[patch 0/5] acl: test/ improvements and integrate with make

[patch 0/5] acl: test/ improvements and integrate with make

[brandon]

Hello-

This series makes some improvements to the acl tests to integrate them
into make and add a few testing features to the harness.

The most useful feature is being able to run `make test` from the root
of the source tree to build the tree to run a generic set of tests.

Cheers,

	Brandon

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

[patch 1/5] [PATCH] acl: add make test target and use make to run tests

[brandon]

[-- Attachment #1: acl-add-make-test-target-and-use-make-to-run-tests.patch --]
[-- Type: text/plain, Size: 2222 bytes --]

The tests are difficult to run. So, this patch adds a Make target that
sets up the path and runs *.test files in the test/ directory.

nfs specific tests can be ran from the test directory by running
`make nfs`

tests requiring root can be ran from the test directory by running
`make nfs`

Signed-off-by: Brandon Philips <bphilips@suse.de>

---
 Makefile      |    6 +++++-
 test/Makefile |   26 +++++++++++++++++++-------
 2 files changed, 24 insertions(+), 8 deletions(-)

Index: acl-2.2.47/test/Makefile
===================================================================
--- acl-2.2.47.orig/test/Makefile
+++ acl-2.2.47/test/Makefile
@@ -2,13 +2,25 @@
 # Copyright (c) 2001-2002 Silicon Graphics, Inc.  All Rights Reserved.
 #
 
-TOPDIR = ..
-include $(TOPDIR)/include/builddefs
+TEST = $(wildcard *.test)
+ROOT = $(wildcard root/*.test)
+NFS = $(wildcard nfs/*.test)
 
-LSRCFILES = run make-tree \
-	    cp.test getfacl-noacl.test misc.test nfs-dir.test \
-	    nfsacl.test permissions.test setfacl.test
+PATH := $(abspath ../getfacl/):$(abspath ../setfacl/):$(abspath ../chacl/):$(PATH)
 
-include $(BUILDRULES)
+all: $(TEST)
+root: $(ROOT)
+nfs: $(NFS)
 
-default install install-dev install-lib:
+
+$(TEST):
+	@echo "*** $@ ***"; perl run $@
+
+$(NFS):
+	@echo "NFS specific tests"; @echo "*** $@ ***"; perl run $@
+
+$(ROOT):
+	@echo "Note: Tests must run as root"; @echo "*** $@ ***"; perl run $@
+
+.PHONY: $(TEST) $(ROOT) $(NFS) default
+.NOTPARALLEL:
Index: acl-2.2.47/Makefile
===================================================================
--- acl-2.2.47.orig/Makefile
+++ acl-2.2.47/Makefile
@@ -17,7 +17,7 @@ LDIRT = config.log .dep config.status co
 	Logs/* built .census install.* install-dev.* install-lib.* *.gz
 
 SUBDIRS = include libmisc libacl getfacl setfacl chacl m4 man doc po \
-	  test examples build debian
+	  examples build debian
 
 default: $(CONFIGURE)
 ifeq ($(HAVE_BUILDDEFS), no)
@@ -65,3 +65,7 @@ install-lib: default
 realclean distclean: clean
 	rm -f $(LDIRT) $(CONFIGURE)
 	rm -rf autom4te.cache Logs
+
+.PHONY: test
+test: default
+	$(MAKE) -C test/

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

[patch 2/5] [PATCH] acl: various improvements for test/run

[brandon]

[-- Attachment #1: acl-various-improvements-for-test-run.patch --]
[-- Type: text/plain, Size: 4328 bytes --]

First move process_test to avoid a warning:

main::process_test() called too early to check prototype at ./run line 47.
main::process_test() called too early to check prototype at ./run line 60.

Create two ENV variables TUSER and TGROUP to get the user/group
running the test.

Add a | test line that is similar to > but is interpreted as a regular
expression.

Signed-off-by: Brandon Philips <bphilips@suse.de>

---
 test/run |   99 ++++++++++++++++++++++++++++++++-------------------------------
 1 file changed, 51 insertions(+), 48 deletions(-)

Index: acl-2.2.47/test/run
===================================================================
--- acl-2.2.47.orig/test/run
+++ acl-2.2.47/test/run
@@ -25,26 +25,69 @@ if (isatty(fileno(STDOUT))) {
 	$FAILED = "\033[31m\033[1m" . $FAILED . "\033[m";
 }
 
+$ENV{"TUSER"} = getpwuid($>);
+$ENV{"TGROUP"} = getgrgid($));
+
 sub exec_test($$);
 
-my ($prog, $in, $out) = ([], [], []);
+my ($prog, $in, $out, $outmatch) = ([], [], [], []);
 my $line_number = 0;
 my $prog_line;
 my ($tests, $failed) = (0,0);
 
