $RM -rf $dir
- fi
- done
+ [[ -f $ofile ]] && log_must $RM -f $ofile
+ [[ -d $odir ]] && log_must $RM -rf $odir
+ [[ -d $basedir ]] && log_must $RM -rf $basedir
}
-log_assert "Verify chmod have correct behaviour to directory and file when " \
- "filesystem has the different aclinherit setting."
+log_assert "Verify chmod have correct behaviour to directory and file when" \
+ "filesystem has the different aclinherit setting"
log_onexit cleanup
# Define inherit flag
-typeset aclinherit_flag=(discard noallow secure passthrough)
+typeset aclinherit_flag=("discard" "noallow" "restricted" "passthrough")
typeset object_flag=("f-" "-d" "fd")
typeset strategy_flag=("--" "i-" "-n" "in")
typeset ace_prefix1="owner@"
typeset ace_prefix2="group@"
typeset ace_prefix3="everyone@"
-typeset ace_discard ace_noallow ace_secure ace_passthrough
-typeset ace_secure_new
-# Defile the based directory and file
-basedir=$TESTDIR/basedir; ofile=$TESTDIR/ofile; odir=$TESTDIR/odir
+# Define the base directory and file
+basedir=$TESTDIR/basedir; ofile=$TESTDIR/ofile; odir=$TESTDIR/odir
-# Define the files and directories will be created after chmod
+# Define the files and directories that will be created after chmod
ndir1=$basedir/ndir1; ndir2=$ndir1/ndir2; ndir3=$ndir2/ndir3
nfile1=$basedir/nfile1; nfile2=$ndir1/nfile2; nfile3=$ndir2/nfile3
-# Verify all the node have expected correct access control
+# Verify all nodes have expected correct access control
allnodes="$ndir1 $ndir2 $ndir3 $nfile1 $nfile2 $nfile3"
-#
# According to inherited flag, verify subdirectories and files within it has
# correct inherited access control.
-#
function verify_inherit #<aclinherit> <object> [strategy]
{
# Define the nodes which will be affected by inherit.
@@ -110,222 +98,133 @@ function verify_inherit #<aclinherit> <object> [strategy]
typeset obj=$2
typeset str=$3
- # count: the ACE item to fetch
- # pass: to mark if the current ACE should apply to the target
- # maxnumber: predefine as 4
- # passcnt: counter, if it achieves to maxnumber,
- # then no additional ACE should apply.
- # isinherit: indicate if the current target is in the inherit list.
- # step: indicate if the ACE be split during inherit.
-
- typeset -i count=0 pass=0 passcnt=0 isinherit=0 maxnumber=4 step=0
-
log_must usr_exec $MKDIR -p $ndir3
log_must usr_exec $TOUCH $nfile1 $nfile2 $nfile3
- # Get the files which inherited ACE.
- if [[ ${obj:0:1} == "f" ]]; then
- inherit_nodes="$inherit_nodes $nfile1"
-
- if [[ ${str:1:1} != "n" ]]; then
- inherit_nodes="$inherit_nodes $nfile2 $nfile3"
+ # Check if we have any inheritance flags set
+ if [[ $obj != "--" ]]; then
+ # Files should have inherited ACEs only if file_inherit is set
+ if [[ ${obj:0:1} == "f" ]]; then
+ inherit_nodes="$inherit_nodes $nfile1"
+ if [[ ${str:1:1} != "n" ]]; then
+ inherit_nodes="$inherit_nodes $nfile2 $nfile3"
+ fi
fi
- fi
- # Get the directores which inherited ACE.
- if [[ ${obj:1:1} == "d" ]]; then
- inherit_nodes="$inherit_nodes $ndir1"
- if [[ ${str:1:1} != "n" ]]; then
- inherit_nodes="$inherit_nodes $ndir2 $ndir3"
+ # Directories should have inherited ACEs if file_inherit without
+ # no_propagate and/or dir_inherit is set
+ if [[ (${obj:0:1} == "f" && ${str:1:1} != "n") ||
+ ${obj:1:1} == "d" ]]; then
+ inherit_nodes="$inherit_nodes $ndir1"
+ if [[ ${str:1:1} != "n" ]]; then
+ inherit_nodes="$inherit_nodes $ndir2 $ndir3"
+ fi
fi
fi
for node in $allnodes; do
- step=0
- if [[ " $inherit_nodes " == *" $node "* ]]; then
- isinherit=1
- if [[ -d $node ]] ; then
- step=1
- fi
- else
- isinherit=0
+ typeset -i i=0 count=0 inherited=0
+ typeset expacl perm inh act
+
+ if [[ "$inherit_nodes" == *"$node"* ]]; then
+ inherited=1
fi
- i=0
- count=0
- passcnt=0
- while ((i < maxnumber)); do
- pass=0
- eval expect1=\$acl$i
- expect2=$expect1
-
- #
- # aclinherit=passthrough,
- # inherit all inheritable ACL entries without any
- # modifications made to the ACL entries when they
- # are inherited.
- #
- # aclinherit=secure,
- # any inheritable ACL entries will remove
- # write_acl and write_owner permissions when the ACL entry is
- # inherited.
- #
- # aclinherit=noallow,
- # only inherit inheritable ACE that specify "deny" permissions
- #
- # aclinherit=discard
- # will not inherit any ACL entries
- #
+ while ((i < $maxaces)); do
+ # If current node isn't in inherit list, there's
+ # nothing to check, skip to checking trivial ACL
+ if ((inherited == 0)); then
+ ((count = maxaces + 1))
+ break
+ fi
+ eval expacl=\$acl$i
case $inherit in
- passthrough)
- action=${expect1##*:}
- expect1=${expect1%:$action}
- expect1=${expect1%-}
- expect1=${expect1%I}
- expect1=${expect1}I:$action
- ;;
- secure)
- eval expect2=\$acls$i
- ;;
- noallow)
- if [[ $expect1 == *":allow" ]] ; then
- pass=1
- ((passcnt = passcnt + 1))
- else
- eval expect2=\$acls$i
- fi
- ;;
- discard)
- passcnt=maxnumber
- break
- ;;
- esac
-
- if ((pass == 0)) ; then
- acltemp=${expect2%:*}
- acltemp=${acltemp%:*}
- aclaction=${expect2##*:}
- expect2=${acltemp}:------I:${aclaction}
-
- acltemp=${expect1%:*}
- inh=${acltemp##*:}
-
- if [[ -d $node ]]; then
- if [[ ${inh:3:1} == "n" ]]; then
-
- #
- # if no_propagate is set,
- # then clear all inherit flags,
- # only one ACE should left.
- #
-
- step=0
- expect1=""
-
- elif [[ ${inh:2:1} != "i" ]]; then
-
- #
- # directory should append
- # "inherit_only" if not have
- #
- acltemp=${acltemp%i*}
- expect1=${acltemp}i---I:${aclaction}
- else
- acltemp=${acltemp%-}
- acltemp=${acltemp%I}
- expect1=${acltemp}I:${aclaction}
- fi
-
- #
- # cleanup the first ACE if the directory
- # not in inherit list
- #
-
- if ((isinherit == 0)); then
- expect1=""
- fi
- elif [[ -f $node ]] ; then
- expect1=""
+ discard)
+ # Do not inherit any ACEs
+ ((count = maxaces + 1))
+ break
+ ;;
+ noallow)
+ # Only inherit inheritable ACEs that specify
+ # "deny" permissions
+ if [[ $expacl == *":allow" ]] ; then
+ ((i = i + 1))
+ continue
fi
+ ;;
+ restricted)
+ # Remove write_acl and write_owner permissions
+ # when the ACEs is inherited
+ eval expacl=\$acls$i
+ ;;
+ passthrough)
+ ;;
+ esac
- # Get the first ACE to do comparison
+ perm=${expacl%:*}
+ inh=${perm##*:}
+ inh=${inh:0:2}
+ perm=${perm%:*}
+ act=${expacl##*:}
- aclcur=$(get_ACE $node $count compact)
- aclcur=${aclcur#$count:}
- if [[ -n $expect1 && $expect1 != $aclcur ]]; then
- $LS -Vd $basedir
- $LS -Vd $node
- log_fail "$inherit $i #$count " \
- "ACE: $aclcur, expect to be " \
- "$expect1"
+ if [[ -d $node ]]; then
+ # Clear inheritance flags if no_propagate is set
+ if [[ ${str:1:1} == "n" ]]; then
+ inh="--"
fi
-
- #
- # Get the second ACE (if should have) to do
- # comparison
- #
- if ((step > 0)); then
- ((count = count + step))
-
- aclcur=$(get_ACE $node $count compact)
- aclcur=${aclcur#$count:}
- if [[ -n $expect2 && \
- $expect2 != $aclcur ]]; then
-
- $LS -Vd $basedir
- $LS -Vd $node
- log_fail "$inherit $i " \
- "#$count ACE: $aclcur, " \
- "expect to be $expect2"
- fi
+ expacl="$perm:$inh"
+ # Set inherit_only if there's a file_inherit
+ # without dir_inherit
+ if [[ ${obj:0:1} == "f" &&
+ ${obj:1:1} != "d" ]]; then
+ expacl="${expacl}i---I:$act"
+ else
+ expacl="${expacl}----I:$act"
fi
- ((count = count + 1))
+ elif [[ -f $node ]] ; then
+ expacl="$perm:------I:$act"
fi
+
+ aclcur=$(get_ACE $node $count compact)
+ aclcur=${aclcur#$count:}
+ if [[ -n $expacl && $expacl != $aclcur ]]; then
+ $LS -Vd $basedir
+ $LS -Vd $node
+ log_fail "$inherit $i #$count" \
+ "expected: $expacl, current: $aclcur"
+ fi
+
((i = i + 1))
+ ((count = count + 1))
done
- #
- # If there's no any ACE be checked, it should be identify as
- # an normal file/dir, verify it.
- #
-
- if ((passcnt == maxnumber)); then
+ # There were no non-trivial ACEs to check, do the trivial ones
+ if ((count == maxaces + 1)); then
if [[ -d $node ]]; then
compare_acls $node $odir
- elif [[ -f $node ]]; then
+ elif [[ -f $node ]]; then
compare_acls $node $ofile
fi
if [[ $? -ne 0 ]]; then
$LS -Vd $basedir
$LS -Vd $node
- log_fail "Unexpect acl: $node, $inherit ($str)"
+ log_fail "unexpected acl: $node," \
+ "$inherit ($str)"
fi
fi
+
done
}
-typeset -i i=0
-typeset acl0 acl1 acl2 acl3
-typeset acls0 acls1 acls2 acls3
-
-#
-# Set aclmode=passthrough to make sure
-# the acl will not change during chmod.
-# A general testing should verify the combination of
-# aclmode/aclinherit works well,
-# here we just simple test them separately.
-#
+typeset -i i=0 maxaces=6
+typeset acl0 acl1 acl2 acl3 acl4 acl5
+typeset acls0 acls1 acls2 acls3 acls4 acls5
log_must $ZFS set aclmode=passthrough $TESTPOOL/$TESTFS
for inherit in "${aclinherit_flag[@]}"; do
-
- #
- # Set different value of aclinherit
- #
-
log_must $ZFS set aclinherit=$inherit $TESTPOOL/$TESTFS
for user in root $ZFS_ACL_STAFF1; do
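Review bot: The membership test `[[ "$inherit_nodes" == *"$node"* ]]` in the `for node in $allnodes` loop is a plain substring match, and the node paths nest (`ndir2=$ndir1/ndir2`, `nfile2=$ndir1/nfile2`), so `$ndir1` matches whenever any deeper path is in the list. As `inherit_nodes` is built in this hunk, a parent appears to be listed whenever its children are, so the result looks right today. A later change to that list would silently make the test expect inherited ACEs on the wrong node. Keeping the delimiters the removed line had avoids this: `if [[ " $inherit_nodes " == *" $node "* ]]; then`. The opening lines of verify_inherit are in the previous hunk.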
@@ -334,64 +233,36 @@ for inherit in "${aclinherit_flag[@]}"; do
for obj in "${object_flag[@]}"; do
for str in "${strategy_flag[@]}"; do
typeset inh_opt=$obj
- ((${#str} != 0)) && inh_opt=${inh_opt}${str}--
-
- inh_a=${inh_opt}-
- inh_b=${inh_opt}I
-
- #
- # Prepare 4 ACES, which should include :
- # deny -> to verify "noallow"
- # write_acl/write_owner -> to verify "secure"
- #
-
- acl0="$ace_prefix1:rwxp---A-W-Co-:${inh_a}:allow"
- acl1="$ace_prefix2:rwxp---A-W-Co-:${inh_a}:deny"
- acl2="$ace_prefix3:rwxp---A-W-Co-:${inh_a}:allow"
- acl3="$ace_prefix1:-------A-W----:${inh_a}:deny"
- acl4="$ace_prefix2:-------A-W----:${inh_a}:allow"
- acl5="$ace_prefix3:-------A-W----:${inh_a}:deny"
-
-
- #
- # The ACE filtered by write_acl/write_owner
- #
-
- if [[ $inheri == "passthrough" ]]; then
- acls0="$ace_prefix1:rwxp---A-W----:${inh_b}:allow"
- acls1="$ace_prefix2:rwxp---A-W----:${inh_b}:deny"
- acls2="$ace_prefix3:rwxp---A-W----:${inh_b}:allow"
- acls3="$ace_prefix1:rwxp---A-W----:${inh_b}:deny"
- acls4="$ace_prefix2:rwxp---A-W----:${inh_b}:allow"
- acls5="$ace_prefix3:rwxp---A-W----:${inh_b}:deny"
- else
- acls0="$ace_prefix1:-------A-W----:${inh_b}:allow"
- acls1="$ace_prefix2:-------A-W-Co-:${inh_b}:deny"
- acls2="$ace_prefix3:-------A-W----:${inh_b}:allow"
- acls3="$ace_prefix1:-------A-W----:${inh_b}:deny"
- acls4="$ace_prefix2:-------A-W----:${inh_b}:allow"
- acls5="$ace_prefix3:-------A-W----:${inh_b}:deny"
- fi
-
- #
- # Create basedir and tmp dir/file
- # for comparison.
- #
+ ((${#str} != 0)) && inh_opt="${inh_opt}${str}--"
+
+ inh_a="${inh_opt}-"
+ inh_b="${inh_opt}I"
+
+ # deny - to verify "noallow"
+ # write_acl/write_owner - to verify "restricted"
+ acl0="$ace_prefix1:-------A-W-Co-:$inh_a:allow"
+ acl1="$ace_prefix2:-------A-W-Co-:$inh_a:deny"
+ acl2="$ace_prefix3:-------A-W-Co-:$inh_a:allow"
+ acl3="$ace_prefix1:-------A-W----:$inh_a:deny"
+ acl4="$ace_prefix2:-------A-W----:$inh_a:allow"
+ acl5="$ace_prefix3:-------A-W----:$inh_a:deny"
+
+ # ACEs filtered by write_acl/write_owner
+ acls0="$ace_prefix1:-------A-W----:$inh_b:allow"
+ acls1="$ace_prefix2:-------A-W-Co-:$inh_b:deny"
+ acls2="$ace_prefix3:-------A-W----:$inh_b:allow"
+ acls3="$ace_prefix1:-------A-W----:$inh_b:deny"
+ acls4="$ace_prefix2:-------A-W----:$inh_b:allow"
+ acls5="$ace_prefix3:-------A-W----:$inh_b:deny"
- log_note "$user: $CHMOD $acl $basedir"
log_must usr_exec $MKDIR $basedir
log_must usr_exec $MKDIR $odir
log_must usr_exec $TOUCH $ofile
- i=5
+ ((i = maxaces - 1))
while ((i >= 0)); do
eval acl=\$acl$i
-
- #
- # Place on a directory should succeed.
- #
log_must usr_exec $CHMOD A+$acl $basedir
-
((i = i - 1))
done
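Review bot: `acls1` is the only entry in the filtered table that keeps `Co` (`-------A-W-Co-` on the `deny` ACE), and nothing nearby says why, so it reads like a leftover next to `acls0` and `acls2`. Presumably `aclinherit=restricted` strips write_acl/write_owner only from allow entries; if so, say it where the table is defined, e.g. `# restricted strips write_acl/write_owner (C/o) from allow ACEs only, so the deny ACE acls1 keeps them`. The existing comment `# ACEs filtered by write_acl/write_owner` does not carry that detail. The enclosing loops start in the previous hunk and continue past this one.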
@@ -403,4 +274,4 @@ for inherit in "${aclinherit_flag[@]}"; do
done
done
-log_pass "Verify chmod inherit behaviour co-op with aclinherit setting passed."
+log_pass "Verify chmod inherit behaviour co-op with aclinherit setting passed"
diff --git a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_004_pos.ksh b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_004_pos.ksh
index 0ecf85eccb..98b5568e8d 100644
--- a/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_004_pos.ksh
+++ b/usr/src/test/zfs-tests/tests/functional/acl/nontrivial/zfs_acl_chmod_inherit_004_pos.ksh
@@ -25,125 +25,91 @@
# Use is subject to license terms.
#
-#
# Copyright (c) 2012 by Delphix. All rights reserved.
+# Copyright 2016 Nexenta Systems, Inc.
#
. $STF_SUITE/tests/functional/acl/acl_common.kshlib
-#
# DESCRIPTION:
-# Verify aclinherit=passthrough-x will inherit the 'x' bits while mode request.
+# Verify aclinherit=passthrough-x will inherit the execute permission only if
+# file creation mode requests it.
#
# STRATEGY:
-# 1. Loop super user and non-super user to run the test case.
-# 2. Create basedir and a set of subdirectores and files within it.
-# 3. Set aclinherit=passthrough-x
-# 4. Verify only passthrough-x will inherit the 'x' bits while mode request.
-#
+# 1. Use both super user and non-super user to run the test case.
+# 2. Set aclinherit=passthrough-x
+# 3. Create basedir and a set of files, one with 644 and one with 755 mode.
+# 4. Verify that execute permission is inherited only if file creation mode
+# requests them.
verify_runnable "both"
function cleanup
{
- if [[ -d $basedir ]]; then
- log_must $RM -rf $basedir
- fi
+ [[ -d $basedir ]] && log_must $RM -rf $basedir
}
-$ZPOOL upgrade -v
-$ZPOOL upgrade -v | $GREP "passthrough-x aclinherit" > /dev/null 2>&1
-if (($? != 0)); then
- log_unsupported "passthrough-x aclinherit not supported."
-fi
-
-log_assert "Verify aclinherit=passthrough-x will inherit the 'x' bits while" \
- " mode request."
+
+log_assert "aclinherit=passthrough-x should inherit the execute permission" \
+ "only if file creation mode requests it"
log_onexit cleanup
set -A aces \
- "owner@:read_data/write_data/add_subdirectory/append_data/execute:dir_inherit/inherit_only:allow" \
- "owner@:read_data/write_data/add_subdirectory/append_data/execute::allow" \
- "group@:add_subdirectory/append_data/execute:dir_inherit/inherit_only:allow" \
- "group@:add_subdirectory/append_data/execute::allow" \
- "everyone@:add_subdirectory/append_data/execute:dir_inherit/inherit_only:allow" \
- "everyone@:add_subdirectory/append_data/execute::allow" \
- "owner@:read_data/write_data/add_subdirectory/append_data/execute:file_inherit/inherit_only:allow" \
- "group@:read_data/add_subdirectory/append_data/execute:file_inherit/inherit_only:allow" \
- "everyone@:read_data/add_subdirectory/append_data/execute:file_inherit/inherit_only:allow"
-
-# Defile the based directory and file
-basedir=$TESTDIR/basedir
+ "owner@:rwxp:f:allow" \
+ "group@:rxp:f:allow" \
+ "everyone@:rxp:f:allow"
+typeset basedir="$TESTDIR/basedir"
+typeset nfile1="$basedir/nfile1" nfile2="$basedir/nfile2"
-#
-# According to inherited flag, verify subdirectories and files within it has
-# correct inherited access control.
-#
-function verify_inherit # <object>
+function check_execute_bit
{
- typeset obj=$1
+ typeset ace
+ typeset file=$1
+ typeset -i i=0
- # Define the files and directories will be created after chmod
- ndir1=$obj/ndir1; ndir2=$ndir1/ndir2
- nfile1=$ndir1/nfile1.c; nfile2=$ndir1/nfile2
+ while ((i < 6)); do
+ ace=$(get_ACE $file $i)
+ if [[ "$ace" == *"execute"* ]]; then
+ return 0
+ fi
+ ((i = i + 1))
+ done
- log_must usr_exec $MKDIR -p $ndir1
+ return 1
+}
+function verify_inherit
+{
typeset -i i=0
+
+ log_must usr_exec $MKDIR $basedir
+
+ # Modify owner@, group@ and everyone@ ACEs to include execute
+ # permission (see above), and make them file-inheritable
while ((i < ${#aces[*]})); do
- if ((i < 3)); then
- log_must usr_exec $CHMOD A$i=${aces[i]} $ndir1
- else
- log_must usr_exec $CHMOD A$i+${aces[i]} $ndir1
- fi
+ log_must usr_exec $CHMOD A$i=${aces[i]} $basedir
((i = i + 1))
done
- log_must usr_exec $MKDIR -p $ndir2
+
+ # Create file with 644 mode
log_must usr_exec $TOUCH $nfile1
+ # Check that execute permission wasn't inherited
+ log_mustnot check_execute_bit $nfile1
- $CAT > $nfile1 <<EOF
-#include <stdlib.h>
-#include <stdio.h>
-int main()
-{ return 0; }
-EOF
-
- mode=$(get_mode $ndir2)
- if [[ $mode != "drwx--x--x"* ]]; then
- log_fail "Unexpect mode of $ndir2, expect: drwx--x--x, current: $mode"
- fi
-
- mode=$(get_mode $nfile1)
- if [[ $mode != "-rw-r--r--"* ]]; then
- log_fail "Unexpect mode of $nfile1, expect: -rw-r--r--, current: $mode"
- fi
-
- if [[ -x /usr/sfw/bin/gcc ]]; then
- log_must /usr/sfw/bin/gcc -o $nfile2 $nfile1
- mode=$(get_mode $nfile2)
- if [[ $mode != "-rwxr-xr-x"* ]]; then
- log_fail "Unexpect mode of $nfile2, expect: -rwxr-xr-x, current: $mode"
- fi
- fi
+ # Use cp(1) to copy over /usr/bin/true
+ log_must usr_exec $CP $TRUE $nfile2
+ # Check that execute permission was inherited
+ log_must check_execute_bit $nfile2
}
-#
-# Set aclmode=passthrough to make sure
-# the acl will not change during chmod.
-# A general testing should verify the combination of
-# aclmode/aclinherit works well,
-# here we just simple test them separately.
-#
-
log_must $ZFS set aclmode=passthrough $TESTPOOL/$TESTFS
log_must $ZFS set aclinherit=passthrough-x $TESTPOOL/$TESTFS
for user in root $ZFS_ACL_STAFF1; do
log_must set_cur_usr $user
-
- verify_inherit $basedir
-
+ verify_inherit
cleanup
done
-log_pass "Verify aclinherit=passthrough-x will inherit the 'x' bits while mode request."
+log_pass "aclinherit=passthrough-x should inherit the execute permission" \
+ "only if file creation mode requests it"
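Review bot: `check_execute_bit` returns success as soon as any of the first six ACEs contains the string `execute`, without looking at the ACE type or principal. So `log_must check_execute_bit $nfile2` passes when a single entry carries execute, and would also pass on a deny entry. For a test of `aclinherit=passthrough-x` it would be stronger to match allow entries only, e.g. `if [[ "$ace" == *"execute"*":allow" ]]; then`, assuming get_ACE's verbose output ends with the ACE type (it is defined in acl_common.kshlib, not in this hunk). The literal `6` in `while ((i < 6))` is also unexplained; a short comment saying why six entries are scanned would help.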