From 0c36574b5bb9d52e5d5c62f3f8c08977553b143c Mon Sep 17 00:00:00 2001
From: ericm
Date: Fri, 3 Jun 2005 02:52:55 +0000
Subject: [PATCH] add more and adjust acl test script.

---
 lustre/tests/acl/README | 1 +
 lustre/tests/acl/cp.test | 46 ++++
 lustre/tests/acl/getfacl-noacl.test | 55 +++++
 lustre/tests/acl/misc.test | 426 ++++++++++++++++++++++++++++++++++++
 lustre/tests/acl/permissions.test | 279 +++++++++++++++++++++++
 lustre/tests/acl/run | 273 +++++++++++++++++++++++
 lustre/tests/acl/setfacl.test | 144 ++++++++++++
 lustre/tests/sanity-sec.sh | 24 +-
 8 files changed, 1236 insertions(+), 12 deletions(-)
 create mode 100644 lustre/tests/acl/README
 create mode 100644 lustre/tests/acl/cp.test
 create mode 100644 lustre/tests/acl/getfacl-noacl.test
 create mode 100644 lustre/tests/acl/misc.test
 create mode 100644 lustre/tests/acl/permissions.test
 create mode 100755 lustre/tests/acl/run
 create mode 100644 lustre/tests/acl/setfacl.test

diff --git a/lustre/tests/acl/README b/lustre/tests/acl/README
new file mode 100644
index 0000000..cb98f79
--- /dev/null
+++ b/lustre/tests/acl/README
@@ -0,0 +1 @@
+copied from acl-2.2.23/test/
diff --git a/lustre/tests/acl/cp.test b/lustre/tests/acl/cp.test
new file mode 100644
index 0000000..980002c
--- /dev/null
+++ b/lustre/tests/acl/cp.test
@@ -0,0 +1,46 @@
+The cp utility should only copy ACLs if `-p' is given.
+
+ $ umask 022
+ $ mkdir d
+ $ cd d
+ $ touch f
+ $ setfacl -m u:bin:rw f
+ $ ls -l f | awk -- '{ print $1 }'
+ > -rw-rw-r--+
+
+ $ cp f g
+ $ ls -l g | awk -- '{ print $1 }'
+ > -rw-r--r--
+
+ $ rm g
+ $ cp -p f g
+ $ ls -l f | awk -- '{ print $1 }'
+ > -rw-rw-r--+
+
+ $ mkdir h
+ $ echo blubb > h/x
+ $ cp -rp h i
+ $ cat i/x
+ > blubb
+
+ $ rm -r i
+ $ setfacl -R -m u:bin:rwX h
+ $ getfacl --omit-header h/x
+ > user::rw-
+ > user:bin:rwx
+ > group::r--
+ > mask::rwx
+ > other::r--
+ >
+
+ $ cp -rp h i
+ $ getfacl --omit-header i/x
+ > user::rw-
+ > user:bin:rwx
+ > group::r--
+ > mask::rwx
+ > other::r--
+ >
+
+ $ cd ..
+ $ rm -r d
diff --git a/lustre/tests/acl/getfacl-noacl.test b/lustre/tests/acl/getfacl-noacl.test
new file mode 100644
index 0000000..6d730c4
--- /dev/null
+++ b/lustre/tests/acl/getfacl-noacl.test
@@ -0,0 +1,55 @@
+Getfacl utility option parsing tests. This test can be run on a
+filesystem with or without ACL support.
+
+ $ mkdir test
+ $ cd test
+ $ umask 027
+ $ touch x
+ $ getfacl --omit-header x
+ > user::rw-
+ > group::r--
+ > other::---
+ >
+
+ $ getfacl --omit-header --access x
+ > user::rw-
+ > group::r--
+ > other::---
+ >
+
+ $ getfacl --omit-header -d x
+ $ getfacl --omit-header -d .
+ $ getfacl --omit-header -d /
+ > getfacl: Removing leading '/' from absolute path names
+
+ $ getfacl --skip-base x
+ $ getfacl --omit-header --all-effective x
+ > user::rw-
+ > group::r--
+ > other::---
+ >
+
+ $ getfacl --omit-header --no-effective x
+ > user::rw-
+ > group::r--
+ > other::---
+ >
+
+ $ mkdir d
+ $ touch d/y
+ $ ln -s d l
+ $ getfacl -dR . | grep file | sort
+ > # file: .
+ > # file: d
+ > # file: d/y
+ > # file: x
+
+ $ ln -s l ll
+ $ getfacl -dLR ll | grep file | sort
+ > # file: ll
+ > # file: ll/y
+
+ $ rm l ll x
+ $ rm -rf d
+ $ cd ..
+ $ rmdir test
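Review bot: The `cp -p f g` case never inspects the copy: after `$ rm g` and `$ cp -p f g` the check runs `ls -l f`, so the expectation `-rw-rw-r--+` is satisfied by the source file and the test would still pass if `-p` silently dropped the ACL. Change the listing to `$ ls -l g | awk -- '{ print $1 }'` so the expected `+` flag is read from `g`. The recursive case further down does read back `i/x` via getfacl, so only the plain-file case lacks coverage.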
diff --git a/lustre/tests/acl/misc.test b/lustre/tests/acl/misc.test
new file mode 100644
index 0000000..7c62c64
--- /dev/null
+++ b/lustre/tests/acl/misc.test
@@ -0,0 +1,426 @@ +Pretty comprehensive ACL tests. + +This must be run on a filesystem with ACL support. Also, you will need +two dummy users (bin and daemon) and a dummy group (daemon). + + $ umask 027 + $ touch f + +Only change a base ACL: + $ setfacl -m u::r f + $ setfacl -m u::rw,u:bin:rw f + $ ls -dl f | awk '{print $1}' + > -rw-rw----+ + + $ getfacl --omit-header f + > user::rw- + > user:bin:rw- + > group::r-- + > mask::rw- + > other::--- + > + + $ rm f + $ umask 022 + $ touch f + $ setfacl -m u:bin:rw f + $ ls -dl f | awk '{print $1}' + > -rw-rw-r--+ + + $ getfacl --omit-header f + > user::rw- + > user:bin:rw- + > group::r-- + > mask::rw- + > other::r-- + > + + $rm f + $ umask 027 + $ mkdir d + $ setfacl -m u:bin:rwx d + $ ls -dl d | awk '{print $1}' + > drwxrwx---+ + + $ getfacl --omit-header d + > user::rwx + > user:bin:rwx + > group::r-x + > mask::rwx + > other::--- + > + + $ rmdir d + $ umask 022 + $ mkdir d + $ setfacl -m u:bin:rwx d + $ ls -dl d | awk '{print $1}' + > drwxrwxr-x+ + + $ getfacl --omit-header d + > user::rwx + > user:bin:rwx + > group::r-x + > mask::rwx + > other::r-x + > + + $ rmdir d + + +Multiple users + + $ umask 022 + $ touch f + $ setfacl -m u:bin:rw,u:daemon:r f + $ ls -dl f | awk '{print $1}' + > -rw-rw-r--+ + + $ getfacl --omit-header f + > user::rw- + > user:bin:rw- + > user:daemon:r-- + > group::r-- + > mask::rw- + > other::r-- + > + +Multiple groups + + $ setfacl -m g:users:rw,g:daemon:r f + $ ls -dl f | awk '{print $1}' + > -rw-rw-r--+ + + $ getfacl --omit-header f + > user::rw- + > user:bin:rw- + > user:daemon:r-- + > group::r-- + > group:daemon:r-- + > group:users:rw- + > mask::rw- + > other::r-- + > + +Remove one group + + $ setfacl -x g:users f + $ ls -dl f | awk '{print $1}' + > -rw-rw-r--+ + + $ getfacl --omit-header f + > user::rw- + > user:bin:rw- + > user:daemon:r-- + > group::r-- + > group:daemon:r-- + > mask::rw- + > other::r-- + > + +Remove one user + + $ setfacl -x u:daemon f + $ ls -dl f | awk '{print $1}' + > 
-rw-rw-r--+ + + $ getfacl --omit-header f + > user::rw- + > user:bin:rw- + > group::r-- + > group:daemon:r-- + > mask::rw- + > other::r-- + > + + $ rm f + +Default ACL + + $ umask 027 + $ mkdir d + $ setfacl -m u:bin:rwx,u:daemon:rw,d:u:bin:rwx,d:m:rx d + $ ls -dl d | awk '{print $1}' + > drwxrwx---+ + + $ getfacl --omit-header d + > user::rwx + > user:bin:rwx + > user:daemon:rw- + > group::r-x + > mask::rwx + > other::--- + > default:user::rwx + > default:user:bin:rwx #effective:r-x + > default:group::r-x + > default:mask::r-x + > default:other::--- + > + +Umask now ignored? + + $ umask 027 + $ touch d/f + $ ls -dl d/f | awk '{print $1}' + > -rw-r-----+ + + $ getfacl --omit-header d/f + > user::rw- + > user:bin:rwx #effective:r-- + > group::r-x #effective:r-- + > mask::r-- + > other::--- + > + + $ rm d/f + $ umask 022 + $ touch d/f + $ ls -dl d/f | awk '{print $1}' + > -rw-r-----+ + + $ getfacl --omit-header d/f + > user::rw- + > user:bin:rwx #effective:r-- + > group::r-x #effective:r-- + > mask::r-- + > other::--- + > + + $ rm d/f + +Default ACL copying + + $ umask 000 + $ mkdir d/d + $ ls -dl d/d | awk '{print $1}' + > drwxr-x---+ + + $ getfacl --omit-header d/d + > user::rwx + > user:bin:rwx #effective:r-x + > group::r-x + > mask::r-x + > other::--- + > default:user::rwx + > default:user:bin:rwx #effective:r-x + > default:group::r-x + > default:mask::r-x + > default:other::--- + > + + $ rmdir d/d + $ umask 022 + $ mkdir d/d + $ ls -dl d/d | awk '{print $1}' + > drwxr-x---+ + + $ getfacl --omit-header d/d + > user::rwx + > user:bin:rwx #effective:r-x + > group::r-x + > mask::r-x + > other::--- + > default:user::rwx + > default:user:bin:rwx #effective:r-x + > default:group::r-x + > default:mask::r-x + > default:other::--- + > + +Add some users and groups + + $ setfacl -nm u:daemon:rx,d:u:daemon:rx,g:users:rx,g:daemon:rwx d/d + $ ls -dl d/d | awk '{print $1}' + > drwxr-x---+ + + $ getfacl --omit-header d/d + > user::rwx + > user:bin:rwx #effective:r-x + > 
user:daemon:r-x + > group::r-x + > group:daemon:rwx #effective:r-x + > group:users:r-x + > mask::r-x + > other::--- + > default:user::rwx + > default:user:bin:rwx #effective:r-x + > default:user:daemon:r-x + > default:group::r-x + > default:mask::r-x + > default:other::--- + > + +Symlink in directory with default ACL? + + $ ln -s d d/l + $ ls -dl d/l | awk '{print $1}' + > lrwxrwxrwx + + $ ls -dl -L d/l | awk '{print $1}' + > drwxr-x---+ + + $ getfacl --omit-header d/l + > user::rwx + > user:bin:rwx #effective:r-x + > user:daemon:r-x + > group::r-x + > group:daemon:rwx #effective:r-x + > group:users:r-x + > mask::r-x + > other::--- + > default:user::rwx + > default:user:bin:rwx #effective:r-x + > default:user:daemon:r-x + > default:group::r-x + > default:mask::r-x + > default:other::--- + > + + $ rm d/l + +Does mask manipulation work? + + $ setfacl -m g:daemon:rx,u:bin:rx d/d + $ ls -dl d/d | awk '{print $1}' + > drwxr-x---+ + + $ getfacl --omit-header d/d + > user::rwx + > user:bin:r-x + > user:daemon:r-x + > group::r-x + > group:daemon:r-x + > group:users:r-x + > mask::r-x + > other::--- + > default:user::rwx + > default:user:bin:rwx #effective:r-x + > default:user:daemon:r-x + > default:group::r-x + > default:mask::r-x + > default:other::--- + > + + $ setfacl -m d:u:bin:rwx d/d + $ ls -dl d/d | awk '{print $1}' + > drwxr-x---+ + + $ getfacl --omit-header d/d + > user::rwx + > user:bin:r-x + > user:daemon:r-x + > group::r-x + > group:daemon:r-x + > group:users:r-x + > mask::r-x + > other::--- + > default:user::rwx + > default:user:bin:rwx + > default:user:daemon:r-x + > default:group::r-x + > default:mask::rwx + > default:other::--- + > + + $ rmdir d/d + +Remove the default ACL + + $ setfacl -k d + $ ls -dl d | awk '{print $1}' + > drwxrwx---+ + + $ getfacl --omit-header d + > user::rwx + > user:bin:rwx + > user:daemon:rw- + > group::r-x + > mask::rwx + > other::--- + > + +Reset to base entries + + $ setfacl -b d + $ ls -dl d | awk '{print $1}' + > drwxr-x--- + + 
$ getfacl --omit-header d + > user::rwx + > group::r-x + > other::--- + > + +Now, chmod should change the group_obj entry + + $ chmod 775 d + $ ls -dl d | awk '{print $1}' + > drwxrwxr-x + + $ getfacl --omit-header d + > user::rwx + > group::rwx + > other::r-x + > + + $ rmdir d + $ umask 002 + $ mkdir d + $ setfacl -m u:daemon:rwx,u:bin:rx,d:u:daemon:rwx,d:u:bin:rx d + $ ls -dl d | awk '{print $1}' + > drwxrwxr-x+ + + $ getfacl --omit-header d + > user::rwx + > user:bin:r-x + > user:daemon:rwx + > group::rwx + > mask::rwx + > other::r-x + > default:user::rwx + > default:user:bin:r-x + > default:user:daemon:rwx + > default:group::rwx + > default:mask::rwx + > default:other::r-x + > + + $ chmod 750 d + $ ls -dl d | awk '{print $1}' + > drwxr-x---+ + + $ getfacl --omit-header d + > user::rwx + > user:bin:r-x + > user:daemon:rwx #effective:r-x + > group::rwx #effective:r-x + > mask::r-x + > other::--- + > default:user::rwx + > default:user:bin:r-x + > default:user:daemon:rwx + > default:group::rwx + > default:mask::rwx + > default:other::r-x + > + + $ chmod 750 d + $ ls -dl d | awk '{print $1}' + > drwxr-x---+ + + $ getfacl --omit-header d + > user::rwx + > user:bin:r-x + > user:daemon:rwx #effective:r-x + > group::rwx #effective:r-x + > mask::r-x + > other::--- + > default:user::rwx + > default:user:bin:r-x + > default:user:daemon:rwx + > default:group::rwx + > default:mask::rwx + > default:other::r-x + > + + $ rmdir d diff --git a/lustre/tests/acl/permissions.test b/lustre/tests/acl/permissions.test new file mode 100644 index 0000000..17f696e --- /dev/null +++ b/lustre/tests/acl/permissions.test 
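Review bot: The line `$rm f` after the second `getfacl --omit-header f` block is missing the space every other command line has; it only executes because the runner's `^\s*\$ ?` pattern makes the space optional, so write it as `$ rm f` so a stricter parser does not silently treat it as prose and leave `f` behind. The closing `chmod 750 d` check is repeated verbatim; if the second copy is meant to show that an idempotent chmod leaves the ACL unchanged, a heading such as `Repeating the chmod must not alter the ACL` would make that explicit, otherwise drop it. The header names only bin, daemon and group daemon, yet the file also relies on group `users` (`g:users:rw`), which sanity-sec.sh rewrites with sed; stating that substitution in the header would spare the next reader the hunt.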
@@ -0,0 +1,279 @@ +This script tests if file permissions are properly checked with and +without ACLs. The script must be run as root to allow switching users. +The following users are required. They must be a member in the groups +listed in parentheses. + + bin (bin) + daemon (bin, daemon) + + +Cry immediately if we are not running as root. + + $ id -u + > 0 + + +First, set up a temporary directory and create a regular file with +defined permissions. + + $ mkdir d + $ cd d + $ umask 027 + $ touch f + $ ls -l f | awk -- '{ print $1, $3, $4 }' + > -rw-r----- root root + + +Make sure root has access to the file. Verify that user daemon does not +have access to the file owned by root. + + $ echo root > f + + $ su daemon + $ echo daemon >> f + > f: Permission denied + + $ su + + +Now, change the ownership of the file to bin:bin and verify that this +gives user bin write access. + + $ chown bin:bin f + $ ls -l f | awk -- '{ print $1, $3, $4 }' + > -rw-r----- bin bin + $ su bin + $ echo bin >> f + + +User daemon is a member in the owning group, which has only read access. +Verify this. + + $ su daemon + $ cat f + > root + > bin + + $ echo daemon >> f + > f: Permission denied + + +Now, add an ACL entry for user daemon that grants him rw- access. File +owners and users capable of CAP_FOWNER are allowed to change ACLs. + + $ su bin + $ setfacl -m u:daemon:rw f + $ getfacl --omit-header f + > user::rw- + > user:daemon:rw- + > group::r-- + > mask::rw- + > other::--- + > + + +Verify that the additional ACL entry grants user daemon write access. + + $ su daemon + $ echo daemon >> f + $ cat f + > root + > bin + > daemon + + +Remove write access from the group class permission bits, and +verify that this masks daemon's write permission. 
+ + $ su bin + $ chmod g-w f + $ getfacl --omit-header f + > user::rw- + > user:daemon:rw- #effective:r-- + > group::r-- + > mask::r-- + > other::--- + > + + $ su daemon + $ echo daemon >> f + > f: Permission denied + + +Add an entry for group daemon with rw- access, and change the +permissions for user daemon to r--. Also change the others permissions t +rw-. The user entry should take precedence, so daemon should be denied +access. + + $ su bin + $ setfacl -m u:daemon:r,g:daemon:rw-,o::rw- f + + $ su daemon + $ echo daemon >> f + > f: Permission denied + + +Remove the entry for user daemon. The group daemon permissions should +now give user daemon rw- access. + + $ su bin + $ setfacl -x u:daemon f + + $ su daemon + $ echo daemon2 >> f + $ cat f + > root + > bin + > daemon + > daemon2 + + +Set the group daemon permissions to r-- and verify that after than, user +daemon does not have write access anymore. + + $ su bin + $ setfacl -m g:daemon:r f + + $ su daemon + $ echo daemon3 >> f + > f: Permission denied + + +Now, remove the group daemon entry. Because user daemon is a member in +the owning group, he should still have no write access. + + $ su bin + $ setfacl -x g:daemon f + + $ su daemon + $ echo daemon4 >> f + > f: Permission denied + + +Change the owning group. The other permissions should now grant user +daemon write access. + + $ su + $ chgrp root f + + $ su daemon + $ echo daemon5 >> f + $ cat f + > root + > bin + > daemon + > daemon2 + > daemon5 + + +Verify that permissions in separate matching ACL entries do not +accumulate. + + $ su + $ setfacl -m g:bin:r,g:daemon:w f + + $ su daemon + $ : < f # open for reading + $ : > f # open for writing + $ : <> f # open for read-write + > f: Permission denied + + +Test if directories can have ACLs. We assume that only one access check +algorithm is used for all file types the file system, so these tests +only need to verify that ACL permissions make a difference. 
+ + $ su + $ mkdir -m 750 e + $ touch e/h + + $ su bin + $ shopt -s nullglob ; echo e/* + > + + $ echo i > e/i + > e/i: Permission denied + + $ su + $ setfacl -m u:bin:rx e + + $ su bin + $ echo e/* + > e/h + $ echo i > e/i + > e/i: Permission denied + + $ su + $ setfacl -m u:bin:rwx e + + $ su bin + $ echo i > e/i + + +Test if symlinks are properly followed. + + $ su + $ touch g + $ ln -s g l + $ setfacl -m u:bin:rw l + $ ls -l g | awk -- '{ print $1, $3, $4 }' + > -rw-rw----+ root root + + +Test if ACLs are effective for block and character special files, fifos, +sockets. This is done by creating special files locally. The devices do +not need to exist: The access check is earlier in the code path than the +test if the device exists. + + + $ mknod -m 0660 hdt b 91 64 # /dev/hdt + $ mknod -m 0660 null c 1 3 # /dev/null + $ mkfifo -m 0660 fifo + + $ su bin + $ : < hdt + > hdt: Permission denied + $ : < null + > null: Permission denied + $ : < fifo + > fifo: Permission denied + + $ su + $ setfacl -m u:bin:rw hdt null fifo + + $ su bin + $ : < hdt + > hdt: No such device or address + $ : < null + $ ( echo blah > fifo & ) ; cat fifo + > blah + + +Test if CAP_FOWNER is properly honored for directories. This addresses a +specific bug in XFS 1.2, which does not grant root access to files in +directories if the file has an ACL and only CAP_FOWNER would grant them. + + $ su + $ mkdir -m 600 x + $ chown daemon:daemon x + $ echo j > x/j + $ ls -l x/j | awk -- '{ print $1, $3, $4 }' + > -rw-r----- root root + + $ setfacl -m u:daemon:r x + + $ ls -l x/j | awk -- '{ print $1, $3, $4 }' + > -rw-r----- root root + (With the bug this gives: `ls: x/j: Permission denied'.) + + $ echo k > x/k + (With the bug this gives: `x/k: Permission denied'.) + + $ chmod 750 x + + +Clean up. + + $ su + $ cd .. + $ rm -rf d diff --git a/lustre/tests/acl/run b/lustre/tests/acl/run new file mode 100755 index 0000000..c4d017a --- /dev/null +++ b/lustre/tests/acl/run 
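Review bot: The `id -u` / `> 0` step described as "Cry immediately if we are not running as root" does not stop anything: from what the runner in this patch shows, a mismatch is only counted as a failed test and execution continues, so an unprivileged run proceeds into the `su` steps (which fail with `su:` messages) and every later chown, mknod and write runs as the invoking user. Reword the comment to `A non-zero id here means the rest of this file will fail; the runner does not abort on a failed check.` or give the runner an abort-on-failure mode for this one step. The device expectations (`hdt: No such device or address` for major 91, `null` readable) are host-specific as well; a one-line note that they assume no such block device is present would help whoever sees them fail.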
@@ -0,0 +1,273 @@ +#!/usr/bin/perl -w -U + +# +# Possible improvements: +# +# - distinguish stdout and stderr output +# - add environment variable like assignments +# - run up to a specific line +# - resume at a specific line +# + +use strict; +use FileHandle; +use Getopt::Std; +use POSIX qw(isatty setuid); +use vars qw($opt_v); + +no warnings qw(taint); + +getopts('v'); + +my ($OK, $FAILED) = ("ok", "failed"); +if (isatty(fileno(STDOUT))) { + $OK = "\033[32m" . $OK . "\033[m"; + $FAILED = "\033[31m\033[1m" . $FAILED . "\033[m"; +} + +sub exec_test($$); + +my ($prog, $in, $out) = ([], [], []); +my $line_number = 0; +my $prog_line; +my ($tests, $failed) = (0,0); + +for (;;) { + my $line = <>; $line_number++; + if (defined $line) { + # Substitute %VAR and %{VAR} with environment variables. + $line =~ s[%(?:(\w+)|\{(\w+)\})][$ENV{"$1$2"}]eg; + } + if (defined $line) { + if ($line =~ s/^\s*< ?//) { + push @$in, $line; + } elsif ($line =~ s/^\s*> ?//) { + push @$out, $line; + } else { + process_test($prog, $prog_line, $in, $out); + + $prog = []; + $prog_line = 0; + } + if ($line =~ s/^\s*\$ ?//) { + $line =~ s/\s+#.*//; # remove comments here... + $prog = [ map { s/\\(.)/$1/g; $_ } split /(? @$result) ? @$out : @$result; + for (my $n=0; $n < $nmax; $n++) { + if (!defined($out->[$n]) || !defined($result->[$n]) || + $out->[$n] ne $result->[$n]) { + $good = 0; + } + } + $tests++; + $failed++ unless $good; + print $good ? $OK : $FAILED, "\n"; + if (!$good) { + for (my $n=0; $n < $nmax; $n++) { + my $l = defined($out->[$n]) ? $out->[$n] : "~"; + chomp $l; + my $r = defined($result->[$n]) ? $result->[$n] : "~"; + chomp $r; + print sprintf("%-37s %s %-39s\n", $l, $l eq $r ? 
"|" : "?", $r); + } + } elsif ($opt_v) { + print join('', @$result); + } +} + + +sub su($) { + my ($user) = @_; + + $user ||= "root"; + + my ($login, $pass, $uid, $gid) = getpwnam($user) + or return [ "su: user $user does not exist\n" ]; + my @groups = (); + my $fh = new FileHandle("/etc/group") + or return [ "opening /etc/group: $!\n" ]; + while (<$fh>) { + chomp; + my ($group, $passwd, $gid, $users) = split /:/; + foreach my $u (split /,/, $users) { + push @groups, $gid + if ($user eq $u); + } + } + $fh->close; + + my $groups = join(" ", ($gid, $gid, @groups)); + #print STDERR "[[$groups]]\n"; + $! = 0; # reset errno + $> = 0; + $( = $gid; + $) = $groups; + if ($!) { + return [ "su: $!\n" ]; + } + if ($uid != 0) { + $> = $uid; + #$< = $uid; + if ($!) { + return [ "su: $prog->[1]: $!\n" ]; + } + } + #print STDERR "[($>,$<)($(,$))]"; + return []; +} + + +sub sg($) { + my ($group) = @_; + + my $gid = getgrnam($group) + or return [ "sg: group $group does not exist\n" ]; + my %groups = map { $_ eq $gid ? () : ($_ => 1) } (split /\s/, $)); + + #print STDERR "<<", join("/", keys %groups), ">>\n"; + my $groups = join(" ", ($gid, $gid, keys %groups)); + #print STDERR "[[$groups]]\n"; + $! = 0; # reset errno + if ($> != 0) { + my $uid = $>; + $> = 0; + $( = $gid; + $) = $groups; + $> = $uid; + } else { + $( = $gid; + $) = $groups; + } + if ($!) 
{ + return [ "sg: $!\n" ]; + } + print STDERR "[($>,$<)($(,$))]"; + return []; +} + + +sub exec_test($$) { + my ($prog, $in) = @_; + local (*IN, *IN_DUP, *IN2, *OUT_DUP, *OUT, *OUT2); + my $needs_shell = (join('', @$prog) =~ /[][|<>"'`\$\*\?]/); + + if ($prog->[0] eq "umask") { + umask oct $prog->[1]; + return []; + } elsif ($prog->[0] eq "cd") { + if (!chdir $prog->[1]) { + return [ "chdir: $prog->[1]: $!\n" ]; + } + return []; + } elsif ($prog->[0] eq "su") { + return su($prog->[1]); + } elsif ($prog->[0] eq "sg") { + return sg($prog->[1]); + } + + pipe *IN2, *OUT + or die "Can't create pipe for reading: $!"; + open *IN_DUP, "<&STDIN" + or *IN_DUP = undef; + open *STDIN, "<&IN2" + or die "Can't duplicate pipe for reading: $!"; + close *IN2; + + open *OUT_DUP, ">&STDOUT" + or die "Can't duplicate STDOUT: $!"; + pipe *IN, *OUT2 + or die "Can't create pipe for writing: $!"; + open *STDOUT, ">&OUT2" + or die "Can't duplicate pipe for writing: $!"; + close *OUT2; + + *STDOUT->autoflush(); + *OUT->autoflush(); + + if (fork()) { + # Server + if (*IN_DUP) { + open *STDIN, "<&IN_DUP" + or die "Can't duplicate STDIN: $!"; + close *IN_DUP + or die "Can't close STDIN duplicate: $!"; + } + open *STDOUT, ">&OUT_DUP" + or die "Can't duplicate STDOUT: $!"; + close *OUT_DUP + or die "Can't close STDOUT duplicate: $!"; + + foreach my $line (@$in) { + #print "> $line"; + print OUT $line; + } + close *OUT + or die "Can't close pipe for writing: $!"; + + my $result = []; + while () { + #print "< $_"; + if ($needs_shell) { + s#^/bin/sh: line \d+: ##; + } + push @$result, $_; + } + return $result; + } else { + # Client + $< = $>; + close IN + or die "Can't close read end for input pipe: $!"; + close OUT + or die "Can't close write end for output pipe: $!"; + close OUT_DUP + or die "Can't close STDOUT duplicate: $!"; + local *ERR_DUP; + open ERR_DUP, ">&STDERR" + or die "Can't duplicate STDERR: $!"; + open STDERR, ">&STDOUT" + or die "Can't join STDOUT and STDERR: $!"; + + if 
($needs_shell) { + exec ('/bin/sh', '-c', join(" ", @$prog)); + } else { + exec @$prog; + } + print STDERR $prog->[0], ": $!\n"; + exit; + } +} + diff --git a/lustre/tests/acl/setfacl.test b/lustre/tests/acl/setfacl.test new file mode 100644 index 0000000..2c10bd1 --- /dev/null +++ b/lustre/tests/acl/setfacl.test 
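Review bot: `su()` derives supplementary groups by parsing `/etc/group` by hand, so memberships served by other NSS sources (NIS/LDAP) are silently missed and the permission tests then run with a smaller group set than a real login would have; Perl's `getgrent` honours NSS and can replace the file loop, e.g. `while (my @g = getgrent) { push @groups, $g[2] if grep { $_ eq $user } split /,/, $g[3]; } endgrent;`. The output normalisation `s#^/bin/sh: line \d+: ##` assumes `/bin/sh` is bash; dash prefixes errors as `/bin/sh: 1: cannot create f:`, so the `f: Permission denied` expectations in permissions.test fail on such hosts unless the shell branch execs `bash -c` explicitly. Also note that after `$< = $>` in the child the real uid is dropped but the parent keeps real uid 0 by design, which is why `su` with no argument can return to root; a comment saying so would stop a reader from "fixing" the commented-out `#$< = $uid`. Parts of this listing appear garbled (the `split /(?` line and `while () {`), so `process_test` could not be fully reviewed.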
@@ -0,0 +1,144 @@ +Setfacl utility tests. Run these tests on a filesystem with ACL support. + + $ mkdir d + $ chown bin:bin d + $ cd d + + $ su bin + $ sg bin + $ umask 027 + $ touch g + $ ls -dl g | awk '{print $1}' + > -rw-r----- + + $ setfacl -m m:- g + $ ls -dl g | awk '{print $1}' + > -rw-------+ + + $ getfacl g + > # file: g + > # owner: bin + > # group: bin + > user::rw- + > group::r-- #effective:--- + > mask::--- + > other::--- + > + + $ setfacl -x m g + $ getfacl g + > # file: g + > # owner: bin + > # group: bin + > user::rw- + > group::r-- + > other::--- + > + + $ setfacl -m u:daemon:rw g + $ getfacl g + > # file: g + > # owner: bin + > # group: bin + > user::rw- + > user:daemon:rw- + > group::r-- + > mask::rw- + > other::--- + > + + $ setfacl -m u::rwx,g::r-x,o:- g + $ getfacl g + > # file: g + > # owner: bin + > # group: bin + > user::rwx + > user:daemon:rw- + > group::r-x + > mask::rwx + > other::--- + > + + $ setfacl -m u::rwx,g::r-x,o:-,m:- g + $ getfacl g + > # file: g + > # owner: bin + > # group: bin + > user::rwx + > user:daemon:rw- #effective:--- + > group::r-x #effective:--- + > mask::--- + > other::--- + > + + $ setfacl -m u::rwx,g::r-x,o:-,u:root:-,m:- g + $ getfacl g + > # file: g + > # owner: bin + > # group: bin + > user::rwx + > user:root:--- + > user:daemon:rw- #effective:--- + > group::r-x #effective:--- + > mask::--- + > other::--- + > + + $ setfacl -m u::rwx,g::r-x,o:-,u:root:-,m:- g + $ getfacl g + > # file: g + > # owner: bin + > # group: bin + > user::rwx + > user:root:--- + > user:daemon:rw- #effective:--- + > group::r-x #effective:--- + > mask::--- + > other::--- + > + + $ setfacl -m u::rwx,g::r-x,o:-,u:root:- g + $ getfacl g + > # file: g + > # owner: bin + > # group: bin + > user::rwx + > user:root:--- + > user:daemon:rw- + > group::r-x + > mask::rwx + > other::--- + > + + $ setfacl --test -x u: g + > setfacl: g: Malformed access ACL `user:root:---,user:daemon:rw-,group::r-x,mask::rwx,other::---': Missing or wrong entry at 
entry 1 + + $ setfacl --test -x u:x + > setfacl: Option -x: Invalid argument near character 3 + + $ setfacl -m d:u:root:rwx g + > setfacl: g: Only directories can have default ACLs + + $ setfacl -x m g + > setfacl: g: Malformed access ACL `user::rwx,user:root:---,user:daemon:rw-,group::r-x,other::---': Missing or wrong entry at entry 5 + setfacl --test -m d:u:daemon:rwx setfacl + setfacl --test -n -m d:u:daemon:rwx setfacl + +Check if the mask is properly recalculated + + $ mkdir d + $ setfacl --test -m u::rwx,u:bin:rwx,g::r-x,o::--- d + > d: u::rwx,u:bin:rwx,g::r-x,m::rwx,o::---,* + + $ setfacl --test -m u::rwx,u:bin:rwx,g::r-x,m::---,o::--- d + > d: u::rwx,u:bin:rwx,g::r-x,m::---,o::---,* + + $ setfacl --test -d -m u::rwx,u:bin:rwx,g::r-x,o::--- d + > d: *,d:u::rwx,d:u:bin:rwx,d:g::r-x,d:m::rwx,d:o::--- + + $ setfacl --test -d -m u::rwx,u:bin:rwx,g::r-x,m::---,o::--- d + > d: *,d:u::rwx,d:u:bin:rwx,d:g::r-x,d:m::---,d:o::--- + + $ su + $ cd .. + $ rm -r d diff --git a/lustre/tests/sanity-sec.sh b/lustre/tests/sanity-sec.sh index 73d2830..fbc8229 100644 --- a/lustre/tests/sanity-sec.sh +++ b/lustre/tests/sanity-sec.sh @@ -300,6 +300,12 @@ test_2() { } run_test 2 "set/get xattr test (trusted xattr only) ============" +run_acl_subtest() +{ + sed -e "s/joe/$USER1/g;s/lisa/$USER2/g;s/users/$GROUP1/g;s/toolies/$GROUP2/g" \ + $SAVE_PWD/acl/$1.test | $SAVE_PWD/acl/run || error "$? $1.test failed" +} + test_3 () { SAVE_UMASK=`umask` umask 022 
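Review bot: The two lines `setfacl --test -m d:u:daemon:rwx setfacl` and `setfacl --test -n -m d:u:daemon:rwx setfacl` following the `Missing or wrong entry at entry 5` expectation carry no `$` prefix, so the runner treats them as prose and they exercise nothing. Either prefix them with `$ ` and add the `> ` output they are meant to produce, or delete them so a reader does not assume default-ACL-on-regular-file handling is covered. The file also requires root for the opening `chown bin:bin d` and the `su bin` / `sg bin` switches and assumes users bin and daemon exist, but its header only mentions ACL support; add those prerequisites to the first line.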
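Review bot: `run_acl_subtest` never checks that `$SAVE_PWD/acl/$1.test` exists: without `pipefail` a misspelt name makes `sed` fail quietly, `run` reads empty input and, if it exits 0 when it ran no tests (its exit path is not in view), the subtest passes vacuously. Add `[ -f "$SAVE_PWD/acl/$1.test" ] || error "$1.test missing"` ahead of the pipeline and quote both `"$SAVE_PWD/acl/$1.test"` and `"$SAVE_PWD/acl/run"`. The unanchored `s/users/$GROUP1/g` also rewrites prose such as the "Multiple users" heading in misc.test, harmless today, but any future expected-output line containing "users" would be rewritten too; a dedicated placeholder or a word-bounded pattern would be safer.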
@@ -308,21 +314,15 @@ test_3 () { GROUP1=nobody GROUP2=users - chmod +x runacltest - chmod +x acl_mode cd $DIR - #sed -e "s/joe/$USER1/g;s/lisa/$USER2/g;s/users/$GROUP1/g;s/toolies/$GROUP2/g" $SAVE_PWD/setfacl.test | runacltest || -#error "$? setfacl tests failed" - - #sed -e "s/joe/$USER1/g;s/lisa/$USER2/g;s/users/$GROUP1/g;s/toolies/$GROUP2/g" $SAVE_PWD/acl_asroot.test | runacltest || error "$? acl_asroot tests failed" - - #sed -e "s/joe/$USER1/g;s/lisa/$USER2/g;s/users/$GROUP1/g;s/toolies/$GROUP2/g" $SAVE_PWD/acl_perm.test | runacltest || error "$? acl_perm tests failed" - - #sed -e "s/joe/$USER1/g;s/lisa/$USER2/g;s/users/$GROUP1/g;s/toolies/$GROUP2/g" $SAVE_PWD/acl_misc.test | runacltest || error "$? acl_misc tests failed" - - sed -e "s/joe/$USER1/g;s/lisa/$USER2/g;s/users/$GROUP1/g;s/toolies/$GROUP2/g" $SAVE_PWD/acl_fileutil.test | runacltest || error "$? acl_fileutil tests failed" + run_acl_subtest cp + run_acl_subtest getfacl-noacl + run_acl_subtest misc + run_acl_subtest permissions + run_acl_subtest setfacl + cd $SAVED_PWD umask $SAVE_UMASK } run_test 3 "==============acl test =============" -- 1.8.3.1
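Review bot: The new `run_acl_subtest permissions` and `run_acl_subtest setfacl` calls depend on host accounts the script never verifies: permissions.test states it must run as root with user `daemon` a member of group `bin`, and cp/misc/setfacl hard-code users `bin` and `daemon`, none of which the joe/lisa/users/toolies sed mapping parameterises, so on a host where daemon is not in group bin the suite fails mid-way with `Permission denied` mismatches instead of a clear message. Add a prerequisite check before the first subtest, e.g. `[ "$(id -u)" = 0 ] || error "test 3 must run as root"` and `id -Gn daemon | grep -qw bin || error "user daemon must be in group bin"`. Not introduced here but worth confirming while touching this function: `run_acl_subtest` reads `$SAVE_PWD` whereas the trailing `cd $SAVED_PWD` context line uses a different name, and `cd $DIR` is unchecked, so a failed cd would run the ACL tests against the local filesystem rather than Lustre (`cd $DIR || error "cd $DIR failed"`).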