+sub process_test($$$$$) {
+  my ($prog, $prog_line, $in, $out, $outmatch) = @_;
+
+  return unless @$prog;
+
+       my $p = [ @$prog ];
+       print "[$prog_line] \$ ", join(' ',
+             map { s/\s/\\$&/g; $_ } @$p), " -- ";
+       my $result = exec_test($prog, $in);
+       my $good = 1;
+       my $nmax = (@$outmatch > @$result) ? @$outmatch : @$result;
+       for (my $n=0; $n < $nmax; $n++) {
+	 if (!defined($outmatch->[$n]) || !defined($result->[$n]) ||
+	      $result->[$n] !~ /($outmatch->[$n])/) {
+		 $good = 0;
+	 }
+       }
+       $tests++;
+       $failed++ unless $good;
+       print $good ? $OK : $FAILED, "\n";
+       if (!$good) {
+         for (my $n=0; $n < $nmax; $n++) {
+	   my $l = defined($out->[$n]) ? $out->[$n] : "~";
+	   chomp $l;
+	   my $r = defined($result->[$n]) ? $result->[$n] : "~";
+	   chomp $r;
+	   print sprintf("%-37s %s %-39s\n", $l, $l eq $r ? "|" : "?", $r);
+         }
+       } elsif ($opt_v) {
+	 print join('', @$result);
+       }
+}
+
+
+
 for (;;) {
   my $line = <>; $line_number++;
   if (defined $line) {
     # Substitute %VAR and %{VAR} with environment variables.
-    $line =~ s[%(?:(\w+)|\{(\w+)\})][$ENV{"$1$2"}]eg;
+    $line =~ s[%\{(\w+)\}][$ENV{"$1"}]eg;
+    $line =~ s[%(\w+)][$ENV{"$1"}]eg;
   }
   if (defined $line) {
     if ($line =~ s/^\s*< ?//) {
       push @$in, $line;
-    } elsif ($line =~ s/^\s*> ?//) {
+    } elsif ($line =~ s/^\s*> ?//) { # explicit matching
+      push @$outmatch, "^(\Q$line\E)\$";
+      push @$out, $line;
+    } elsif ($line =~ s/^\s*\| ?//) { # regex case
+      push @$outmatch, $line;
       push @$out, $line;
     } else {
-      process_test($prog, $prog_line, $in, $out);
+      process_test($prog, $prog_line, $in, $out, $outmatch);
 
       $prog = [];
       $prog_line = 0;
@@ -55,9 +98,10 @@ for (;;) {
       $prog_line = $line_number;
       $in = [];
       $out = [];
+      $outmatch = [];
     }
   } else {
-    process_test($prog, $prog_line, $in, $out);
+    process_test($prog, $prog_line, $in, $out, $outmatch);
     last;
   }
 }
@@ -75,39 +119,6 @@ print $status, "\n";
 exit $failed ? 1 : 0;
 
 
-sub process_test($$$$) {
-  my ($prog, $prog_line, $in, $out) = @_;
-
-  return unless @$prog;
-
-       my $p = [ @$prog ];
-       print "[$prog_line] \$ ", join(' ',
-             map { s/\s/\\$&/g; $_ } @$p), " -- ";
-       my $result = exec_test($prog, $in);
-       my $good = 1;
-       my $nmax = (@$out > @$result) ? @$out : @$result;
-       for (my $n=0; $n < $nmax; $n++) {
-	 if (!defined($out->[$n]) || !defined($result->[$n]) ||
-	     $out->[$n] ne $result->[$n]) {
-		 $good = 0;
-	 }
-       }
-       $tests++;
-       $failed++ unless $good;
-       print $good ? $OK : $FAILED, "\n";
-       if (!$good) {
-         for (my $n=0; $n < $nmax; $n++) {
-	   my $l = defined($out->[$n]) ? $out->[$n] : "~";
-	   chomp $l;
-	   my $r = defined($result->[$n]) ? $result->[$n] : "~";
-	   chomp $r;
-	   print sprintf("%-37s %s %-39s\n", $l, $l eq $r ? "|" : "?", $r);
-         }
-       } elsif ($opt_v) {
-	 print join('', @$result);
-       }
-}
-
 
 sub su($) {
   my ($user) = @_;

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

[patch 3/5] [PATCH] acl: move root tests to their own folder

[brandon]

[-- Attachment #1: acl-move-root-tests-to-their-own-folder.patch --]
[-- Type: text/plain, Size: 18303 bytes --]

Since these tests require root perms to run move them into a seperate
folder so they don't run by default.

Signed-off-by: Brandon Philips <bphilips@suse.de>

---
 test/permissions.test      |  279 ---------------------------------------------
 test/root/permissions.test |  279 +++++++++++++++++++++++++++++++++++++++++++++
 test/root/setfacl.test     |  144 +++++++++++++++++++++++
 test/setfacl.test          |  144 -----------------------
 4 files changed, 423 insertions(+), 423 deletions(-)

