This script tests if extended attribute permissions are properly checked
with and without ACLs. The script must be run as root to allow switching
users. The following users are required.

Cry immediately if we are not running as root.
First, set up a temporary directory and create a regular file with

# Need to remove trailing '.' when SELinux is enabled
$ chown nobody:nobody f
$ ls -l f | awk -- '{ sub(/\\.$/, "", $1); print $1, $3, $4 }'
> -rw-r----- nobody nobody
Verify that the user bin does not have enough permission to set
extended attributes in the user.* namespace.

$ setfattr -n user.test.xattr -v 123456 f
> setfattr: f: Permission denied
Now, add an ACL entry for the group bin (which user bin belongs to) that
grants rw- access. Only the file owner and processes capable of CAP_FOWNER
are allowed to change ACLs.

$ setfacl -m g:bin:rw f
$ getfacl --omit-header f
Verify that the additional ACL entry grants user bin permission
to set extended attributes in the user.* namespace on files.

$ setfattr -n user.test.xattr -v 123456 f
> user.test.xattr="123456"
Test that symlinks are properly followed.

# Need to remove trailing '.' when SELinux is enabled
$ ls -l l | awk -- '{ sub(/\\.$/, "", $1); print $1, $3, $4 }'
> lrwxrwxrwx root root
> user.test.xattr="123456"
Test sticky directories. Only the owner and privileged user can

# Need to remove trailing '.' when SELinux is enabled
$ chown nobody:nobody t
$ ls -dl t | awk -- '{ sub(/\\.$/, "", $1); print $1, $3, $4 }'
> drwxr-x--T nobody nobody
$ setfacl -m g:bin:rwx t
$ getfacl --omit-header t
$ setfattr -n user.test.xattr -v 654321 t
> setfattr: t: Operation not permitted
Verify that the additional ACL entry grants user bin permission
to set extended attributes in the user.* namespace on directories.

# Need to remove trailing '.' when SELinux is enabled
$ chown nobody:nobody d
$ ls -dl d | awk -- '{ sub(/\\.$/, "", $1); print $1, $3, $4 }'
> drwxr-x--- nobody nobody
$ setfacl -m g:bin:rwx d
$ getfacl --omit-header d
$ setfattr -n user.test.xattr -v 654321 d
> user.test.xattr="654321"
Test that in the user.* namespace, only regular files and directories can have

$ mknod -m 0660 hdt b 91 64 # /dev/hdt
$ mknod -m 0660 null c 1 3 # /dev/null
$ mkfifo -m 0660 fifo
$ setfattr -n user.test.xattr -v 123456 hdt
> setfattr: hdt: Operation not permitted
$ setfattr -n user.test.xattr -v 123456 null
> setfattr: null: Operation not permitted
$ setfattr -n user.test.xattr -v 123456 fifo
> setfattr: fifo: Operation not permitted