--- /dev/null
+copied from acl-2.2.23/test/
--- /dev/null
+The cp utility should only copy ACLs if `-p' is given.
+
+ $ umask 022
+ $ mkdir d
+ $ cd d
+ $ touch f
+ $ setfacl -m u:bin:rw f
+ $ ls -l f | awk -- '{ print $1 }'
+ > -rw-rw-r--+
+
+ $ cp f g
+ $ ls -l g | awk -- '{ print $1 }'
+ > -rw-r--r--
+
+ $ rm g
+ $ cp -p f g
+ $ ls -l f | awk -- '{ print $1 }'
+ > -rw-rw-r--+
+
+ $ mkdir h
+ $ echo blubb > h/x
+ $ cp -rp h i
+ $ cat i/x
+ > blubb
+
+ $ rm -r i
+ $ setfacl -R -m u:bin:rwX h
+ $ getfacl --omit-header h/x
+ > user::rw-
+ > user:bin:rwx
+ > group::r--
+ > mask::rwx
+ > other::r--
+ >
+
+ $ cp -rp h i
+ $ getfacl --omit-header i/x
+ > user::rw-
+ > user:bin:rwx
+ > group::r--
+ > mask::rwx
+ > other::r--
+ >
+
+ $ cd ..
+ $ rm -r d
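Review bot: The check right after `cp -p f g` lists the source file again (`ls -l f | awk -- '{ print $1 }'`), so the test never looks at the copy and would pass even if `-p` dropped the ACL — the single behaviour this file exists to verify. It should read `$ ls -l g | awk -- '{ print $1 }'` with the same expected `-rw-rw-r--+`. The recursive case later in the file does inspect the copy (`getfacl --omit-header i/x`), so only the single-file case is affected.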
--- /dev/null
+Getfacl utility option parsing tests. This test can be run on a
+filesystem with or without ACL support.
+
+ $ mkdir test
+ $ cd test
+ $ umask 027
+ $ touch x
+ $ getfacl --omit-header x
+ > user::rw-
+ > group::r--
+ > other::---
+ >
+
+ $ getfacl --omit-header --access x
+ > user::rw-
+ > group::r--
+ > other::---
+ >
+
+ $ getfacl --omit-header -d x
+ $ getfacl --omit-header -d .
+ $ getfacl --omit-header -d /
+ > getfacl: Removing leading '/' from absolute path names
+
+ $ getfacl --skip-base x
+ $ getfacl --omit-header --all-effective x
+ > user::rw-
+ > group::r--
+ > other::---
+ >
+
+ $ getfacl --omit-header --no-effective x
+ > user::rw-
+ > group::r--
+ > other::---
+ >
+
+ $ mkdir d
+ $ touch d/y
+ $ ln -s d l
+ $ getfacl -dR . | grep file | sort
+ > # file: .
+ > # file: d
+ > # file: d/y
+ > # file: x
+
+ $ ln -s l ll
+ $ getfacl -dLR ll | grep file | sort
+ > # file: ll
+ > # file: ll/y
+
+ $ rm l ll x
+ $ rm -rf d
+ $ cd ..
+ $ rmdir test
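Review bot: The two `getfacl -dR ... | grep file | sort` checks compare against a fixed line order, but `sort` collates according to the caller's locale, so the expected block can differ between environments; pin it with `getfacl -dR . | grep file | LC_ALL=C sort` (and likewise for the `ll` case). `grep file` is also a loose filter that would match any path containing "file"; the intended pattern is the header line, `grep '^# file:'`. The names used here are fixed, so this is a reproducibility point rather than a current failure.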
--- /dev/null
+Pretty comprehensive ACL tests.
+
+This must be run on a filesystem with ACL support. Also, you will need
+two dummy users (bin and daemon) and a dummy group (daemon).
+
+ $ umask 027
+ $ touch f
+
+Only change a base ACL:
+ $ setfacl -m u::r f
+ $ setfacl -m u::rw,u:bin:rw f
+ $ ls -dl f | awk '{print $1}'
+ > -rw-rw----+
+
+ $ getfacl --omit-header f
+ > user::rw-
+ > user:bin:rw-
+ > group::r--
+ > mask::rw-
+ > other::---
+ >
+
+ $ rm f
+ $ umask 022
+ $ touch f
+ $ setfacl -m u:bin:rw f
+ $ ls -dl f | awk '{print $1}'
+ > -rw-rw-r--+
+
+ $ getfacl --omit-header f
+ > user::rw-
+ > user:bin:rw-
+ > group::r--
+ > mask::rw-
+ > other::r--
+ >
+
+ $rm f
+ $ umask 027
+ $ mkdir d
+ $ setfacl -m u:bin:rwx d
+ $ ls -dl d | awk '{print $1}'
+ > drwxrwx---+
+
+ $ getfacl --omit-header d
+ > user::rwx
+ > user:bin:rwx
+ > group::r-x
+ > mask::rwx
+ > other::---
+ >
+
+ $ rmdir d
+ $ umask 022
+ $ mkdir d
+ $ setfacl -m u:bin:rwx d
+ $ ls -dl d | awk '{print $1}'
+ > drwxrwxr-x+
+
+ $ getfacl --omit-header d
+ > user::rwx
+ > user:bin:rwx
+ > group::r-x
+ > mask::rwx
+ > other::r-x
+ >
+
+ $ rmdir d
+
+
+Multiple users
+
+ $ umask 022
+ $ touch f
+ $ setfacl -m u:bin:rw,u:daemon:r f
+ $ ls -dl f | awk '{print $1}'
+ > -rw-rw-r--+
+
+ $ getfacl --omit-header f
+ > user::rw-
+ > user:bin:rw-
+ > user:daemon:r--
+ > group::r--
+ > mask::rw-
+ > other::r--
+ >
+
+Multiple groups
+
+ $ setfacl -m g:users:rw,g:daemon:r f
+ $ ls -dl f | awk '{print $1}'
+ > -rw-rw-r--+
+
+ $ getfacl --omit-header f
+ > user::rw-
+ > user:bin:rw-
+ > user:daemon:r--
+ > group::r--
+ > group:daemon:r--
+ > group:users:rw-
+ > mask::rw-
+ > other::r--
+ >
+
+Remove one group
+
+ $ setfacl -x g:users f
+ $ ls -dl f | awk '{print $1}'
+ > -rw-rw-r--+
+
+ $ getfacl --omit-header f
+ > user::rw-
+ > user:bin:rw-
+ > user:daemon:r--
+ > group::r--
+ > group:daemon:r--
+ > mask::rw-
+ > other::r--
+ >
+
+Remove one user
+
+ $ setfacl -x u:daemon f
+ $ ls -dl f | awk '{print $1}'
+ > -rw-rw-r--+
+
+ $ getfacl --omit-header f
+ > user::rw-
+ > user:bin:rw-
+ > group::r--
+ > group:daemon:r--
+ > mask::rw-
+ > other::r--
+ >
+
+ $ rm f
+
+Default ACL
+
+ $ umask 027
+ $ mkdir d
+ $ setfacl -m u:bin:rwx,u:daemon:rw,d:u:bin:rwx,d:m:rx d
+ $ ls -dl d | awk '{print $1}'
+ > drwxrwx---+
+
+ $ getfacl --omit-header d
+ > user::rwx
+ > user:bin:rwx
+ > user:daemon:rw-
+ > group::r-x
+ > mask::rwx
+ > other::---
+ > default:user::rwx
+ > default:user:bin:rwx #effective:r-x
+ > default:group::r-x
+ > default:mask::r-x
+ > default:other::---
+ >
+
+Umask now ignored?
+
+ $ umask 027
+ $ touch d/f
+ $ ls -dl d/f | awk '{print $1}'
+ > -rw-r-----+
+
+ $ getfacl --omit-header d/f
+ > user::rw-
+ > user:bin:rwx #effective:r--
+ > group::r-x #effective:r--
+ > mask::r--
+ > other::---
+ >
+
+ $ rm d/f
+ $ umask 022
+ $ touch d/f
+ $ ls -dl d/f | awk '{print $1}'
+ > -rw-r-----+
+
+ $ getfacl --omit-header d/f
+ > user::rw-
+ > user:bin:rwx #effective:r--
+ > group::r-x #effective:r--
+ > mask::r--
+ > other::---
+ >
+
+ $ rm d/f
+
+Default ACL copying
+
+ $ umask 000
+ $ mkdir d/d
+ $ ls -dl d/d | awk '{print $1}'
+ > drwxr-x---+
+
+ $ getfacl --omit-header d/d
+ > user::rwx
+ > user:bin:rwx #effective:r-x
+ > group::r-x
+ > mask::r-x
+ > other::---
+ > default:user::rwx
+ > default:user:bin:rwx #effective:r-x
+ > default:group::r-x
+ > default:mask::r-x
+ > default:other::---
+ >
+
+ $ rmdir d/d
+ $ umask 022
+ $ mkdir d/d
+ $ ls -dl d/d | awk '{print $1}'
+ > drwxr-x---+
+
+ $ getfacl --omit-header d/d
+ > user::rwx
+ > user:bin:rwx #effective:r-x
+ > group::r-x
+ > mask::r-x
+ > other::---
+ > default:user::rwx
+ > default:user:bin:rwx #effective:r-x
+ > default:group::r-x
+ > default:mask::r-x
+ > default:other::---
+ >
+
+Add some users and groups
+
+ $ setfacl -nm u:daemon:rx,d:u:daemon:rx,g:users:rx,g:daemon:rwx d/d
+ $ ls -dl d/d | awk '{print $1}'
+ > drwxr-x---+
+
+ $ getfacl --omit-header d/d
+ > user::rwx
+ > user:bin:rwx #effective:r-x
+ > user:daemon:r-x
+ > group::r-x
+ > group:daemon:rwx #effective:r-x
+ > group:users:r-x
+ > mask::r-x
+ > other::---
+ > default:user::rwx
+ > default:user:bin:rwx #effective:r-x
+ > default:user:daemon:r-x
+ > default:group::r-x
+ > default:mask::r-x
+ > default:other::---
+ >
+
+Symlink in directory with default ACL?
+
+ $ ln -s d d/l
+ $ ls -dl d/l | awk '{print $1}'
+ > lrwxrwxrwx
+
+ $ ls -dl -L d/l | awk '{print $1}'
+ > drwxr-x---+
+
+ $ getfacl --omit-header d/l
+ > user::rwx
+ > user:bin:rwx #effective:r-x
+ > user:daemon:r-x
+ > group::r-x
+ > group:daemon:rwx #effective:r-x
+ > group:users:r-x
+ > mask::r-x
+ > other::---
+ > default:user::rwx
+ > default:user:bin:rwx #effective:r-x
+ > default:user:daemon:r-x
+ > default:group::r-x
+ > default:mask::r-x
+ > default:other::---
+ >
+
+ $ rm d/l
+
+Does mask manipulation work?
+
+ $ setfacl -m g:daemon:rx,u:bin:rx d/d
+ $ ls -dl d/d | awk '{print $1}'
+ > drwxr-x---+
+
+ $ getfacl --omit-header d/d
+ > user::rwx
+ > user:bin:r-x
+ > user:daemon:r-x
+ > group::r-x
+ > group:daemon:r-x
+ > group:users:r-x
+ > mask::r-x
+ > other::---
+ > default:user::rwx
+ > default:user:bin:rwx #effective:r-x
+ > default:user:daemon:r-x
+ > default:group::r-x
+ > default:mask::r-x
+ > default:other::---
+ >
+
+ $ setfacl -m d:u:bin:rwx d/d
+ $ ls -dl d/d | awk '{print $1}'
+ > drwxr-x---+
+
+ $ getfacl --omit-header d/d
+ > user::rwx
+ > user:bin:r-x
+ > user:daemon:r-x
+ > group::r-x
+ > group:daemon:r-x
+ > group:users:r-x
+ > mask::r-x
+ > other::---
+ > default:user::rwx
+ > default:user:bin:rwx
+ > default:user:daemon:r-x
+ > default:group::r-x
+ > default:mask::rwx
+ > default:other::---
+ >
+
+ $ rmdir d/d
+
+Remove the default ACL
+
+ $ setfacl -k d
+ $ ls -dl d | awk '{print $1}'
+ > drwxrwx---+
+
+ $ getfacl --omit-header d
+ > user::rwx
+ > user:bin:rwx
+ > user:daemon:rw-
+ > group::r-x
+ > mask::rwx
+ > other::---
+ >
+
+Reset to base entries
+
+ $ setfacl -b d
+ $ ls -dl d | awk '{print $1}'
+ > drwxr-x---
+
+ $ getfacl --omit-header d
+ > user::rwx
+ > group::r-x
+ > other::---
+ >
+
+Now, chmod should change the group_obj entry
+
+ $ chmod 775 d
+ $ ls -dl d | awk '{print $1}'
+ > drwxrwxr-x
+
+ $ getfacl --omit-header d
+ > user::rwx
+ > group::rwx
+ > other::r-x
+ >
+
+ $ rmdir d
+ $ umask 002
+ $ mkdir d
+ $ setfacl -m u:daemon:rwx,u:bin:rx,d:u:daemon:rwx,d:u:bin:rx d
+ $ ls -dl d | awk '{print $1}'
+ > drwxrwxr-x+
+
+ $ getfacl --omit-header d
+ > user::rwx
+ > user:bin:r-x
+ > user:daemon:rwx
+ > group::rwx
+ > mask::rwx
+ > other::r-x
+ > default:user::rwx
+ > default:user:bin:r-x
+ > default:user:daemon:rwx
+ > default:group::rwx
+ > default:mask::rwx
+ > default:other::r-x
+ >
+
+ $ chmod 750 d
+ $ ls -dl d | awk '{print $1}'
+ > drwxr-x---+
+
+ $ getfacl --omit-header d
+ > user::rwx
+ > user:bin:r-x
+ > user:daemon:rwx #effective:r-x
+ > group::rwx #effective:r-x
+ > mask::r-x
+ > other::---
+ > default:user::rwx
+ > default:user:bin:r-x
+ > default:user:daemon:rwx
+ > default:group::rwx
+ > default:mask::rwx
+ > default:other::r-x
+ >
+
+ $ chmod 750 d
+ $ ls -dl d | awk '{print $1}'
+ > drwxr-x---+
+
+ $ getfacl --omit-header d
+ > user::rwx
+ > user:bin:r-x
+ > user:daemon:rwx #effective:r-x
+ > group::rwx #effective:r-x
+ > mask::r-x
+ > other::---
+ > default:user::rwx
+ > default:user:bin:r-x
+ > default:user:daemon:rwx
+ > default:group::rwx
+ > default:mask::rwx
+ > default:other::r-x
+ >
+
+ $ rmdir d
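Review bot: The header says the test needs users bin and daemon and a dummy group daemon, but `setfacl -m g:users:rw,g:daemon:r f` and the later `-nm u:daemon:rx,d:u:daemon:rx,g:users:rx,g:daemon:rwx d/d` also require a group `users`, so the prerequisite sentence should read `two dummy users (bin and daemon) and two dummy groups (daemon and users)`. The `$rm f` line in the first section lacks the space after `$`; the harness's `^\s*\$ ?` pattern accepts it, but it should be written `$ rm f` like every other command. The second, identical `chmod 750 d` block at the end reads as an accidental paste — if it is meant to check that a repeated chmod with the same mode leaves the mask untouched, add a heading line saying so, otherwise drop it.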
--- /dev/null
+This script tests if file permissions are properly checked with and
+without ACLs. The script must be run as root to allow switching users.
+The following users are required. They must be a member in the groups
+listed in parentheses.
+
+ bin (bin)
+ daemon (bin, daemon)
+
+
+Cry immediately if we are not running as root.
+
+ $ id -u
+ > 0
+
+
+First, set up a temporary directory and create a regular file with
+defined permissions.
+
+ $ mkdir d
+ $ cd d
+ $ umask 027
+ $ touch f
+ $ ls -l f | awk -- '{ print $1, $3, $4 }'
+ > -rw-r----- root root
+
+
+Make sure root has access to the file. Verify that user daemon does not
+have access to the file owned by root.
+
+ $ echo root > f
+
+ $ su daemon
+ $ echo daemon >> f
+ > f: Permission denied
+
+ $ su
+
+
+Now, change the ownership of the file to bin:bin and verify that this
+gives user bin write access.
+
+ $ chown bin:bin f
+ $ ls -l f | awk -- '{ print $1, $3, $4 }'
+ > -rw-r----- bin bin
+ $ su bin
+ $ echo bin >> f
+
+
+User daemon is a member in the owning group, which has only read access.
+Verify this.
+
+ $ su daemon
+ $ cat f
+ > root
+ > bin
+
+ $ echo daemon >> f
+ > f: Permission denied
+
+
+Now, add an ACL entry for user daemon that grants him rw- access. File
+owners and users capable of CAP_FOWNER are allowed to change ACLs.
+
+ $ su bin
+ $ setfacl -m u:daemon:rw f
+ $ getfacl --omit-header f
+ > user::rw-
+ > user:daemon:rw-
+ > group::r--
+ > mask::rw-
+ > other::---
+ >
+
+
+Verify that the additional ACL entry grants user daemon write access.
+
+ $ su daemon
+ $ echo daemon >> f
+ $ cat f
+ > root
+ > bin
+ > daemon
+
+
+Remove write access from the group class permission bits, and
+verify that this masks daemon's write permission.
+
+ $ su bin
+ $ chmod g-w f
+ $ getfacl --omit-header f
+ > user::rw-
+ > user:daemon:rw- #effective:r--
+ > group::r--
+ > mask::r--
+ > other::---
+ >
+
+ $ su daemon
+ $ echo daemon >> f
+ > f: Permission denied
+
+
+Add an entry for group daemon with rw- access, and change the
+permissions for user daemon to r--. Also change the others permissions t
+rw-. The user entry should take precedence, so daemon should be denied
+access.
+
+ $ su bin
+ $ setfacl -m u:daemon:r,g:daemon:rw-,o::rw- f
+
+ $ su daemon
+ $ echo daemon >> f
+ > f: Permission denied
+
+
+Remove the entry for user daemon. The group daemon permissions should
+now give user daemon rw- access.
+
+ $ su bin
+ $ setfacl -x u:daemon f
+
+ $ su daemon
+ $ echo daemon2 >> f
+ $ cat f
+ > root
+ > bin
+ > daemon
+ > daemon2
+
+
+Set the group daemon permissions to r-- and verify that after than, user
+daemon does not have write access anymore.
+
+ $ su bin
+ $ setfacl -m g:daemon:r f
+
+ $ su daemon
+ $ echo daemon3 >> f
+ > f: Permission denied
+
+
+Now, remove the group daemon entry. Because user daemon is a member in
+the owning group, he should still have no write access.
+
+ $ su bin
+ $ setfacl -x g:daemon f
+
+ $ su daemon
+ $ echo daemon4 >> f
+ > f: Permission denied
+
+
+Change the owning group. The other permissions should now grant user
+daemon write access.
+
+ $ su
+ $ chgrp root f
+
+ $ su daemon
+ $ echo daemon5 >> f
+ $ cat f
+ > root
+ > bin
+ > daemon
+ > daemon2
+ > daemon5
+
+
+Verify that permissions in separate matching ACL entries do not
+accumulate.
+
+ $ su
+ $ setfacl -m g:bin:r,g:daemon:w f
+
+ $ su daemon
+ $ : < f # open for reading
+ $ : > f # open for writing
+ $ : <> f # open for read-write
+ > f: Permission denied
+
+
+Test if directories can have ACLs. We assume that only one access check
+algorithm is used for all file types the file system, so these tests
+only need to verify that ACL permissions make a difference.
+
+ $ su
+ $ mkdir -m 750 e
+ $ touch e/h
+
+ $ su bin
+ $ shopt -s nullglob ; echo e/*
+ >
+
+ $ echo i > e/i
+ > e/i: Permission denied
+
+ $ su
+ $ setfacl -m u:bin:rx e
+
+ $ su bin
+ $ echo e/*
+ > e/h
+ $ echo i > e/i
+ > e/i: Permission denied
+
+ $ su
+ $ setfacl -m u:bin:rwx e
+
+ $ su bin
+ $ echo i > e/i
+
+
+Test if symlinks are properly followed.
+
+ $ su
+ $ touch g
+ $ ln -s g l
+ $ setfacl -m u:bin:rw l
+ $ ls -l g | awk -- '{ print $1, $3, $4 }'
+ > -rw-rw----+ root root
+
+
+Test if ACLs are effective for block and character special files, fifos,
+sockets. This is done by creating special files locally. The devices do
+not need to exist: The access check is earlier in the code path than the
+test if the device exists.
+
+
+ $ mknod -m 0660 hdt b 91 64 # /dev/hdt
+ $ mknod -m 0660 null c 1 3 # /dev/null
+ $ mkfifo -m 0660 fifo
+
+ $ su bin
+ $ : < hdt
+ > hdt: Permission denied
+ $ : < null
+ > null: Permission denied
+ $ : < fifo
+ > fifo: Permission denied
+
+ $ su
+ $ setfacl -m u:bin:rw hdt null fifo
+
+ $ su bin
+ $ : < hdt
+ > hdt: No such device or address
+ $ : < null
+ $ ( echo blah > fifo & ) ; cat fifo
+ > blah
+
+
+Test if CAP_FOWNER is properly honored for directories. This addresses a
+specific bug in XFS 1.2, which does not grant root access to files in
+directories if the file has an ACL and only CAP_FOWNER would grant them.
+
+ $ su
+ $ mkdir -m 600 x
+ $ chown daemon:daemon x
+ $ echo j > x/j
+ $ ls -l x/j | awk -- '{ print $1, $3, $4 }'
+ > -rw-r----- root root
+
+ $ setfacl -m u:daemon:r x
+
+ $ ls -l x/j | awk -- '{ print $1, $3, $4 }'
+ > -rw-r----- root root
+ (With the bug this gives: `ls: x/j: Permission denied'.)
+
+ $ echo k > x/k
+ (With the bug this gives: `x/k: Permission denied'.)
+
+ $ chmod 750 x
+
+
+Clean up.
+
+ $ su
+ $ cd ..
+ $ rm -rf d
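Review bot: The header does not mention that `su`, `sg`, `cd` and `umask` are interpreted by the `run` harness itself (they change the harness process's uid/gid/cwd rather than spawning a shell), which a reader needs to know to follow the `$ su daemon` / `$ su` sequences; add a sentence such as `Note: su, sg, cd and umask are handled by the run script, not executed as commands.` Two wording slips in the narrative: `change the others permissions t rw-` should read `to rw-`, and `after than, user daemon` should read `after that, user daemon`. The `mknod ... b 91 64` check expects `No such device or address`, which is what open() reports when no driver claims that major; a short comment that the test relies on no hdt driver being loaded would spare the next reader a puzzle.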
--- /dev/null
+#!/usr/bin/perl -w -U
+
+#
+# Possible improvements:
+#
+# - distinguish stdout and stderr output
+# - add environment variable like assignments
+# - run up to a specific line
+# - resume at a specific line
+#
+
+use strict;
+use FileHandle;
+use Getopt::Std;
+use POSIX qw(isatty setuid);
+use vars qw($opt_v);
+
+no warnings qw(taint);
+
+getopts('v');
+
+my ($OK, $FAILED) = ("ok", "failed");
+if (isatty(fileno(STDOUT))) {
+ $OK = "\033[32m" . $OK . "\033[m";
+ $FAILED = "\033[31m\033[1m" . $FAILED . "\033[m";
+}
+
+sub exec_test($$);
+
+my ($prog, $in, $out) = ([], [], []);
+my $line_number = 0;
+my $prog_line;
+my ($tests, $failed) = (0,0);
+
+for (;;) {
+ my $line = <>; $line_number++;
+ if (defined $line) {
+ # Substitute %VAR and %{VAR} with environment variables.
+ $line =~ s[%(?:(\w+)|\{(\w+)\})][$ENV{"$1$2"}]eg;
+ }
+ if (defined $line) {
+ if ($line =~ s/^\s*< ?//) {
+ push @$in, $line;
+ } elsif ($line =~ s/^\s*> ?//) {
+ push @$out, $line;
+ } else {
+ process_test($prog, $prog_line, $in, $out);
+
+ $prog = [];
+ $prog_line = 0;
+ }
+ if ($line =~ s/^\s*\$ ?//) {
+ $line =~ s/\s+#.*//; # remove comments here...
+ $prog = [ map { s/\\(.)/$1/g; $_ } split /(?<!\\)\s+/, $line ];
+ $prog_line = $line_number;
+ $in = [];
+ $out = [];
+ }
+ } else {
+ process_test($prog, $prog_line, $in, $out);
+ last;
+ }
+}
+
+my $status = sprintf("%d commands (%d passed, %d failed)",
+ $tests, $tests-$failed, $failed);
+if (isatty(fileno(STDOUT))) {
+ if ($failed) {
+ $status = "\033[31m\033[1m" . $status . "\033[m";
+ } else {
+ $status = "\033[32m" . $status . "\033[m";
+ }
+}
+print $status, "\n";
+exit $failed ? 1 : 0;
+
+
+sub process_test($$$$) {
+ my ($prog, $prog_line, $in, $out) = @_;
+
+ return unless @$prog;
+
+ my $p = [ @$prog ];
+ print "[$prog_line] \$ ", join(' ',
+ map { s/\s/\\$&/g; $_ } @$p), " -- ";
+ my $result = exec_test($prog, $in);
+ my $good = 1;
+ my $nmax = (@$out > @$result) ? @$out : @$result;
+ for (my $n=0; $n < $nmax; $n++) {
+ if (!defined($out->[$n]) || !defined($result->[$n]) ||
+ $out->[$n] ne $result->[$n]) {
+ $good = 0;
+ }
+ }
+ $tests++;
+ $failed++ unless $good;
+ print $good ? $OK : $FAILED, "\n";
+ if (!$good) {
+ for (my $n=0; $n < $nmax; $n++) {
+ my $l = defined($out->[$n]) ? $out->[$n] : "~";
+ chomp $l;
+ my $r = defined($result->[$n]) ? $result->[$n] : "~";
+ chomp $r;
+ print sprintf("%-37s %s %-39s\n", $l, $l eq $r ? "|" : "?", $r);
+ }
+ } elsif ($opt_v) {
+ print join('', @$result);
+ }
+}
+
+
+sub su($) {
+ my ($user) = @_;
+
+ $user ||= "root";
+
+ my ($login, $pass, $uid, $gid) = getpwnam($user)
+ or return [ "su: user $user does not exist\n" ];
+ my @groups = ();
+ my $fh = new FileHandle("/etc/group")
+ or return [ "opening /etc/group: $!\n" ];
+ while (<$fh>) {
+ chomp;
+ my ($group, $passwd, $gid, $users) = split /:/;
+ foreach my $u (split /,/, $users) {
+ push @groups, $gid
+ if ($user eq $u);
+ }
+ }
+ $fh->close;
+
+ my $groups = join(" ", ($gid, $gid, @groups));
+ #print STDERR "[[$groups]]\n";
+ $! = 0; # reset errno
+ $> = 0;
+ $( = $gid;
+ $) = $groups;
+ if ($!) {
+ return [ "su: $!\n" ];
+ }
+ if ($uid != 0) {
+ $> = $uid;
+ #$< = $uid;
+ if ($!) {
+ return [ "su: $prog->[1]: $!\n" ];
+ }
+ }
+ #print STDERR "[($>,$<)($(,$))]";
+ return [];
+}
+
+
+sub sg($) {
+ my ($group) = @_;
+
+ my $gid = getgrnam($group)
+ or return [ "sg: group $group does not exist\n" ];
+ my %groups = map { $_ eq $gid ? () : ($_ => 1) } (split /\s/, $));
+
+ #print STDERR "<<", join("/", keys %groups), ">>\n";
+ my $groups = join(" ", ($gid, $gid, keys %groups));
+ #print STDERR "[[$groups]]\n";
+ $! = 0; # reset errno
+ if ($> != 0) {
+ my $uid = $>;
+ $> = 0;
+ $( = $gid;
+ $) = $groups;
+ $> = $uid;
+ } else {
+ $( = $gid;
+ $) = $groups;
+ }
+ if ($!) {
+ return [ "sg: $!\n" ];
+ }
+ print STDERR "[($>,$<)($(,$))]";
+ return [];
+}
+
+
+sub exec_test($$) {
+ my ($prog, $in) = @_;
+ local (*IN, *IN_DUP, *IN2, *OUT_DUP, *OUT, *OUT2);
+ my $needs_shell = (join('', @$prog) =~ /[][|<>"'`\$\*\?]/);
+
+ if ($prog->[0] eq "umask") {
+ umask oct $prog->[1];
+ return [];
+ } elsif ($prog->[0] eq "cd") {
+ if (!chdir $prog->[1]) {
+ return [ "chdir: $prog->[1]: $!\n" ];
+ }
+ return [];
+ } elsif ($prog->[0] eq "su") {
+ return su($prog->[1]);
+ } elsif ($prog->[0] eq "sg") {
+ return sg($prog->[1]);
+ }
+
+ pipe *IN2, *OUT
+ or die "Can't create pipe for reading: $!";
+ open *IN_DUP, "<&STDIN"
+ or *IN_DUP = undef;
+ open *STDIN, "<&IN2"
+ or die "Can't duplicate pipe for reading: $!";
+ close *IN2;
+
+ open *OUT_DUP, ">&STDOUT"
+ or die "Can't duplicate STDOUT: $!";
+ pipe *IN, *OUT2
+ or die "Can't create pipe for writing: $!";
+ open *STDOUT, ">&OUT2"
+ or die "Can't duplicate pipe for writing: $!";
+ close *OUT2;
+
+ *STDOUT->autoflush();
+ *OUT->autoflush();
+
+ if (fork()) {
+ # Server
+ if (*IN_DUP) {
+ open *STDIN, "<&IN_DUP"
+ or die "Can't duplicate STDIN: $!";
+ close *IN_DUP
+ or die "Can't close STDIN duplicate: $!";
+ }
+ open *STDOUT, ">&OUT_DUP"
+ or die "Can't duplicate STDOUT: $!";
+ close *OUT_DUP
+ or die "Can't close STDOUT duplicate: $!";
+
+ foreach my $line (@$in) {
+ #print "> $line";
+ print OUT $line;
+ }
+ close *OUT
+ or die "Can't close pipe for writing: $!";
+
+ my $result = [];
+ while (<IN>) {
+ #print "< $_";
+ if ($needs_shell) {
+ s#^/bin/sh: line \d+: ##;
+ }
+ push @$result, $_;
+ }
+ return $result;
+ } else {
+ # Client
+ $< = $>;
+ close IN
+ or die "Can't close read end for input pipe: $!";
+ close OUT
+ or die "Can't close write end for output pipe: $!";
+ close OUT_DUP
+ or die "Can't close STDOUT duplicate: $!";
+ local *ERR_DUP;
+ open ERR_DUP, ">&STDERR"
+ or die "Can't duplicate STDERR: $!";
+ open STDERR, ">&STDOUT"
+ or die "Can't join STDOUT and STDERR: $!";
+
+ if ($needs_shell) {
+ exec ('/bin/sh', '-c', join(" ", @$prog));
+ } else {
+ exec @$prog;
+ }
+ print STDERR $prog->[0], ": $!\n";
+ exit;
+ }
+}
+
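Review bot: `sg` ends with an unconditional `print STDERR "[($>,$<)($(,$))]";` while the matching line in `su` is commented out, so every `$ sg` line in a test file dumps harness uid/gid state onto the terminal; comment it out to match `su`, or guard it with `if $opt_v`. `process_test` is declared with a `($$$$)` prototype but called from the main loop before its definition, and unlike `exec_test` it has no forward declaration, so under `-w` perl appears to warn that it is called too early to check the prototype — add `sub process_test($$$$);` beside the existing `sub exec_test($$);`. In `su`, the `/etc/group` parser uses `split /:/`, which drops trailing empty fields, so on a group line with no members `$users` is undefined and `split /,/, $users` triggers an uninitialized-value warning; guard it, e.g. `foreach my $u (split /,/, $users || '') {`.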
--- /dev/null
+Setfacl utility tests. Run these tests on a filesystem with ACL support.
+
+ $ mkdir d
+ $ chown bin:bin d
+ $ cd d
+
+ $ su bin
+ $ sg bin
+ $ umask 027
+ $ touch g
+ $ ls -dl g | awk '{print $1}'
+ > -rw-r-----
+
+ $ setfacl -m m:- g
+ $ ls -dl g | awk '{print $1}'
+ > -rw-------+
+
+ $ getfacl g
+ > # file: g
+ > # owner: bin
+ > # group: bin
+ > user::rw-
+ > group::r-- #effective:---
+ > mask::---
+ > other::---
+ >
+
+ $ setfacl -x m g
+ $ getfacl g
+ > # file: g
+ > # owner: bin
+ > # group: bin
+ > user::rw-
+ > group::r--
+ > other::---
+ >
+
+ $ setfacl -m u:daemon:rw g
+ $ getfacl g
+ > # file: g
+ > # owner: bin
+ > # group: bin
+ > user::rw-
+ > user:daemon:rw-
+ > group::r--
+ > mask::rw-
+ > other::---
+ >
+
+ $ setfacl -m u::rwx,g::r-x,o:- g
+ $ getfacl g
+ > # file: g
+ > # owner: bin
+ > # group: bin
+ > user::rwx
+ > user:daemon:rw-
+ > group::r-x
+ > mask::rwx
+ > other::---
+ >
+
+ $ setfacl -m u::rwx,g::r-x,o:-,m:- g
+ $ getfacl g
+ > # file: g
+ > # owner: bin
+ > # group: bin
+ > user::rwx
+ > user:daemon:rw- #effective:---
+ > group::r-x #effective:---
+ > mask::---
+ > other::---
+ >
+
+ $ setfacl -m u::rwx,g::r-x,o:-,u:root:-,m:- g
+ $ getfacl g
+ > # file: g
+ > # owner: bin
+ > # group: bin
+ > user::rwx
+ > user:root:---
+ > user:daemon:rw- #effective:---
+ > group::r-x #effective:---
+ > mask::---
+ > other::---
+ >
+
+ $ setfacl -m u::rwx,g::r-x,o:-,u:root:-,m:- g
+ $ getfacl g
+ > # file: g
+ > # owner: bin
+ > # group: bin
+ > user::rwx
+ > user:root:---
+ > user:daemon:rw- #effective:---
+ > group::r-x #effective:---
+ > mask::---
+ > other::---
+ >
+
+ $ setfacl -m u::rwx,g::r-x,o:-,u:root:- g
+ $ getfacl g
+ > # file: g
+ > # owner: bin
+ > # group: bin
+ > user::rwx
+ > user:root:---
+ > user:daemon:rw-
+ > group::r-x
+ > mask::rwx
+ > other::---
+ >
+
+ $ setfacl --test -x u: g
+ > setfacl: g: Malformed access ACL `user:root:---,user:daemon:rw-,group::r-x,mask::rwx,other::---': Missing or wrong entry at entry 1
+
+ $ setfacl --test -x u:x
+ > setfacl: Option -x: Invalid argument near character 3
+
+ $ setfacl -m d:u:root:rwx g
+ > setfacl: g: Only directories can have default ACLs
+
+ $ setfacl -x m g
+ > setfacl: g: Malformed access ACL `user::rwx,user:root:---,user:daemon:rw-,group::r-x,other::---': Missing or wrong entry at entry 5
+ setfacl --test -m d:u:daemon:rwx setfacl
+ setfacl --test -n -m d:u:daemon:rwx setfacl
+
+Check if the mask is properly recalculated
+
+ $ mkdir d
+ $ setfacl --test -m u::rwx,u:bin:rwx,g::r-x,o::--- d
+ > d: u::rwx,u:bin:rwx,g::r-x,m::rwx,o::---,*
+
+ $ setfacl --test -m u::rwx,u:bin:rwx,g::r-x,m::---,o::--- d
+ > d: u::rwx,u:bin:rwx,g::r-x,m::---,o::---,*
+
+ $ setfacl --test -d -m u::rwx,u:bin:rwx,g::r-x,o::--- d
+ > d: *,d:u::rwx,d:u:bin:rwx,d:g::r-x,d:m::rwx,d:o::---
+
+ $ setfacl --test -d -m u::rwx,u:bin:rwx,g::r-x,m::---,o::--- d
+ > d: *,d:u::rwx,d:u:bin:rwx,d:g::r-x,d:m::---,d:o::---
+
+ $ su
+ $ cd ..
+ $ rm -r d
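Review bot: The two lines `setfacl --test -m d:u:daemon:rwx setfacl` and `setfacl --test -n -m d:u:daemon:rwx setfacl` after the `setfacl -x m g` check have no `$ ` prefix, so the harness treats them as prose and never runs them, and they apparently refer to a file `setfacl` that the test never creates; either remove them or turn them into real checks with a `$ ` prefix, an existing target, and their expected output. The block `setfacl -m u::rwx,g::r-x,o:-,u:root:-,m:- g` appears twice with identical expected output — if re-applying the same ACL is deliberately tested as a no-op, say so in a heading line, otherwise drop the duplicate.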
}
run_test 2 "set/get xattr test (trusted xattr only) ============"
+run_acl_subtest()
+{
+ sed -e "s/joe/$USER1/g;s/lisa/$USER2/g;s/users/$GROUP1/g;s/toolies/$GROUP2/g" \
+ $SAVE_PWD/acl/$1.test | $SAVE_PWD/acl/run || error "$? $1.test failed"
+}
+
test_3 () {
SAVE_UMASK=`umask`
umask 022
GROUP1=nobody
GROUP2=users
- chmod +x runacltest
- chmod +x acl_mode
cd $DIR
- #sed -e "s/joe/$USER1/g;s/lisa/$USER2/g;s/users/$GROUP1/g;s/toolies/$GROUP2/g" $SAVE_PWD/setfacl.test | runacltest ||
-#error "$? setfacl tests failed"
-
- #sed -e "s/joe/$USER1/g;s/lisa/$USER2/g;s/users/$GROUP1/g;s/toolies/$GROUP2/g" $SAVE_PWD/acl_asroot.test | runacltest || error "$? acl_asroot tests failed"
-
- #sed -e "s/joe/$USER1/g;s/lisa/$USER2/g;s/users/$GROUP1/g;s/toolies/$GROUP2/g" $SAVE_PWD/acl_perm.test | runacltest || error "$? acl_perm tests failed"
-
- #sed -e "s/joe/$USER1/g;s/lisa/$USER2/g;s/users/$GROUP1/g;s/toolies/$GROUP2/g" $SAVE_PWD/acl_misc.test | runacltest || error "$? acl_misc tests failed"
-
- sed -e "s/joe/$USER1/g;s/lisa/$USER2/g;s/users/$GROUP1/g;s/toolies/$GROUP2/g" $SAVE_PWD/acl_fileutil.test | runacltest || error "$? acl_fileutil tests failed"
+ run_acl_subtest cp
+ run_acl_subtest getfacl-noacl
+ run_acl_subtest misc
+ run_acl_subtest permissions
+ run_acl_subtest setfacl
+ cd $SAVED_PWD
umask $SAVE_UMASK
}
run_test 3 "==============acl test ============="
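Review bot: `test_3` returns with `cd $SAVED_PWD`, but the directory variable used everywhere else in the hunk is `SAVE_PWD` (`$SAVE_PWD/acl/$1.test`, `$SAVE_PWD/acl/run`); unless `SAVED_PWD` is defined outside this hunk, the expansion is empty and the bare `cd` lands in `$HOME` instead of the saved directory, so it should be `cd "$SAVE_PWD" || error "cannot cd to $SAVE_PWD"`. In `run_acl_subtest` the `$SAVE_PWD/acl/$1.test` and `$SAVE_PWD/acl/run` expansions should be quoted so a path with spaces does not split. The `sed -e "s/joe/$USER1/g;..."` expression interpolates `$USER1`, `$USER2`, `$GROUP1` and `$GROUP2` into `s///` replacements, so those values must not contain `/`, `&` or `\` — a `case` guard, or at least a comment stating the restriction, would catch a bad configuration early.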