Index: acl-2.2.47/test/permissions.test
===================================================================
--- acl-2.2.47.orig/test/permissions.test
+++ /dev/null
@@ -1,279 +0,0 @@
-This script tests if file permissions are properly checked with and
-without ACLs. The script must be run as root to allow switching users.
-The following users are required. They must be a member in the groups
-listed in parentheses.
-
-	bin (bin)
-	daemon (bin, daemon)
-
-
-Cry immediately if we are not running as root.
-
-	$ id -u
-	> 0
-
-
-First, set up a temporary directory and create a regular file with
-defined permissions.
-
-	$ mkdir d
-	$ cd d
-	$ umask 027
-	$ touch f
-	$ ls -l f | awk -- '{ print $1, $3, $4 }'
-	> -rw-r----- root root
-
-
-Make sure root has access to the file.  Verify that user daemon does not
-have access to the file owned by root.
-
-	$ echo root > f
-
-	$ su daemon
-	$ echo daemon >> f
-	> f: Permission denied
-
-	$ su
-
-
-Now, change the ownership of the file to bin:bin and verify that this
-gives user bin write access.
-
-	$ chown bin:bin f
-	$ ls -l f | awk -- '{ print $1, $3, $4 }'
-	> -rw-r----- bin bin
-	$ su bin
-	$ echo bin >> f
-
-
-User daemon is a member in the owning group, which has only read access.
-Verify this.
-
-	$ su daemon
-	$ cat f
-	> root
-	> bin
-
-	$ echo daemon >> f
-	> f: Permission denied
-
-
-Now, add an ACL entry for user daemon that grants him rw- access. File
-owners and users capable of CAP_FOWNER are allowed to change ACLs.
-
-	$ su bin
-	$ setfacl -m u:daemon:rw f
-	$ getfacl --omit-header f
-	> user::rw-
-	> user:daemon:rw-
-	> group::r--
-	> mask::rw-
-	> other::---
-	>
-
-
-Verify that the additional ACL entry grants user daemon write access.
-
-	$ su daemon
-	$ echo daemon >> f
-	$ cat f
-	> root
-	> bin
-	> daemon
-
-
-Remove write access from the group class permission bits, and
-verify that this masks daemon's write permission.
-
-	$ su bin
-	$ chmod g-w f
-	$ getfacl --omit-header f
-	> user::rw-
-	> user:daemon:rw-	#effective:r--
-	> group::r--
-	> mask::r--
-	> other::---
-	>
-
-	$ su daemon
-	$ echo daemon >> f
-	> f: Permission denied
-
-
-Add an entry for group daemon with rw- access, and change the
-permissions for user daemon to r--. Also change the others permissions t
-rw-. The user entry should take precedence, so daemon should be denied
-access.
-
-	$ su bin
-	$ setfacl -m u:daemon:r,g:daemon:rw-,o::rw- f
-
-	$ su daemon
-	$ echo daemon >> f
-	> f: Permission denied
-
-
-Remove the entry for user daemon. The group daemon permissions should
-now give user daemon rw- access.
-
-	$ su bin
-	$ setfacl -x u:daemon f
-
-	$ su daemon
-	$ echo daemon2 >> f
-	$ cat f
-	> root
-	> bin
-	> daemon
-	> daemon2
-
-
-Set the group daemon permissions to r-- and verify that after than, user
-daemon does not have write access anymore.
-
-	$ su bin
-	$ setfacl -m g:daemon:r f
-
-	$ su daemon
-	$ echo daemon3 >> f
-	> f: Permission denied
-
-
-Now, remove the group daemon entry. Because user daemon is a member in
-the owning group, he should still have no write access.
-
-	$ su bin
-	$ setfacl -x g:daemon f
-
-	$ su daemon
-	$ echo daemon4 >> f
-	> f: Permission denied
-
-
-Change the owning group. The other permissions should now grant user
-daemon write access.
-
-	$ su
-	$ chgrp root f
-
-	$ su daemon
-	$ echo daemon5 >> f
-	$ cat f
-	> root
-	> bin
-	> daemon
-	> daemon2
-	> daemon5
-
-
-Verify that permissions in separate matching ACL entries do not
-accumulate.
-
-	$ su
-	$ setfacl -m g:bin:r,g:daemon:w f
-
-	$ su daemon
-	$ : < f	 # open for reading
-	$ : > f  # open for writing
-	$ : <> f  # open for read-write
-	> f: Permission denied
-
-
-Test if directories can have ACLs.  We assume that only one access check
-algorithm is used for all file types the file system, so these tests
-only need to verify that ACL permissions make a difference.
-
-	$ su
-	$ mkdir -m 750 e
-	$ touch e/h
-
-	$ su bin
-	$ shopt -s nullglob ; echo e/*
-	>
-
-	$ echo i > e/i
-	> e/i: Permission denied
-
-	$ su
-	$ setfacl -m u:bin:rx e
-
-	$ su bin
-	$ echo e/*
-	> e/h
-	$ echo i > e/i
-	> e/i: Permission denied
-
-	$ su
-	$ setfacl -m u:bin:rwx e
-
-	$ su bin
-	$ echo i > e/i
-
-
-Test if symlinks are properly followed.
-
-	$ su
-	$ touch g
-	$ ln -s g l
-	$ setfacl -m u:bin:rw l
-	$ ls -l g | awk -- '{ print $1, $3, $4 }'
-	> -rw-rw----+ root root
-
-
-Test if ACLs are effective for block and character special files, fifos,
