This script tests if file permissions are properly checked with and
without ACLs. The script must be run as root to allow switching users.
The following users are required. They must be a member in the groups

Cry immediately if we are not running as root.

First, set up a temporary directory and create a regular file with

$ ls -l f | awk -- '{ print $1, $3, $4 }'
> -rw-r----- root root

Make sure root has access to the file. Verify that user daemon does not
have access to the file owned by root.

> f: Permission denied

Now, change the ownership of the file to bin:bin and verify that this
gives user bin write access.

$ ls -l f | awk -- '{ print $1, $3, $4 }'

User daemon is a member in the owning group, which has only read access.

> f: Permission denied

Now, add an ACL entry for user daemon that grants him rw- access. File
owners and users capable of CAP_FOWNER are allowed to change ACLs.

$ setfacl -m u:daemon:rw f
$ getfacl --omit-header f

Verify that the additional ACL entry grants user daemon write access.

Remove write access from the group class permission bits, and
verify that this masks daemon's write permission.

$ getfacl --omit-header f
> user:daemon:rw- #effective:r--

> f: Permission denied

Add an entry for group daemon with rw- access, and change the
permissions for user daemon to r--. Also change the others permissions to
rw-. The user entry should take precedence, so daemon should be denied

$ setfacl -m u:daemon:r,g:daemon:rw-,o::rw- f

> f: Permission denied

Remove the entry for user daemon. The group daemon permissions should
now give user daemon rw- access.

$ setfacl -x u:daemon f

Set the group daemon permissions to r-- and verify that after that, user
daemon does not have write access anymore.

$ setfacl -m g:daemon:r f

> f: Permission denied

Now, remove the group daemon entry. Because user daemon is a member in
the owning group, he should still have no write access.

$ setfacl -x g:daemon f

> f: Permission denied

Change the owning group. The other permissions should now grant user

Verify that permissions in separate matching ACL entries do not

$ setfacl -m g:bin:r,g:daemon:w f

$ : < f # open for reading
$ : > f # open for writing
$ : <> f # open for read-write
> f: Permission denied
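
The regular-file tests above (mask limiting a named user, a user entry taking precedence over group entries, separate group entries not adding up) all follow from one access check algorithm. The Python model below is an added example, not part of this test script or the acl package; the function names and the constructed ACL texts are assumptions chosen to mirror the setfacl steps shown.

```python
# Added example: a model of the ACL access check, not kernel or acl-package code.
BITS = {"r": 4, "w": 2, "x": 1}

def parse_acl(text):
    """Parse `getfacl --omit-header` style lines into (tag, qualifier, bits)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop "#effective:" notes
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, sum(BITS.get(c, 0) for c in perms)))
    return entries

def access_ok(entries, owner, owning_group, user, groups, want):
    """True if `user` (member of `groups`) is granted every letter in `want`.
    Privileged bypass (root, capabilities) is deliberately not modelled."""
    need = sum(BITS[c] for c in want)
    def get(tag, qualifier=""):
        return [b for t, q, b in entries if t == tag and q == qualifier]
    mask = (get("mask") or [7])[0]                # no mask entry: nothing masked
    if user == owner:                             # 1. owner: user:: entry, unmasked
        return (get("user")[0] & need) == need
    if get("user", user):                         # 2. named user entry, masked
        return (get("user", user)[0] & mask & need) == need
    # 3. group class: owning group entry plus named groups the user belongs to
    matching = get("group") if owning_group in groups else []
    matching += [b for t, q, b in entries if t == "group" and q in groups]
    if matching:
        # A single matching entry must grant everything; entries never add up.
        return any((b & mask & need) == need for b in matching)
    return (get("other")[0] & need) == need       # 4. everyone else

# Constructed ACLs mirroring the setfacl steps above (file assumed owned by bin:bin).
MASKED = "user::rw-\nuser:daemon:rw-  #effective:r--\ngroup::r--\nmask::r--\nother::---"
USER_FIRST = "user::rw-\nuser:daemon:r--\ngroup::r--\ngroup:daemon:rw-\nmask::rw-\nother::rw-"
SPLIT = "user::rw-\ngroup::---\ngroup:bin:r--\ngroup:daemon:-w-\nmask::rw-\nother::---"

def check(acl_text, want):
    """Access decision for user daemon, a member of groups bin and daemon."""
    return access_ok(parse_acl(acl_text), "bin", "bin", "daemon", {"bin", "daemon"}, want)

if __name__ == "__main__":
    for name, acl in (("MASKED", MASKED), ("USER_FIRST", USER_FIRST), ("SPLIT", SPLIT)):
        print(name, {w: check(acl, w) for w in ("r", "w", "rw")})
```

In the SPLIT case, read and write each succeed on their own while the combined read-write request is denied, matching the three open attempts above.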

Test if directories can have ACLs. We assume that only one access check
algorithm is used for all file types in the file system, so these tests
only need to verify that ACL permissions make a difference.

$ shopt -s nullglob ; echo e/*

> e/i: Permission denied

$ setfacl -m u:bin:rx e

> e/i: Permission denied

$ setfacl -m u:bin:rwx e

Test if symlinks are properly followed.

$ setfacl -m u:bin:rw l
$ ls -l g | awk -- '{ print $1, $3, $4 }'
> -rw-rw----+ root root

Test if ACLs are effective for block and character special files, fifos,
sockets. This is done by creating special files locally. The devices do
not need to exist: The access check is earlier in the code path than the
test if the device exists.

$ mknod -m 0660 hdt b 91 64 # /dev/hdt
$ mknod -m 0660 null c 1 3 # /dev/null
$ mkfifo -m 0660 fifo

> hdt: Permission denied

> null: Permission denied

> fifo: Permission denied

$ setfacl -m u:bin:rw hdt null fifo

> hdt: No such device or address

$ ( echo blah > fifo & ) ; cat fifo

Test if CAP_FOWNER is properly honored for directories. This addresses a
specific bug in XFS 1.2, which does not grant root access to files in
directories if the file has an ACL and only CAP_FOWNER would grant them.

$ chown daemon:daemon x

$ ls -l x/j | awk -- '{ print $1, $3, $4 }'
> -rw-r----- root root

$ setfacl -m u:daemon:r x

$ ls -l x/j | awk -- '{ print $1, $3, $4 }'
> -rw-r----- root root
(With the bug this gives: `ls: x/j: Permission denied'.)

(With the bug this gives: `x/k: Permission denied'.)