d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# CDDL HEADER START
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# The contents of this file are subject to the terms of the
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# Common Development and Distribution License (the "License").
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# You may not use this file except in compliance with the License.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# or http://www.opensolaris.org/os/licensing.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# See the License for the specific language governing permissions
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# and limitations under the License.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# When distributing Covered Code, include this CDDL HEADER in each
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# If applicable, add the following below this CDDL HEADER, with the
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# fields enclosed by brackets "[]" replaced with your own identifying
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# information: Portions Copyright [yyyy] [name of copyright owner]
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# CDDL HEADER END
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# Use is subject to license terms.
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy# Copyright (c) 2012, 2016 by Delphix. All rights reserved.
327848f9b50960449ae0e73e0767b617af721690Yuri Pankov# Copyright 2016 Nexenta Systems, Inc.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy. $STF_SUITE/tests/functional/acl/acl_common.kshlib
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy. $STF_SUITE/tests/functional/acl/cifs/cifs.kshlib
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# Verify the user with PRIV_FILE_FLAG_SET/PRIV_FILE_FLAG_CLEAR
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# could set/clear BSD'ish attributes.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# (Immutable, nounlink, and appendonly)
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# 1. Loop super user and non-super user to run the test case.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# 2. Create basedir and a set of subdirectores and files within it.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# 3. Grant user has PRIV_FILE_FLAG_SET/PRIV_FILE_FLAG_CLEAR separately.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# 4. Verify set/clear BSD'ish attributes should succeed.
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy rm -rf $mntpt/file $mntpt/dir >/dev/null 2>&1
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy log_must cp $orig_user_attr /etc/user_attr
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy typeset obj=$1 # The file or dir to operate on
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy typeset attr=$2 # The attribute to set or clear
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy typeset user=$3 # The user to run the command as
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy typeset priv=$4 # What privilege to run with if non-root
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy typeset op=$5 # Whether to set or clear the attribute
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy # No one can add 'q' (av_quarantine) to a directory. root can do
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy # anything else. A regular user can remove no attributes without the
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy # 'all' privilege, and can add attributes (other than 'q' on a
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy # directory) with the 'file_flag_set' or 'all' privileges.
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy if [[ $attr =~ 'q' && -d $obj && $op == $add ]]; then
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy if [[ $attr =~ 'q' && -d $obj && $op == $add ]]; then
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy if [[ $op == $add ]]; then
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy if [[ -n $priv ]]; then
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy # Can't add av_quarantine to a directory, so don't check for that
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy [[ $attr == 'q' && $op == $add && -d $obj ]] && return
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy # Extract the attribute string - just the text inside the braces
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy typeset attrstr="$(ls -d/ c $obj | sed '1d; s/.*{\(.*\)}.*/\1/g')"
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy if [[ $op == $add ]]; then
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy [[ $attrstr =~ $attr ]] || log_fail "$op $attr -> $attrstr"
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy [[ $attrstr =~ $attr ]] && log_fail "$op $attr -> $attrstr"
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# Grant the privset to the given user
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# $1: The given user
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# $2: The given privset
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy if [[ -z $user || -z $priv ]]; then
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy log_fail "User($user), Priv($priv) not defined."
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy # If we're root, don't modify /etc/user_attr
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy echo "$user::::type=normal;defaultpriv=basic$priv_mod" >> \
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# Revoke the all additional privset from the given user
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy# $1: The given user
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy if [[ -z $user ]]; then
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy cp $orig_user_attr /etc/user_attr || log_fail "Couldn't modify user_attr"
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedylog_assert "Verify set/clear BSD'ish attributes will succeed while user has " \
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy "file_flag_set or all privilege"
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedymntpt=$(get_prop mountpoint $TESTPOOL/$TESTFS)
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedyfor owner in root $ZFS_ACL_STAFF1 $ZFS_ACL_STAFF2; do
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy touch $mntpt/file || log_fail "Failed to create $mntpt/file"
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy mkdir $mntpt/dir || log_fail "Failed to mkdir $mntpt/dir"
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy chown $owner $mntpt/file $mntpt/dir || log_fail "Failed to chown file"
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedy log_note "Trying $owner $user $attr $priv"
1d32ba663e202c24a5a1f2e5aef83fffb447cb7fJohn Wren Kennedy rm -rf $mntpt/file $mntpt/dir || log_fail \
d583b39bfb4e2571d3e41097c5c357ffe353ad45John Wren Kennedylog_pass "Set/Clear BSD'ish attributes succeed while user has " \