-sockets. This is done by creating special files locally. The devices do
-not need to exist: The access check is earlier in the code path than the
-test if the device exists.
-
-
-	$ mknod -m 0660 hdt b 91 64	# /dev/hdt
-	$ mknod -m 0660 null c 1 3	# /dev/null
-	$ mkfifo -m 0660 fifo
-
-	$ su bin
-	$ : < hdt
-	> hdt: Permission denied
-	$ : < null
-	> null: Permission denied
-	$ : < fifo
-	> fifo: Permission denied
-
-	$ su
-	$ setfacl -m u:bin:rw hdt null fifo
-
-	$ su bin
-	$ : < hdt
-	> hdt: No such device or address
-	$ : < null
-	$ ( echo blah > fifo & ) ; cat fifo
-	> blah
-
-
-Test if CAP_FOWNER is properly honored for directories. This addresses a
-specific bug in XFS 1.2, which does not grant root access to files in
-directories if the file has an ACL and only CAP_FOWNER would grant them.
-
-	$ su
-	$ mkdir -m 600 x
-	$ chown daemon:daemon x
-	$ echo j > x/j
-	$ ls -l x/j | awk -- '{ print $1, $3, $4 }'
-	> -rw-r----- root root
-
-	$ setfacl -m u:daemon:r x
-
-	$ ls -l x/j | awk -- '{ print $1, $3, $4 }'
-	> -rw-r----- root root
-	(With the bug this gives: `ls: x/j: Permission denied'.)
-
-	$ echo k > x/k
-	(With the bug this gives: `x/k: Permission denied'.)
-
-	$ chmod 750 x
-
-
-Clean up.
-
-	$ su
-	$ cd ..
-	$ rm -rf d
Index: acl-2.2.47/test/setfacl.test
===================================================================
--- acl-2.2.47.orig/test/setfacl.test
+++ /dev/null
@@ -1,144 +0,0 @@
-Setfacl utility tests. Run these tests on a filesystem with ACL support.
- 
- 	$ mkdir d
-	$ chown bin:bin d
-	$ cd d
-
-	$ su bin
-	$ sg bin
-	$ umask 027
-	$ touch g
-	$ ls -dl g | awk '{print $1}'
-	> -rw-r-----
-	
-	$ setfacl -m m:- g
-	$ ls -dl g | awk '{print $1}'
-	> -rw-------+
-	
-	$ getfacl g
-	> # file: g
-	> # owner: bin
-	> # group: bin
-	> user::rw-
-	> group::r--	#effective:---
-	> mask::---
-	> other::---
-	> 
-	
-	$ setfacl -x m g
-	$ getfacl g
-	> # file: g
-	> # owner: bin
-	> # group: bin
-	> user::rw-
-	> group::r--
-	> other::---
-	> 
-	
-	$ setfacl -m u:daemon:rw g
-	$ getfacl g
-	> # file: g
-	> # owner: bin
-	> # group: bin
-	> user::rw-
-	> user:daemon:rw-
-	> group::r--
-	> mask::rw-
-	> other::---
-	> 
-	
-	$ setfacl -m u::rwx,g::r-x,o:- g
-	$ getfacl g
-	> # file: g
-	> # owner: bin
-	> # group: bin
-	> user::rwx
-	> user:daemon:rw-
-	> group::r-x
-	> mask::rwx
-	> other::---
-	> 
-	
-	$ setfacl -m u::rwx,g::r-x,o:-,m:- g
-	$ getfacl g
-	> # file: g
-	> # owner: bin
-	> # group: bin
-	> user::rwx
-	> user:daemon:rw-	#effective:---
-	> group::r-x	#effective:---
-	> mask::---
-	> other::---
-	> 
-	
-	$ setfacl -m u::rwx,g::r-x,o:-,u:root:-,m:- g
-	$ getfacl g
-	> # file: g
-	> # owner: bin
-	> # group: bin
-	> user::rwx
-	> user:root:---
-	> user:daemon:rw-	#effective:---
-	> group::r-x	#effective:---
-	> mask::---
-	> other::---
-	> 
-	
-	$ setfacl -m u::rwx,g::r-x,o:-,u:root:-,m:- g
-	$ getfacl g
-	> # file: g
-	> # owner: bin
-	> # group: bin
-	> user::rwx
-	> user:root:---
-	> user:daemon:rw-	#effective:---
-	> group::r-x	#effective:---
-	> mask::---
-	> other::---
-	> 
-	
-	$ setfacl -m u::rwx,g::r-x,o:-,u:root:- g
-	$ getfacl g
-	> # file: g
-	> # owner: bin
-	> # group: bin
-	> user::rwx
-	> user:root:---
-	> user:daemon:rw-
-	> group::r-x
-	> mask::rwx
-	> other::---
-	> 
-	
-	$ setfacl --test -x u: g
-	> setfacl: g: Malformed access ACL `user:root:---,user:daemon:rw-,group::r-x,mask::rwx,other::---': Missing or wrong entry at entry 1
-	
-	$ setfacl --test -x u:x
-	> setfacl: Option -x: Invalid argument near character 3
-	
-	$ setfacl -m d:u:root:rwx g
-	> setfacl: g: Only directories can have default ACLs
-	
-	$ setfacl -x m g
-	> setfacl: g: Malformed access ACL `user::rwx,user:root:---,user:daemon:rw-,group::r-x,other::---': Missing or wrong entry at entry 5
-	 setfacl --test -m d:u:daemon:rwx setfacl
-	 setfacl --test -n -m d:u:daemon:rwx setfacl
-	
-Check if the mask is properly recalculated
- 
-	$ mkdir d
-	$ setfacl --test -m u::rwx,u:bin:rwx,g::r-x,o::--- d
-	> d: u::rwx,u:bin:rwx,g::r-x,m::rwx,o::---,*
-	
-	$ setfacl --test -m u::rwx,u:bin:rwx,g::r-x,m::---,o::--- d
-	> d: u::rwx,u:bin:rwx,g::r-x,m::---,o::---,*
-	
-	$ setfacl --test -d -m u::rwx,u:bin:rwx,g::r-x,o::--- d
-	> d: *,d:u::rwx,d:u:bin:rwx,d:g::r-x,d:m::rwx,d:o::---
-	
-	$ setfacl --test -d -m u::rwx,u:bin:rwx,g::r-x,m::---,o::--- d
-	> d: *,d:u::rwx,d:u:bin:rwx,d:g::r-x,d:m::---,d:o::---
-	
-	$ su
-	$ cd ..
-	$ rm -r d
