# Run select tests by setting SEC_ONLY, or as arguments to the script.
# Skip specific tests by setting SEC_EXCEPT.

# Make the test binaries and utilities resolvable ahead of the system PATH.
export PATH="$PWD/$SRCDIR:$SRCDIR:$PWD/$SRCDIR/../utils:$PATH:/sbin"

# Positional arguments are the fallback when SEC_ONLY is not set in the env.
SEC_ONLY="${SEC_ONLY:-$*}"

# The inner expansion is deliberately unquoted so runs of whitespace in
# SEC_EXCEPT collapse to single spaces in the message.
[ "$SEC_EXCEPT" ] && echo "Skipping tests: $(echo $SEC_EXCEPT)"
# Program driving the timed I/O in the capability-expiry test; overridable.
WTL="${WTL:-write_time_limit}"

# Identity upcall binary written into the MDT identity_upcall file during setup.
ENABLE_IDENTITY=/usr/sbin/l_getidentity

# Server-side permission configuration consumed by the identity upcall.
LUSTRE_CONF_DIR=/etc/lustre
PERM_CONF="${LUSTRE_CONF_DIR}/perm.conf"

# lprocfs subtrees used below; LPROC is expected to be set before this point.
LDLM_LPROC="${LPROC}/ldlm"
LLITE_LPROC="${LPROC}/llite"
OST_LPROC="${LPROC}/obdfilter"
34 $LCTL mark "$*" 2> /dev/null || true
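# Per-run log receiving the FAIL/SKIP lines appended later in this script;
# every run starts from an empty log. The default lives in the shared /tmp,
# so when this script runs as root on a multi-user host, point SANITYSECLOG
# at a private directory instead.
SANITYSECLOG=${SANITYSECLOG:-/tmp/sanity-sec.log}
# Quoted, and with '--', so a path containing spaces, glob characters or a
# leading '-' is removed as one literal argument.
[ "$SANITYSECLOG" ] && rm -f -- "$SANITYSECLOG" || true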
41 sec_log "FAIL: $TESTNAME $@"
42 if [ "$SANITYSECLOG" ]; then
43 echo "FAIL: $TESTNAME $@" >> $SANITYSECLOG
54 sec_log "$0: SKIP: $TESTNAME $@"
55 [ "$SANITYSECLOG" ] && echo "$0: SKIP: $TESTNAME $@" >> $SANITYSECLOG
# Resolve the login names of the two test identities. The pattern pins both
# the uid and the gid fields, so the account must have uid == gid == $ID1
# (resp. $ID2); an unknown id leaves the variable empty, which the checks
# below turn into a skip. Note this reads /etc/passwd directly, so accounts
# that exist only through NSS (LDAP etc.) are not found.
USER1=$(grep -- ":$ID1:$ID1:" /etc/passwd | cut -d: -f1)
USER2=$(grep -- ":$ID2:$ID2:" /etc/passwd | cut -d: -f1)
64 if [ -z "$USER1" ]; then
65 echo "===== Please add user1 (uid=$ID1 gid=$ID1)! Skip sanity-sec ====="
66 sec_error "===== Please add user1 (uid=$ID1 gid=$ID1)! ====="
70 if [ -z "$USER2" ]; then
71 echo "===== Please add user2 (uid=$ID2 gid=$ID2)! Skip sanity-sec ====="
72 sec_error "===== Please add user2 (uid=$ID2 gid=$ID2)! ====="
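# Test-framework bootstrap. NAME picks the cluster config under tests/cfg/
# and LUSTRE defaults to the parent of this script's directory. The paths
# are quoted so a checkout located under a directory with spaces still
# resolves to a single word.
export NAME="${NAME:-local}"
LUSTRE="${LUSTRE:-$(dirname "$0")/..}"
. "$LUSTRE/tests/test-framework.sh"
. "${CONFIG:=$LUSTRE/tests/cfg/$NAME.sh}"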
# Print the mount points of Lustre filesystems listed in /proc/mounts.
# Fields are (device, mountpoint, fstype, ...); only entries whose device
# contains ':' are selected — presumably the NID:/fsname client mounts,
# confirm against the cluster configs in use.
mounted_lustre_filesystems() {
awk '($3 ~ "lustre" && $1 ~ ":") { print $2 }' /proc/mounts
87 MOUNTED="`mounted_lustre_filesystems`"
88 if [ -z "$MOUNTED" ]; then
91 MOUNTED="`mounted_lustre_filesystems`"
92 [ -z "$MOUNTED" ] && sec_error "NAME=$NAME not mounted"
96 [ `echo $MOUNT | wc -w` -gt 1 ] && sec_error "NAME=$NAME mounted more than once"
99 [ -z "`echo $DIR | grep $MOUNT`" ] && echo "$DIR not in $MOUNT" && \
100 sec_cleanup && exit 99
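# Multi-MDS setups are not exercised here: with more than one MDC namespace
# the run ends early after cleanup. The pattern is quoted so '-mdc-' is
# matched literally. Unquoted, '*-mdc-*' was subject to pathname expansion
# in the current directory and, when it did not expand, was a regex whose
# leading '*' is literal, so it never matched a namespace name and the skip
# was never taken.
[ "$(ls -l "$LDLM_LPROC/namespaces" 2>/dev/null | grep -c -- '-mdc-')" -gt 1 ] \
&& echo "skip multi-MDS test" && sec_cleanup && exit 0

# Number of OSC namespaces that are not MDT targets, i.e. the OSTs this
# client sees.
OST_COUNT=$(ls -l "$LDLM_LPROC/namespaces" 2>/dev/null | grep osc | grep -v MDT | wc -l)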
108 GSS_REF=$(lsmod | grep ^ptlrpc_gss | awk '{print $3}')
109 if [ ! -z "$GSS_REF" -a "$GSS_REF" != "0" ]; then
111 echo "with GSS support"
114 echo "without GSS support"
118 MDT_REF=$(lsmod | grep ^mdt | awk '{print $3}')
119 if [ ! -z "$MDT_REF" -a "$MDT_REF" != "0" ]; then
127 MDT="`do_facet $SINGLEMDS ls -l $MDT_LPROC/ | grep MDT | awk '{print $9}'`"
128 if [ ! -z "$MDT" ]; then
129 IDENTITY_UPCALL=$MDT_LPROC/$MDT/identity_upcall
130 IDENTITY_UPCALL_BAK="`more $IDENTITY_UPCALL`"
131 IDENTITY_FLUSH=$MDT_LPROC/$MDT/identity_flush
132 ROOTSQUASH_UID=$MDT_LPROC/$MDT/rootsquash_uid
133 ROOTSQUASH_GID=$MDT_LPROC/$MDT/rootsquash_gid
134 NOSQUASH_NIDS=$MDT_LPROC/$MDT/nosquash_nids
135 MDSCAPA=$MDT_LPROC/$MDT/capa
136 CAPA_TIMEOUT=$MDT_LPROC/$MDT/capa_timeout
140 if [ -z "$(grep remote $LLITE_LPROC/*/client_type 2>/dev/null)" ]; then
152 sec_log "== test $1 $2= `date +%H:%M:%S` ($BEFORE)"
153 export TESTNAME=test_$1
154 test_$1 || sec_error "exit with rc=$?"
156 sec_pass "($((`date +%s` - $BEFORE))s)"
# Turn the whitespace-separated SEC_ONLY / SEC_EXCEPT lists into per-test
# flag variables (SEC_ONLY_<name>=true, SEC_EXCEPT_<name>=true) that the
# run-time filter later reads back through ${!testname}.
# NOTE(review): the names come straight from the command line / environment
# (SEC_ONLY defaults to "$*") and reach eval unchecked, so a value carrying
# shell metacharacters is executed rather than rejected. Assigning with
# `printf -v "SEC_ONLY_${O}" '%s' true` sets the variable without re-parsing
# and makes bash reject an invalid name instead.
build_test_filter() {
for O in $SEC_ONLY; do
eval SEC_ONLY_${O}=true
for E in $SEC_EXCEPT; do
eval SEC_EXCEPT_${E}=true
173 IFS=abcdefghijklmnopqrstuvwxyz _basetest $1
178 if [ "$SEC_ONLY" ]; then
180 if [ ${!testname}x != x ]; then
184 testname=SEC_ONLY_$base
185 if [ ${!testname}x != x ]; then
192 testname=SEC_EXCEPT_$1
193 if [ ${!testname}x != x ]; then
194 echo "skipping excluded test $1"
197 testname=SEC_EXCEPT_$base
198 if [ ${!testname}x != x ]; then
199 echo "skipping excluded test $1 (base $base)"
212 if ! $RUNAS -u $user krb5_login.sh; then
213 echo "$user login kerberos failed."
217 if ! $RUNAS -u $user -g $group ls $DIR > /dev/null; then
218 $RUNAS -u $user lfs flushctx -k
219 $RUNAS -u $user krb5_login.sh
220 if ! $RUNAS -u $user -g $group ls $DIR > /dev/null; then
221 echo "init $user $group failed."
228 if [ ! -z "$MDT" ]; then
229 do_facet $SINGLEMDS echo $ENABLE_IDENTITY > $IDENTITY_UPCALL
230 do_facet $SINGLEMDS echo -1 > $IDENTITY_FLUSH
233 if ! $RUNAS -u $ID1 ls $DIR > /dev/null 2>&1; then
234 sec_login $USER1 $USER1
237 if ! $RUNAS -u $ID2 ls $DIR > /dev/null 2>&1; then
238 sec_login $USER2 $USER2
243 # run as different user
248 chown $USER1 $DIR/d0 || sec_error
249 $RUNAS -u $ID1 ls $DIR || sec_error
250 $RUNAS -u $ID1 touch $DIR/f0 && sec_error
251 $RUNAS -u $ID1 touch $DIR/d0/f1 || sec_error
252 $RUNAS -u $ID2 touch $DIR/d0/f2 && sec_error
253 touch $DIR/d0/f3 || sec_error
257 $RUNAS -u $ID1 touch $DIR/d0/f4 || sec_error
258 $RUNAS -u $ID2 touch $DIR/d0/f5 && sec_error
259 touch $DIR/d0/f6 || sec_error
263 sec_run_test 0 "uid permission ============================="
267 [ $GSS_SUP = 0 ] && sec_skip "without GSS support." && return
268 [ -z "$MDT" ] && sec_skip "do not support do_facet operations." && return
270 do_facet $SINGLEMDS rm -f $PERM_CONF
271 do_facet $SINGLEMDS echo -1 > $IDENTITY_FLUSH
276 chown $USER1 $DIR/d1 || sec_error
277 $RUNAS -u $ID2 -v $ID1 touch $DIR/d1/f0 && sec_error
278 do_facet $SINGLEMDS echo "\* $ID2 setuid" > $PERM_CONF
279 echo "enable uid $ID2 setuid"
280 do_facet $SINGLEMDS echo -1 > $IDENTITY_FLUSH
281 $RUNAS -u $ID2 -v $ID1 touch $DIR/d1/f1 || sec_error
286 $RUNAS -u $ID2 -g $ID2 touch $DIR/d1/f2 && sec_error
287 $RUNAS -u $ID2 -g $ID2 -j $ID1 touch $DIR/d1/f3 && sec_error
288 do_facet $SINGLEMDS echo "\* $ID2 setuid,setgid" > $PERM_CONF
289 echo "enable uid $ID2 setuid,setgid"
290 do_facet $SINGLEMDS echo -1 > $IDENTITY_FLUSH
291 $RUNAS -u $ID2 -g $ID2 -j $ID1 touch $DIR/d1/f4 || sec_error
292 $RUNAS -u $ID2 -v $ID1 -g $ID2 -j $ID1 touch $DIR/d1/f5 || sec_error
296 do_facet $SINGLEMDS rm -f $PERM_CONF
297 do_facet $SINGLEMDS echo -1 > $IDENTITY_FLUSH
299 sec_run_test 1 "setuid/gid ============================="
302 # for remote client only
304 [ "$CLIENT_TYPE" = "local" ] && \
305 sec_skip "remote_acl for remote client only" && return
306 [ -z "$(grep ^acl $MDC_LPROC/*-mdc-*/connect_flags)" ] && \
307 sec_skip "must have acl enabled" && return
308 [ -z "$(which setfacl 2>/dev/null)" ] && \
309 sec_skip "could not find setfacl" && return
310 [ "$UID" != 0 ] && sec_skip "must run as root" && return
315 echo xxx > $DIR/d2/f0
318 $LFS getfacl $DIR/d2/f0 || sec_error
319 $RUNAS -u $ID1 cat $DIR/d2/f0 || sec_error
320 $RUNAS -u $ID1 touch $DIR/d2/f0 && sec_error
322 $LFS setfacl -m u:$USER1:w $DIR/d2/f0 || sec_error
323 $LFS getfacl $DIR/d2/f0 || sec_error
324 echo "set user $USER1 write permission on file $DIR/d2/f0"
325 $RUNAS -u $ID1 touch $DIR/d2/f0 || sec_error
326 $RUNAS -u $ID1 cat $DIR/d2/f0 && sec_error
330 sec_run_test 2 "rmtacl ============================="
333 # for remote mdt only
335 [ $GSS_SUP = 0 ] && sec_skip "without GSS support." && return
336 [ -z "$MDT" ] && sec_skip "do not support do_facet operations." && return
337 [ "$MDT_TYPE" = "local" ] && sec_skip "rootsquash for remote mdt only" && return
339 do_facet $SINGLEMDS echo "-\*" > $NOSQUASH_NIDS
340 do_facet $SINGLEMDS echo 0 > $ROOTSQUASH_UID
341 do_facet $SINGLEMDS echo 0 > $ROOTSQUASH_GID
347 do_facet $SINGLEMDS echo $ID1 > $ROOTSQUASH_UID
348 echo "set rootsquash uid = $ID1"
349 touch $DIR/f3_0 && sec_error
350 touch $DIR/d3/f3_1 || sec_error
352 do_facet $SINGLEMDS echo 0 > $ROOTSQUASH_UID
353 echo "disable rootsquash"
358 do_facet $SINGLEMDS echo $ID1 > $ROOTSQUASH_UID
359 echo "set rootsquash uid = $ID1"
360 touch $DIR/d3/f3_2 && sec_error
361 do_facet $SINGLEMDS echo $ID2 > $ROOTSQUASH_GID
362 echo "set rootsquash gid = $ID2"
363 touch $DIR/d3/f3_3 || sec_error
365 do_facet $SINGLEMDS echo "+\*" > $NOSQUASH_NIDS
366 echo "add host in rootsquash skip list"
367 touch $DIR/f3_4 || sec_error
369 do_facet $SINGLEMDS echo 0 > $ROOTSQUASH_UID
370 do_facet $SINGLEMDS echo 0 > $ROOTSQUASH_GID
371 do_facet $SINGLEMDS echo "-\*" > $NOSQUASH_NIDS
375 sec_run_test 3 "rootsquash ============================="
377 # bug 3285 - supplementary group should always succeed.
378 # NB: the supplementary groups are set for local client only,
379 # as for remote client, the groups of the specified uid on MDT
380 # will be obtained by upcall /sbin/l_getidentity and used.
386 $RUNAS -u $ID1 ls $DIR/d4 || sec_error "setgroups(1) failed"
387 if [ "$CLIENT_TYPE" != "remote" ]; then
388 if [ ! -z "$MDT" ]; then
389 do_facet $SINGLEMDS echo "\* $ID2 setgrp" > $PERM_CONF
390 do_facet $SINGLEMDS echo -1 > $IDENTITY_FLUSH
392 $RUNAS -u $ID2 -G1,2,$ID1 ls $DIR/d4 || sec_error "setgroups(2) failed"
393 if [ ! -z "$MDT" ]; then
394 do_facet $SINGLEMDS rm -f $PERM_CONF
395 do_facet $SINGLEMDS echo -1 > $IDENTITY_FLUSH
398 $RUNAS -u $ID2 -G1,2 ls $DIR/d4 && sec_error "setgroups(3) failed"
401 sec_run_test 4 "set supplementary group ==============="
# Set the MDS capability timeout by writing $1 (seconds) to $CAPA_TIMEOUT.
# Arguments: $1 - timeout in seconds (required).
# Returns:   1 when the argument is missing.
# NOTE(review): the `> $CAPA_TIMEOUT` redirection is evaluated by the local
# shell, not by do_facet on $SINGLEMDS; with a remote MDS the value would
# land in the local path. Confirm do_facet's contract, or pass the whole
# `echo ... > ...` as one quoted command so the redirection runs on the facet.
mds_capability_timeout() {
[ $# -lt 1 ] && echo "Miss mds capability timeout value" && return 1
echo "Set mds capability timeout as $1 seconds"
do_facet $SINGLEMDS echo $1 > $CAPA_TIMEOUT
# Switch MDS capability on (3) or off (0) by writing $1 to $MDSCAPA; any
# other value is rejected before anything is written.
# Arguments: $1 - 0 or 3 (required).
# Returns:   1 on a missing argument, 2 on an invalid one.
# NOTE(review): the `> $MDSCAPA` redirection runs in the local shell rather
# than on $SINGLEMDS — confirm this is intended for the facets in use.
mds_capability_switch() {
[ $# -lt 1 ] && echo "Miss mds capability switch value" && return 1
0) echo "Turn off mds capability";;
3) echo "Turn on mds capability";;
*) echo "Invalid mds capability switch value" && return 2;;
do_facet $SINGLEMDS echo $1 > $MDSCAPA
# Switch OSS capability on (1) or off (0) on every OST: for each OST index
# the obdfilter directory name is looked up through do_facet and $1 is
# written to its 'capa' file.
# Arguments: $1 - 0 or 1 (required).
# Returns:   1 on a missing argument, 2 on an invalid one.
# NOTE(review): as in the MDS helpers, the `> .../capa` redirection is done
# by the local shell rather than on ost$i — confirm do_facet semantics.
# $i and $j are initialised by loop code not visible here.
oss_capability_switch() {
[ $# -lt 1 ] && echo "Miss oss capability switch value" && return 1
0) echo "Turn off oss capability";;
1) echo "Turn on oss capability";;
*) echo "Invalid oss capability switch value" && return 2;;
while [ $i -lt $OST_COUNT ]; do
OST="`do_facet ost$i ls -l $OST_LPROC/ | grep OST | awk '{print $9}' | grep $j$`"
do_facet ost$i echo $1 > $OST_LPROC/$OST/capa
# Enable fid capability system-wide: unmount the client, switch capability
# on on the MDS and on all OSSes, set the MDS timeout, then remount the
# client. Each step has its own return code (1..5) so a caller can tell
# which one failed.
# Arguments: $1 - MDS capability timeout in seconds (default 1800).
turn_capability_on() {
local capa_timeout=${1:-"1800"}
# To turn on fid capability for the system,
# there is a requirement that fid capability
# is turned on on all MDS/OSS servers before
umount $MOUNT || return 1
mds_capability_switch 3 || return 2
oss_capability_switch 1 || return 3
mds_capability_timeout $capa_timeout || return 4
mount_client $MOUNT || return 5
# Disable fid capability on a live system, OSSes first and then the MDS,
# in the order the comment below requires.
# Returns: 1 if the OSS step fails, 2 if the MDS step fails.
turn_capability_off() {
# to turn off fid capability, you can just do
# it in a live system. But, please turn off
# capability of all OSS servers before MDS servers.
oss_capability_switch 0 || return 1
mds_capability_switch 0 || return 2
# We demonstrate that objects in the filesystem are not accessible
# without secrets supplied by the MDS: we disable a proc variable on the
# MDS so that it does not supply secrets, then try to access objects,
# which must fail.
478 [ -z "$MDT" ] && sec_skip "do not support do_facet operations." && return
482 # Disable proc variable
483 mds_capability_switch 0 || return 1
484 oss_capability_switch 1 || return 2
486 # proc variable disabled -- access to the objects in the filesystem
488 echo "Should get Write error here : (proc variable are disabled "\
489 "-- access to the objects in the filesystem is denied."
492 echo "Write worked well even though secrets not supplied."
496 turn_capability_on || return 4
499 # proc variable enabled, secrets supplied -- write should work now
500 echo "Should not fail here : (proc variable enabled, secrets supplied "\
501 "-- write should work now)."
504 echo "Write failed even though secrets supplied."
511 sec_run_test 5 "capa secrets ========================="
513 # Expiry: A test program is performing I/O on a file. It has credential
514 # with an expiry half a minute later. While the program is running the
515 # credentials expire and no automatic extensions or renewals are
516 # enabled. The program will demonstrate an I/O failure.
520 [ -z "$MDT" ] && sec_skip "do not support do_facet operations." && return
524 turn_capability_on 30 || return 1
526 $WTL $file 60 || return 2
528 # Reset MDS capability timeout
529 mds_capability_timeout 30 || exit 3
# To disable automatic renewal, it is enough to turn capa off on the MDS.
535 mds_capability_switch 0 || return 4
537 echo "We expect I/O failure."
540 echo "no I/O failure got."
547 sec_run_test 6 "capa expiry ========================="
549 log "cleanup: ======================================================"
552 if [ ! -z "$MDT" ]; then
553 do_facet $SINGLEMDS echo $IDENTITY_UPCALL_BAK > $IDENTITY_UPCALL
554 do_facet $SINGLEMDS echo -1 > $IDENTITY_FLUSH
557 $RUNAS -u $ID1 ls $DIR
558 $RUNAS -u $ID2 ls $DIR
563 if [ "$S_MOUNTED" = "yes" ]; then
564 cleanupall -f || sec_error "cleanup failed"
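echo '=========================== finished ==============================='
# Show the per-run log and fail the script if any test recorded a FAIL.
# An unset or missing log, or a failing cat/grep, is not itself an error.
# The path is quoted and passed after '--' so unusual characters in an
# override cannot be word-split or read as options.
if [ -f "$SANITYSECLOG" ] && cat -- "$SANITYSECLOG" &&
   grep -q -- FAIL "$SANITYSECLOG"; then
  exit 1
fi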