+# run as different user
+test_0() {
+ rm -rf $DIR/d0
+ mkdir $DIR/d0
+
+ chown $USER1 $DIR/d0 || sec_error
+ $RUNAS -u $ID1 ls $DIR || sec_error
+ $RUNAS -u $ID1 touch $DIR/f0 && sec_error
+ $RUNAS -u $ID1 touch $DIR/d0/f1 || sec_error
+ $RUNAS -u $ID2 touch $DIR/d0/f2 && sec_error
+ touch $DIR/d0/f3 || sec_error
+ chown root $DIR/d0
+ chgrp $USER1 $DIR/d0
+ chmod 775 $DIR/d0
+ $RUNAS -u $ID1 touch $DIR/d0/f4 || sec_error
+ $RUNAS -u $ID2 touch $DIR/d0/f5 && sec_error
+ touch $DIR/d0/f6 || sec_error
+
+ rm -rf $DIR/d0
+}
+sec_run_test 0 "uid permission ============================="
+
+# setuid/gid
+test_1() {
+ [ $GSS_SUP = 0 ] && sec_skip "without GSS support." && return
+ [ -z "$MDT" ] && sec_skip "do not support do_facet operations." && return
+
+ do_facet $SINGLEMDS rm -f $PERM_CONF
+ do_facet $SINGLEMDS echo -1 > $IDENTITY_FLUSH
+
+ rm -rf $DIR/d1
+ mkdir $DIR/d1
+
+ chown $USER1 $DIR/d1 || sec_error
+ $RUNAS -u $ID2 -v $ID1 touch $DIR/d1/f0 && sec_error
+ do_facet $SINGLEMDS echo "\* $ID2 setuid" > $PERM_CONF
+ echo "enable uid $ID2 setuid"
+ do_facet $SINGLEMDS echo -1 > $IDENTITY_FLUSH
+ $RUNAS -u $ID2 -v $ID1 touch $DIR/d1/f1 || sec_error
+
+ chown root $DIR/d1
+ chgrp $USER1 $DIR/d1
+ chmod 770 $DIR/d1
+ $RUNAS -u $ID2 -g $ID2 touch $DIR/d1/f2 && sec_error
+ $RUNAS -u $ID2 -g $ID2 -j $ID1 touch $DIR/d1/f3 && sec_error
+ do_facet $SINGLEMDS echo "\* $ID2 setuid,setgid" > $PERM_CONF
+ echo "enable uid $ID2 setuid,setgid"
+ do_facet $SINGLEMDS echo -1 > $IDENTITY_FLUSH
+ $RUNAS -u $ID2 -g $ID2 -j $ID1 touch $DIR/d1/f4 || sec_error
+ $RUNAS -u $ID2 -v $ID1 -g $ID2 -j $ID1 touch $DIR/d1/f5 || sec_error
+
+ rm -rf $DIR/d1
+
+ do_facet $SINGLEMDS rm -f $PERM_CONF
+ do_facet $SINGLEMDS echo -1 > $IDENTITY_FLUSH
+}
+sec_run_test 1 "setuid/gid ============================="
+
+# remote_acl
+# for remote client only
+test_2 () {
+ [ "$CLIENT_TYPE" = "local" ] && \
+ sec_skip "remote_acl for remote client only" && return
+ [ -z "$(grep ^acl $MDC_LPROC/*-mdc-*/connect_flags)" ] && \
+ sec_skip "must have acl enabled" && return
+ [ -z "$(which setfacl 2>/dev/null)" ] && \
+ sec_skip "could not find setfacl" && return
+ [ "$UID" != 0 ] && sec_skip "must run as root" && return
+
+ rm -rf $DIR/d2
+ mkdir $DIR/d2
+ chmod 755 $DIR/d2
+ echo xxx > $DIR/d2/f0
+ chmod 644 $DIR/d2/f0
+
+ $LFS getfacl $DIR/d2/f0 || sec_error
+ $RUNAS -u $ID1 cat $DIR/d2/f0 || sec_error
+ $RUNAS -u $ID1 touch $DIR/d2/f0 && sec_error
+
+ $LFS setfacl -m u:$USER1:w $DIR/d2/f0 || sec_error
+ $LFS getfacl $DIR/d2/f0 || sec_error