Index: acl-2.2.47/test/root/permissions.test
===================================================================
--- /dev/null
+++ acl-2.2.47/test/root/permissions.test
@@ -0,0 +1,279 @@
+This script tests if file permissions are properly checked with and
+without ACLs. The script must be run as root to allow switching users.
+The following users are required. They must be a member in the groups
+listed in parentheses.
+
+	bin (bin)
+	daemon (bin, daemon)
+
+
+Cry immediately if we are not running as root.
+
+	$ id -u
+	> 0
+
+
+First, set up a temporary directory and create a regular file with
+defined permissions.
+
+	$ mkdir d
+	$ cd d
+	$ umask 027
+	$ touch f
+	$ ls -l f | awk -- '{ print $1, $3, $4 }'
+	> -rw-r----- root root
+
+
+Make sure root has access to the file.  Verify that user daemon does not
+have access to the file owned by root.
+
+	$ echo root > f
+
+	$ su daemon
+	$ echo daemon >> f
+	| f: Permission denied$
+
+	$ su
+
+
+Now, change the ownership of the file to bin:bin and verify that this
+gives user bin write access.
+
+	$ chown bin:bin f
+	$ ls -l f | awk -- '{ print $1, $3, $4 }'
+	> -rw-r----- bin bin
+	$ su bin
+	$ echo bin >> f
+
+
+User daemon is a member in the owning group, which has only read access.
+Verify this.
+
+	$ su daemon
+	$ cat f
+	> root
+	> bin
+
+	$ echo daemon >> f
+	| f: Permission denied$
+
+
+Now, add an ACL entry for user daemon that grants him rw- access. File
+owners and users capable of CAP_FOWNER are allowed to change ACLs.
+
+	$ su bin
+	$ setfacl -m u:daemon:rw f
+	$ getfacl --omit-header f
+	> user::rw-
+	> user:daemon:rw-
+	> group::r--
+	> mask::rw-
+	> other::---
+	>
+
+
+Verify that the additional ACL entry grants user daemon write access.
+
+	$ su daemon
+	$ echo daemon >> f
+	$ cat f
+	> root
+	> bin
+	> daemon
+
+
+Remove write access from the group class permission bits, and
+verify that this masks daemon's write permission.
+
+	$ su bin
+	$ chmod g-w f
+	$ getfacl --omit-header f
+	> user::rw-
+	> user:daemon:rw-	#effective:r--
+	> group::r--
+	> mask::r--
+	> other::---
+	>
+
+	$ su daemon
+	$ echo daemon >> f
+	| f: Permission denied$
+
+
+Add an entry for group daemon with rw- access, and change the
+permissions for user daemon to r--. Also change the others permissions t
+rw-. The user entry should take precedence, so daemon should be denied
+access.
+
+	$ su bin
+	$ setfacl -m u:daemon:r,g:daemon:rw-,o::rw- f
+
+	$ su daemon
+	$ echo daemon >> f
+	| f: Permission denied$
+
+
+Remove the entry for user daemon. The group daemon permissions should
+now give user daemon rw- access.
+
+	$ su bin
+	$ setfacl -x u:daemon f
+
+	$ su daemon
+	$ echo daemon2 >> f
+	$ cat f
+	> root
+	> bin
+	> daemon
+	> daemon2
+
+
+Set the group daemon permissions to r-- and verify that after than, user
+daemon does not have write access anymore.
+
+	$ su bin
+	$ setfacl -m g:daemon:r f
+
+	$ su daemon
+	$ echo daemon3 >> f
+	| f: Permission denied$
+
+
+Now, remove the group daemon entry. Because user daemon is a member in
+the owning group, he should still have no write access.
+
+	$ su bin
+	$ setfacl -x g:daemon f
+
+	$ su daemon
+	$ echo daemon4 >> f
+	| f: Permission denied$
+
+
+Change the owning group. The other permissions should now grant user
+daemon write access.
+
+	$ su
+	$ chgrp root f
+
+	$ su daemon
+	$ echo daemon5 >> f
+	$ cat f
+	> root
+	> bin
+	> daemon
+	> daemon2
+	> daemon5
+
+
+Verify that permissions in separate matching ACL entries do not
+accumulate.
+
+	$ su
+	$ setfacl -m g:bin:r,g:daemon:w f
+
+	$ su daemon
+	$ : < f	 # open for reading
+	$ : > f  # open for writing
+	$ : <> f  # open for read-write
+	| f: Permission denied$
+
+
+Test if directories can have ACLs.  We assume that only one access check
+algorithm is used for all file types the file system, so these tests
+only need to verify that ACL permissions make a difference.
+
+	$ su
+	$ mkdir -m 750 e
+	$ touch e/h
+
+	$ su bin
+	$ shopt -s nullglob ; echo e/*
+	>
+
+	$ echo i > e/i
+	| e/i: Permission denied$
+
+	$ su
+	$ setfacl -m u:bin:rx e
+
+	$ su bin
+	$ echo e/*
+	> e/h
+	$ echo i > e/i
+	| e/i: Permission denied$
+
+	$ su
+	$ setfacl -m u:bin:rwx e
+
+	$ su bin
+	$ echo i > e/i
+
+
+Test if symlinks are properly followed.
+
+	$ su
+	$ touch g
+	$ ln -s g l
+	$ setfacl -m u:bin:rw l
+	$ ls -l g | awk -- '{ print $1, $3, $4 }'
+	> -rw-rw----+ root root
+
+
+Test if ACLs are effective for block and character special files, fifos,
