This script tests if extended attributes permissions are properly checked
with and without ACLs. The script must be run as root to allow switching
users. The following users are required.
Cry immediately if we are not running as root.
First, set up a temporary directory and create a regular file with
$ chown nobody:nobody f
$ ls -l f | awk -- '{ print $1, $3, $4 }'
> -rw-r----- nobody nobody
Verify that the user bin does not have enough permission to set
extended attributes in the user.* namespace.
$ setfattr -n user.test.xattr -v 123456 f
> setfattr: f: Permission denied
Now, add an ACL entry for user bin that grants him rw- access. File
owners and users capable of CAP_FOWNER are allowed to change ACLs.
$ setfacl -m g:bin:rw f
$ getfacl --omit-header f
Verify that the additional ACL entry grants user bin permission
to set extended attributes in user.* namespace for files.
$ setfattr -n user.test.xattr -v 123456 f
> user.test.xattr="123456"
Test if symlinks are properly followed.
$ ls -l l | awk -- '{ print $1, $3, $4 }'
> lrwxrwxrwx root root
> user.test.xattr="123456"
Test the sticky directories. Only the owner and privileged user can
$ chown nobody:nobody t
$ ls -dl t | awk -- '{ print $1, $3, $4 }'
> drwxr-x--T nobody nobody
$ setfacl -m g:bin:rwx t
$ getfacl --omit-header t
$ setfattr -n user.test.xattr -v 654321 t
> setfattr: t: Operation not permitted
Verify that the additional ACL entry grants user bin permission
to set extended attributes in user.* namespace for directories.
$ chown nobody:nobody d
$ ls -dl d | awk -- '{ print $1, $3, $4 }'
> drwxr-x--- nobody nobody
$ setfacl -m g:bin:rwx d
$ getfacl --omit-header d
$ setfattr -n user.test.xattr -v 654321 d
> user.test.xattr="654321"
Test that in user.* namespace, only regular files and directories can have
$ mknod -m 0660 hdt b 91 64 # /dev/hdt
$ mknod -m 0660 null c 1 3 # /dev/null
$ mkfifo -m 0660 fifo
$ setfattr -n user.test.xattr -v 123456 hdt
> setfattr: hdt: Operation not permitted
$ setfattr -n user.test.xattr -v 123456 null
> setfattr: null: Operation not permitted
$ setfattr -n user.test.xattr -v 123456 fifo
> setfattr: fifo: Operation not permitted
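The expectations above (Permission denied on the plain file, success once the ACL grants write access, Operation not permitted on the sticky directory and on the device and fifo nodes) all follow from one rule: a user.* attribute may only be set on regular files and directories, a sticky directory additionally requires the owner or CAP_FOWNER, and everything else reduces to an ordinary write-permission check in which ACL entries participate. The following is an added model of that rule, not code from the test script or the attr project; the uids for nobody and bin, the simplified ACL handling (a single mask, no default ACLs) and the cases replayed are constructed here to match the script's scenarios.

```python
import stat
from dataclasses import dataclass, field

NOBODY, BIN = 65534, 1   # constructed uids/gids; real values depend on the system

@dataclass
class Inode:
    mode: int            # st_mode: file type bits plus permission bits
    uid: int
    gid: int
    # simplified POSIX.1e ACL: {("user", uid): perms, ("group", gid): perms, "mask": perms}
    acl: dict = field(default_factory=dict)
    target: object = None   # resolved target when this inode is a symlink

def may_write(ino, uid, groups):
    """Simplified inode write check with named ACL entries folded in (rwx = 4,2,1)."""
    if uid == ino.uid:
        return bool(ino.mode & stat.S_IWUSR)
    mask = ino.acl.get("mask", 7)
    if ("user", uid) in ino.acl:
        return bool(ino.acl[("user", uid)] & mask & 2)
    group_class = [(ino.mode >> 3) & 7] if ino.gid in groups else []   # owning-group bits
    group_class += [ino.acl[("group", g)] & mask for g in groups if ("group", g) in ino.acl]
    if group_class:
        return any(p & 2 for p in group_class)   # any matching group entry may grant write
    return bool(ino.mode & stat.S_IWOTH)

def set_user_xattr(ino, uid, groups, capable_fowner=False):
    """Model of the user.* namespace checks; returns None on success or an errno name."""
    if stat.S_ISLNK(ino.mode):        # setfattr without -h operates on the link target
        ino = ino.target
    if not (stat.S_ISREG(ino.mode) or stat.S_ISDIR(ino.mode)):
        return "EPERM"                # devices, fifos, sockets: Operation not permitted
    if stat.S_ISDIR(ino.mode) and ino.mode & stat.S_ISVTX and uid != ino.uid and not capable_fowner:
        return "EPERM"                # sticky directory: owner or CAP_FOWNER only
    if not may_write(ino, uid, groups):
        return "EACCES"               # Permission denied
    return None

def run_page_cases():
    """Replays the script's scenarios as user bin (constructed inodes); returns {case: result}."""
    f = Inode(stat.S_IFREG | 0o640, NOBODY, NOBODY)
    before = set_user_xattr(f, BIN, {BIN})
    f.acl[("group", BIN)] = 6         # setfacl -m g:bin:rw f
    l = Inode(stat.S_IFLNK | 0o777, 0, 0, target=f)
    t = Inode(stat.S_IFDIR | 0o1750, NOBODY, NOBODY, acl={("group", BIN): 7})
    d = Inode(stat.S_IFDIR | 0o750, NOBODY, NOBODY, acl={("group", BIN): 7})
    hdt, fifo = Inode(stat.S_IFBLK | 0o660, 0, 0), Inode(stat.S_IFIFO | 0o660, 0, 0)
    return {"f_before_acl": before, "f_after_acl": set_user_xattr(f, BIN, {BIN}),
            "symlink_to_f": set_user_xattr(l, BIN, {BIN}), "sticky_dir_t": set_user_xattr(t, BIN, {BIN}),
            "dir_d": set_user_xattr(d, BIN, {BIN}), "blockdev_hdt": set_user_xattr(hdt, BIN, {BIN}),
            "fifo": set_user_xattr(fifo, BIN, {BIN})}
```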