+ echo "set user $USER1 write permission on file $DIR/d2/f0"
+ $RUNAS -u $ID1 touch $DIR/d2/f0 || sec_error
+ $RUNAS -u $ID1 cat $DIR/d2/f0 && sec_error
+
+ rm -rf $DIR/d2
+}
+sec_run_test 2 "rmtacl ============================="
+
+# rootsquash
+# for remote mdt only
+test_3() {
+ [ $GSS_SUP = 0 ] && sec_skip "without GSS support." && return
+ [ -z "$MDT" ] && sec_skip "do not support do_facet operations." && return
+ [ "$MDT_TYPE" = "local" ] && sec_skip "rootsquash for remote mdt only" && return
+
+ do_facet $SINGLEMDS echo "-\*" > $NOSQUASH_NIDS
+ do_facet $SINGLEMDS echo 0 > $ROOTSQUASH_UID
+ do_facet $SINGLEMDS echo 0 > $ROOTSQUASH_GID
+
+ rm -rf $DIR/d3
+ mkdir $DIR/d3
+ chown $USER1 $DIR/d3
+ chmod 700 $DIR/d3
+ do_facet $SINGLEMDS echo $ID1 > $ROOTSQUASH_UID
+ echo "set rootsquash uid = $ID1"
+ touch $DIR/f3_0 && sec_error
+ touch $DIR/d3/f3_1 || sec_error
+
+ do_facet $SINGLEMDS echo 0 > $ROOTSQUASH_UID
+ echo "disable rootsquash"
+ chown root $DIR/d3
+ chgrp $USER2 $DIR/d3
+ chmod 770 $DIR/d3
+
+ do_facet $SINGLEMDS echo $ID1 > $ROOTSQUASH_UID
+ echo "set rootsquash uid = $ID1"
+ touch $DIR/d3/f3_2 && sec_error
+ do_facet $SINGLEMDS echo $ID2 > $ROOTSQUASH_GID
+ echo "set rootsquash gid = $ID2"
+ touch $DIR/d3/f3_3 || sec_error
+
+ do_facet $SINGLEMDS echo "+\*" > $NOSQUASH_NIDS
+ echo "add host in rootsquash skip list"
+ touch $DIR/f3_4 || sec_error
+
+ do_facet $SINGLEMDS echo 0 > $ROOTSQUASH_UID
+ do_facet $SINGLEMDS echo 0 > $ROOTSQUASH_GID
+ do_facet $SINGLEMDS echo "-\*" > $NOSQUASH_NIDS
+ rm -rf $DIR/d3
+ rm -f $DIR/f3_?
+}
+sec_run_test 3 "rootsquash ============================="
+
+# bug 3285 - supplementary group should always succeed.
+# NB: the supplementary groups are set for local client only,
+# as for remote client, the groups of the specified uid on MDT
+# will be obtained by upcall /sbin/l_getidentity and used.
+test_4() {
+ rm -rf $DIR/d4
+ mkdir $DIR/d4
+ chmod 771 $DIR/d4
+ chgrp $ID1 $DIR/d4
+ $RUNAS -u $ID1 ls $DIR/d4 || sec_error "setgroups(1) failed"
+ if [ "$CLIENT_TYPE" != "remote" ]; then
+ if [ ! -z "$MDT" ]; then
+ do_facet $SINGLEMDS echo "\* $ID2 setgrp" > $PERM_CONF
+ do_facet $SINGLEMDS echo -1 > $IDENTITY_FLUSH
+ fi
+ $RUNAS -u $ID2 -G1,2,$ID1 ls $DIR/d4 || sec_error "setgroups(2) failed"
+ if [ ! -z "$MDT" ]; then
+ do_facet $SINGLEMDS rm -f $PERM_CONF
+ do_facet $SINGLEMDS echo -1 > $IDENTITY_FLUSH
+ fi
+ fi
+ $RUNAS -u $ID2 -G1,2 ls $DIR/d4 && sec_error "setgroups(3) failed"
+ rm -rf $DIR/d4
+}
+sec_run_test 4 "set supplementary group ==============="