+sockets. This is done by creating special files locally. The devices do
+not need to exist: The access check is earlier in the code path than the
+test if the device exists.
+
+
+	$ mknod -m 0660 hdt b 91 64	# /dev/hdt
+	$ mknod -m 0660 null c 1 3	# /dev/null
+	$ mkfifo -m 0660 fifo
+
+	$ su bin
+	$ : < hdt
+	| hdt: Permission denied$
+	$ : < null
+	| null: Permission denied$
+	$ : < fifo
+	| fifo: Permission denied$
+
+	$ su
+	$ setfacl -m u:bin:rw hdt null fifo
+
+	$ su bin
+	$ : < hdt
+	| hdt: No such device or address$
+	$ : < null
+	$ ( echo blah > fifo & ) ; cat fifo
+	> blah
+
+
+Test if CAP_FOWNER is properly honored for directories. This addresses a
+specific bug in XFS 1.2, which does not grant root access to files in
+directories if the file has an ACL and only CAP_FOWNER would grant them.
+
+	$ su
+	$ mkdir -m 600 x
+	$ chown daemon:daemon x
+	$ echo j > x/j
+	$ ls -l x/j | awk -- '{ print $1, $3, $4 }'
+	> -rw-r----- root root
+
+	$ setfacl -m u:daemon:r x
+
+	$ ls -l x/j | awk -- '{ print $1, $3, $4 }'
+	> -rw-r----- root root
+	(With the bug this gives: `ls: x/j: Permission denied'.)
+
+	$ echo k > x/k
+	(With the bug this gives: `x/k: Permission denied'.)
+
+	$ chmod 750 x
+
+
+Clean up.
+
+	$ su
+	$ cd ..
+	$ rm -rf d
Index: acl-2.2.47/test/root/setfacl.test
===================================================================
--- /dev/null
+++ acl-2.2.47/test/root/setfacl.test
@@ -0,0 +1,144 @@
+Setfacl utility tests. Run these tests on a filesystem with ACL support.
+
+ 	$ mkdir d
+	$ chown bin:bin d
+	$ cd d
+
+	$ su bin
+	$ sg bin
+	$ umask 027
+	$ touch g
+	$ ls -dl g | awk '{print $1}'
+	> -rw-r-----
+
+	$ setfacl -m m:- g
+	$ ls -dl g | awk '{print $1}'
+	> -rw-------+
+
+	$ getfacl g
+	> # file: g
+	> # owner: bin
+	> # group: bin
+	> user::rw-
+	> group::r--	#effective:---
+	> mask::---
+	> other::---
+	>
+
+	$ setfacl -x m g
+	$ getfacl g
+	> # file: g
+	> # owner: bin
+	> # group: bin
+	> user::rw-
+	> group::r--
+	> other::---
+	>
+
+	$ setfacl -m u:daemon:rw g
+	$ getfacl g
+	> # file: g
+	> # owner: bin
+	> # group: bin
+	> user::rw-
+	> user:daemon:rw-
+	> group::r--
+	> mask::rw-
+	> other::---
+	>
+
+	$ setfacl -m u::rwx,g::r-x,o:- g
+	$ getfacl g
+	> # file: g
+	> # owner: bin
+	> # group: bin
+	> user::rwx
+	> user:daemon:rw-
+	> group::r-x
+	> mask::rwx
+	> other::---
+	>
+
+	$ setfacl -m u::rwx,g::r-x,o:-,m:- g
+	$ getfacl g
+	> # file: g
+	> # owner: bin
+	> # group: bin
+	> user::rwx
+	> user:daemon:rw-	#effective:---
+	> group::r-x	#effective:---
+	> mask::---
+	> other::---
+	>
+
+	$ setfacl -m u::rwx,g::r-x,o:-,u:root:-,m:- g
+	$ getfacl g
+	> # file: g
+	> # owner: bin
+	> # group: bin
+	> user::rwx
+	> user:root:---
+	> user:daemon:rw-	#effective:---
+	> group::r-x	#effective:---
+	> mask::---
+	> other::---
+	>
+
+	$ setfacl -m u::rwx,g::r-x,o:-,u:root:-,m:- g
+	$ getfacl g
+	> # file: g
+	> # owner: bin
+	> # group: bin
+	> user::rwx
+	> user:root:---
+	> user:daemon:rw-	#effective:---
+	> group::r-x	#effective:---
+	> mask::---
+	> other::---
+	>
+
+	$ setfacl -m u::rwx,g::r-x,o:-,u:root:- g
+	$ getfacl g
+	> # file: g
+	> # owner: bin
+	> # group: bin
+	> user::rwx
+	> user:root:---
+	> user:daemon:rw-
+	> group::r-x
+	> mask::rwx
+	> other::---
+	>
+
+	$ setfacl --test -x u: g
+	> setfacl: g: Malformed access ACL `user:root:---,user:daemon:rw-,group::r-x,mask::rwx,other::---': Missing or wrong entry at entry 1
+
+	$ setfacl --test -x u:x
+	> setfacl: Option -x: Invalid argument near character 3
+
+	$ setfacl -m d:u:root:rwx g
+	> setfacl: g: Only directories can have default ACLs
+
+	$ setfacl -x m g
+	> setfacl: g: Malformed access ACL `user::rwx,user:root:---,user:daemon:rw-,group::r-x,other::---': Missing or wrong entry at entry 5
+	 setfacl --test -m d:u:daemon:rwx setfacl
+	 setfacl --test -n -m d:u:daemon:rwx setfacl
+
+Check if the mask is properly recalculated
+
+	$ mkdir d
+	$ setfacl --test -m u::rwx,u:bin:rwx,g::r-x,o::--- d
+	> d: u::rwx,u:bin:rwx,g::r-x,m::rwx,o::---,*
+
+	$ setfacl --test -m u::rwx,u:bin:rwx,g::r-x,m::---,o::--- d
+	> d: u::rwx,u:bin:rwx,g::r-x,m::---,o::---,*
+
+	$ setfacl --test -d -m u::rwx,u:bin:rwx,g::r-x,o::--- d
+	> d: *,d:u::rwx,d:u:bin:rwx,d:g::r-x,d:m::rwx,d:o::---
+
+	$ setfacl --test -d -m u::rwx,u:bin:rwx,g::r-x,m::---,o::--- d
+	> d: *,d:u::rwx,d:u:bin:rwx,d:g::r-x,d:m::---,d:o::---
+
+	$ su
+	$ cd ..
+	$ rm -r d

