1 This script tests if file permissions are properly checked with and
2 without ACLs. The script must be run as root to allow switching users.
3 The following users are required. They must be a member in the groups
10 Cry immediately if we are not running as root.
16 First, set up a temporary directory and create a regular file with
23 $ ls -l f | awk -- '{sub(/\\./, "", $1); print $1, $3, $4 }'
24 > -rw-r----- root root
27 Make sure root has access to the file. Verify that user daemon does not
28 have access to the file owned by root.
34 > f: Permission denied
39 Now, change the ownership of the file to bin:bin and verify that this
40 gives user bin write access.
43 $ ls -l f | awk -- '{sub(/\\./, "", $1); print $1, $3, $4 }'
49 User daemon is a member in the owning group, which has only read access.
58 > f: Permission denied
61 Now, add an ACL entry for user daemon that grants him rw- access. File
62 owners and users capable of CAP_FOWNER are allowed to change ACLs.
65 $ setfacl -m u:daemon:rw f
66 $ getfacl --omit-header f
75 Verify that the additional ACL entry grants user daemon write access.
85 Remove write access from the group class permission bits, and
86 verify that this masks daemon's write permission.
90 $ getfacl --omit-header f
92 > user:daemon:rw- #effective:r--
100 > f: Permission denied
103 Add an entry for group daemon with rw- access, and change the
104 permissions for user daemon to r--. Also change the others permissions t
105 rw-. The user entry should take precedence, so daemon should be denied
109 $ setfacl -m u:daemon:r,g:daemon:rw-,o::rw- f
113 > f: Permission denied
116 Remove the entry for user daemon. The group daemon permissions should
117 now give user daemon rw- access.
120 $ setfacl -x u:daemon f
131 Set the group daemon permissions to r-- and verify that after than, user
132 daemon does not have write access anymore.
135 $ setfacl -m g:daemon:r f
139 > f: Permission denied
142 Now, remove the group daemon entry. Because user daemon is a member in
143 the owning group, he should still have no write access.
146 $ setfacl -x g:daemon f
150 > f: Permission denied
153 Change the owning group. The other permissions should now grant user
169 Verify that permissions in separate matching ACL entries do not
173 $ setfacl -m g:bin:r,g:daemon:w f
176 $ : < f # open for reading
177 $ : > f # open for writing
178 $ : <> f # open for read-write
179 > f: Permission denied
182 Test if directories can have ACLs. We assume that only one access check
183 algorithm is used for all file types the file system, so these tests
184 only need to verify that ACL permissions make a difference.
191 $ shopt -s nullglob ; echo e/*
195 > e/i: Permission denied
198 $ setfacl -m u:bin:rx e
203 following 2 lines seems not valid, which also failed on ext3 in FC3 enviroment,
204 although it pass in FC2. commented out by CFS (agreed with HP)
205 Replaced "echo" with "touch" can resolve such problem.
207 # > e/i: Permission denied
208 $ touch e/i 2>&1 | sed -e "s/touch .*e\\/i.*:/touch \\'e\\/i\\':/"
209 > touch: cannot touch 'e/i': Permission denied
212 $ setfacl -m u:bin:rwx e
218 Test if symlinks are properly followed.
223 $ setfacl -m u:bin:rw l
224 $ ls -l g | awk -- '{ print $1, $3, $4 }'
225 > -rw-rw----+ root root
228 Test if ACLs are effective for block and character special files, fifos,
229 sockets. This is done by creating special files locally. The devices do
230 not need to exist: The access check is earlier in the code path than the
231 test if the device exists.
234 $ mknod -m 0660 hdt b 91 64 # /dev/hdt
235 $ mknod -m 0660 null c 1 3 # /dev/null
236 $ mkfifo -m 0660 fifo
240 > hdt: Permission denied
242 > null: Permission denied
244 > fifo: Permission denied
247 $ setfacl -m u:bin:rw hdt null fifo
251 > hdt: No such device or address
253 $ ( echo blah > fifo & ) ; cat fifo
257 Test if CAP_FOWNER is properly honored for directories. This addresses a
258 specific bug in XFS 1.2, which does not grant root access to files in
259 directories if the file has an ACL and only CAP_FOWNER would grant them.
263 $ chown daemon:daemon x
265 $ ls -l x/j | awk -- '{sub(/\\./, "", $1); print $1, $3, $4 }'
266 > -rw-r----- root root
268 $ setfacl -m u:daemon:r x
270 $ ls -l x/j | awk -- '{sub(/\\./, "", $1); print $1, $3, $4 }'
271 > -rw-r----- root root
272 (With the bug this gives: `ls: x/j: Permission denied'.)
275 (With the bug this gives: `x/k: Permission denied'.)