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

[patch 4/5] [PATCH] acl: move nfs tests to their own folder

[brandon]

[-- Attachment #1: acl-move-nfs-tests-to-their-own-folder.patch --]
[-- Type: text/plain, Size: 5802 bytes --]

Since these tests require nfs mounts to run move them into a seperate
folder so they don't run by default.

Signed-off-by: Brandon Philips <bphilips@suse.de>

---
 test/nfs-dir.test     |   50 --------------------------------------------------
 test/nfs/nfs-dir.test |   50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 test/nfs/nfsacl.test  |   42 ++++++++++++++++++++++++++++++++++++++++++
 test/nfsacl.test      |   42 ------------------------------------------
 4 files changed, 92 insertions(+), 92 deletions(-)

Index: acl-2.2.47/test/nfs-dir.test
===================================================================
--- acl-2.2.47.orig/test/nfs-dir.test
+++ /dev/null
@@ -1,50 +0,0 @@
-This is a regression test for a bug in 2.4 kernels. The test must be run
-as root on a machine that has a loopback mounted NFS export. The mount
-must have root squashing enabled. The test must be run in the root of
-the nfs mount, and requires the following environment variable:
-
-EXPORT_PATH => the path that is mounted at the working directory.
-
-	Create a test directory and file.
-	
-	$ umask 022
-	$ mkdir %{EXPORT_PATH}/test
-	$ echo blah > %{EXPORT_PATH}/test/blah
-
-	Make sure the file can be accessed before.
-	
-	$ su bin
-	$ cat test/blah
-	> blah
-
-	Set up a situation that triggers the bug.
-
-	$ su
-	$ chmod go-rwx %{EXPORT_PATH}/test
-	$ setfacl -m u:bin:rx %{EXPORT_PATH}/test
-	$ ls -dl %{EXPORT_PATH}/test | awk '{print $1, $3, $4}'
-	> drwxr-x---+ root root
-	$ getfacl --omit-header %{EXPORT_PATH}/test 2> /dev/null
-	> user::rwx
-	> user:bin:r-x
-	> group::---
-	> mask::r-x
-	> other::---
-	>
-
-	This should also succeed. With the bug, reading the file would
-	fail with "Stale NFS file handle" or "Input/output error".
-
-	$ su bin
-	$ cat test/blah
-	> blah
-	$ sleep 3
-	$ cat test/blah
-	> blah
-	$ cat test/blah
-	> blah
-
-	Clean up.
-
-	$ su
-	$ rm -rf %{EXPORT_PATH}/test
Index: acl-2.2.47/test/nfs/nfs-dir.test
===================================================================
--- /dev/null
+++ acl-2.2.47/test/nfs/nfs-dir.test
@@ -0,0 +1,50 @@
+This is a regression test for a bug in 2.4 kernels. The test must be run
+as root on a machine that has a loopback mounted NFS export. The mount
+must have root squashing enabled. The test must be run in the root of
+the nfs mount, and requires the following environment variable:
+
+EXPORT_PATH => the path that is mounted at the working directory.
+
+	Create a test directory and file.
+
+	$ umask 022
+	$ mkdir %{EXPORT_PATH}/test
+	$ echo blah > %{EXPORT_PATH}/test/blah
+
+	Make sure the file can be accessed before.
+
+	$ su bin
+	$ cat test/blah
+	> blah
+
+	Set up a situation that triggers the bug.
+
+	$ su
+	$ chmod go-rwx %{EXPORT_PATH}/test
+	$ setfacl -m u:bin:rx %{EXPORT_PATH}/test
+	$ ls -dl %{EXPORT_PATH}/test | awk '{print $1, $3, $4}'
+	> drwxr-x---+ root root
+	$ getfacl --omit-header %{EXPORT_PATH}/test 2> /dev/null
+	> user::rwx
+	> user:bin:r-x
+	> group::---
+	> mask::r-x
+	> other::---
+	>
+
+	This should also succeed. With the bug, reading the file would
+	fail with "Stale NFS file handle" or "Input/output error".
+
+	$ su bin
+	$ cat test/blah
+	> blah
+	$ sleep 3
+	$ cat test/blah
+	> blah
+	$ cat test/blah
+	> blah
+
+	Clean up.
+
+	$ su
+	$ rm -rf %{EXPORT_PATH}/test
Index: acl-2.2.47/test/nfs/nfsacl.test
===================================================================
--- /dev/null
+++ acl-2.2.47/test/nfs/nfsacl.test
@@ -0,0 +1,42 @@
+This is a regression test for bugs in the nfsacl protocol extension.
+The test should be run on an NFS export mount with ACL support.
+
+	Create a test directory and file.
+
+	$ umask 022
+	$ mkdir -p test/sub
+	$ echo blah > test/sub/blah
+
+	$ cp -rp test/sub test/sub2
+	$ find test/sub2 | sort | xargs ls -dl | awk '{print $1,$8}'
+	> drwxr-xr-x test/sub2
+	> -rw-r--r-- test/sub2/blah
+
+	$ rm -rf test/sub2
+
+	$ setfacl -m u:daemon:rwx test/sub
+	$ setfacl -dm u:daemon:rwx test/sub
+	$ getfattr -m- test/sub
+	> # file: test/sub
+	> system.posix_acl_access
+	> system.posix_acl_default
+	>
+
+	$ cp -rp test/sub test/sub2
+	$ find test/sub2 | sort | xargs ls -dl | awk '{print $1,$8}'
+	> drwxrwxr-x+ test/sub2
+	> -rw-r--r-- test/sub2/blah
+
+	$ rm -rf test/sub2
+
+	$ setfacl -m u:daemon:rw test/sub/blah
+	$ cp -rp test/sub test/sub2
+	$ find test/sub2 | sort | xargs ls -dl | awk '{print $1,$8}'
+	> drwxrwxr-x+ test/sub2
+	> -rw-rw-r--+ test/sub2/blah
+
+	$ rm -rf test/sub2
+
+	Clean up.
+
+	$ rm -rf test
Index: acl-2.2.47/test/nfsacl.test
===================================================================
--- acl-2.2.47.orig/test/nfsacl.test
+++ /dev/null
@@ -1,42 +0,0 @@
-This is a regression test for bugs in the nfsacl protocol extension.
-The test should be run on an NFS export mount with ACL support.
-
-	Create a test directory and file.
-
-	$ umask 022
-	$ mkdir -p test/sub
-	$ echo blah > test/sub/blah
-
-	$ cp -rp test/sub test/sub2
-	$ find test/sub2 | sort | xargs ls -dl | awk '{print $1,$8}'
-	> drwxr-xr-x test/sub2
-	> -rw-r--r-- test/sub2/blah
-
-	$ rm -rf test/sub2
-
-	$ setfacl -m u:daemon:rwx test/sub
-	$ setfacl -dm u:daemon:rwx test/sub
-	$ getfattr -m- test/sub
-	> # file: test/sub
-	> system.posix_acl_access
-	> system.posix_acl_default
-	>
-
-	$ cp -rp test/sub test/sub2
-	$ find test/sub2 | sort | xargs ls -dl | awk '{print $1,$8}'
-	> drwxrwxr-x+ test/sub2
-	> -rw-r--r-- test/sub2/blah
-
-	$ rm -rf test/sub2
-
-	$ setfacl -m u:daemon:rw test/sub/blah
-	$ cp -rp test/sub test/sub2
-	$ find test/sub2 | sort | xargs ls -dl | awk '{print $1,$8}'
-	> drwxrwxr-x+ test/sub2
-	> -rw-rw-r--+ test/sub2/blah
-
-	$ rm -rf test/sub2
-
-	Clean up.
-
-	$ rm -rf test

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

[patch 5/5] [PATCH] acl: minor fix to cp.test

[brandon]

[-- Attachment #1: acl-minor-fix-to-cp.test.patch --]
[-- Type: text/plain, Size: 620 bytes --]

X -> x

Signed-off-by: Brandon Philips <bphilips@suse.de>

---
 test/cp.test |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: acl-2.2.47/test/cp.test
===================================================================
--- acl-2.2.47.orig/test/cp.test
+++ acl-2.2.47/test/cp.test
@@ -24,7 +24,7 @@ The cp utility should only copy ACLs if
 	> blubb
 
 	$ rm -r i
-	$ setfacl -R -m u:bin:rwX h
+	$ setfacl -R -m u:bin:rwx h
 	$ getfacl --omit-header h/x
 	> user::rw-
 	> user:bin:rwx

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [patch 2/5] [PATCH] acl: various improvements for test/run

[Andreas Gruenbacher]

Brandon,

the version of the run script in the attr and acl packages is somewhat dated; 
I have made a few improvements since. I'll move this out of {acl,attr}/test 
and put the latest version into the libmisc/ directory.

Note that I recently rewrote the run script from scratch. Unlike the old 
version, the new one runs the whole script inside the same shell. There are 
still a few problems to be solved; most importantly, user switching doesn't 
work, yet. Eventually I want to replace the old version, though.

	http://savannah.nongnu.org/projects/shrun


On Thursday, 8 January 2009 2:53:57 brandon@ifup.org wrote:
> First move process_test to avoid a warning:
>
> main::process_test() called too early to check prototype at ./run line 47.
> main::process_test() called too early to check prototype at ./run line 60.

The new version had this fixed already.

> Create two ENV variables TUSER and TGROUP to get the user/group
> running the test.

Good idea. Added.

(Stuff like this will be obsolete with shrun.)

> Add a | test line that is similar to > but is interpreted as a regular
> expression.

I have been using ">~" instead of "|" for that. I'm still not sure that 
including regular expression matching was a good idea though, so shrun 
doesn't have any of that yet. We'll se how things develop.

Thanks,
Andreas

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [patch 1/5] [PATCH] acl: add make test target and use make to run tests

[Andreas Gruenbacher]

On Thursday, 8 January 2009 2:53:56 brandon@ifup.org wrote:
> The tests are difficult to run. So, this patch adds a Make target that
> sets up the path and runs *.test files in the test/ directory.

Makes sense in principle, except that the patch removes the makefile rules 
that cause the tests to get added to the tarball :-(

Would you mind to fix that?

Thanks,
Andreas

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [patch 5/5] [PATCH] acl: minor fix to cp.test

[Andreas Gruenbacher]

On Thursday, 8 January 2009 2:54:00 brandon@ifup.org wrote:
> X -> x

Added, thanks.

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [patch 4/5] [PATCH] acl: move nfs tests to their own folder

[Andreas Gruenbacher]

On Thursday, 8 January 2009 2:53:59 brandon@ifup.org wrote:
> Since these tests require nfs mounts to run move them into a seperate
> folder so they don't run by default.

Added.

Andreas

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [patch 3/5] [PATCH] acl: move root tests to their own folder

[Andreas Gruenbacher]

On Thursday, 8 January 2009 2:53:58 brandon@ifup.org wrote:
> Since these tests require root perms to run move them into a seperate
> folder so they don't run by default.

Added.

Andreas

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [patch 2/5] [PATCH] acl: various improvements for test/run

[Greg Banks]

Andreas Gruenbacher wrote:
> Brandon,
>
> the version of the run script in the attr and acl packages is somewhat dated; 
> I have made a few improvements since. I'll move this out of {acl,attr}/test 
> and put the latest version into the libmisc/ directory.
>
> Note that I recently rewrote the run script from scratch. Unlike the old 
> version, the new one runs the whole script inside the same shell. There are 
> still a few problems to be solved; most importantly, user switching doesn't 
> work, yet.
I hope you get that feature done soon, and look forward to reviewing
it.  Let me just be Captain Obvious and say that user switching is a
critical feature for code used to drive ACL tests ;-)

>  Eventually I want to replace the old version, though.
>
> 	http://savannah.nongnu.org/projects/shrun
>
>
>
>   
>> Add a | test line that is similar to > but is interpreted as a regular
>> expression.
>>     
>
> I have been using ">~" instead of "|" for that. I'm still not sure that 
> including regular expression matching was a good idea though, so shrun 
> doesn't have any of that yet. We'll se how things develop.
>
>
>   
Regexp matching is the kind of thing that sounds like it could be quite
useful, but it's a pain to implement.  When I wrote a Python interpreter
for the shrun language for use in Newpynfs, I didn't bother implementing
the regexp feature.

-- 
Greg Banks, P.Engineer, SGI Australian Software Group.
the brightly coloured sporks of revolution.
I don't speak for SGI.

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs