]>
gitweb.michael.orlitzky.com - apply-default-acl.git/blob - run-tests.sh
9 # Exit with this when a test fails.
12 # We use a few system users in the tests. If these users aren't
13 # present, we exit with a different (non-EXIT_FAILURE).
16 # Define the users that we'll use in the tests below. We store the
17 # names as variables to avoid repeating them everywhere.
19 # WARNING: These must be in alphabetical order; otherwise the getfacl
20 # output will not match.
24 # Check to see if the above users exist. If not, bail.
25 for idx
in $( seq 0 $((${#USERS[@]} - 1)) ); do
26 id
"${USERS[idx]}" >/dev
/null
2>&1
28 if [ $?
-ne $EXIT_SUCCESS ]; then
29 echo "Error: missing test user ${USERS[idx]}." 1>&2
30 exit $EXIT_MISSING_USERS
35 BIN
=$(realpath src/apply-default-acl)
37 # The directory where we'll do all the ACL manipulation.
41 # Remove any ACLs on our test directory and remove its contents.
42 setfacl
--remove-all --recursive "${TESTDIR}"
43 chmod 755 "${TESTDIR}"
48 if [[ "${ACTUAL}" == "${EXPECTED}" ]]; then
49 echo "Success (#${TESTNUM})"
52 echo "Failure (#${TESTNUM})"
53 echo 'Expected result:'
54 echo '================'
56 echo '================'
58 echo '================'
60 echo '================'
65 # Start by removing and recreating the 'acl' directory.
70 # When using a minimal ACL, the default user, group, and other
71 # permissions should all be propagated to the mode bits.
73 TARGET
="${TESTDIR}"/foo
76 setfacl
-d -m user
::r
-- "${TESTDIR}"
77 setfacl
-d -m group
::r
-- "${TESTDIR}"
78 setfacl
-d -m other
::r
-- "${TESTDIR}"
89 ACTUAL
=$(getfacl --omit-header "${TARGET}")
92 # Do the same thing as the last test, except with an extended ACL.
94 setfacl
-d -m user
::r
-- "${TESTDIR}"
95 setfacl
-d -m group
::r
-- "${TESTDIR}"
96 setfacl
-d -m other
::r
-- "${TESTDIR}"
97 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
112 ACTUAL
=$(getfacl --omit-header "${TARGET}")
116 # A file shared by a group, should still be group-writable
120 chmod 644 "${TARGET}"
121 setfacl
-d -m group
:${USERS[0]}:rwx
"${TESTDIR}"
127 group:${USERS[0]}:rwx #effective:rw-
134 ACTUAL
=$(getfacl --omit-header "${TARGET}")
138 # Same test as before except with a directory.
140 setfacl
-d -m group
:${USERS[0]}:rwx
"${TESTDIR}"
142 chmod 755 "${TARGET}"
148 group:${USERS[0]}:rwx
153 default:group:${USERS[0]}:rwx
160 ACTUAL
=$(getfacl --omit-header "${TARGET}")
164 # With no default, things are left alone.
167 chmod 744 "${TARGET}"
179 ACTUAL
=$(getfacl --omit-header "${TARGET}")
184 # Since the default ACL will grant r-x to group/other, they will wind
188 chmod 744 "${TARGET}"
189 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
203 ACTUAL
=$(getfacl --omit-header "${TARGET}")
207 # Some named entries can be granted execute permissions as the result
211 chmod 744 "${TARGET}"
212 setfacl
-m user
:${USERS[1]}:rw
"${TARGET}"
213 # If we don't add 'x' to the mask here, nobody can execute the file.
214 # setfacl will update the mask for us under most circumstances, but
215 # note that we didn't create an entry with an 'x' bit using setfacl --
216 # therefore, setfacl won't unmask 'x' for us.
217 setfacl
-m mask
::rwx
"${TARGET}"
218 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
219 setfacl
-d -m user
:${USERS[1]}:rwx
"${TESTDIR}"
233 ACTUAL
=$(getfacl --omit-header "${TARGET}")
237 # We should not retain any entries that aren't in the default.
240 chmod 644 "${TARGET}"
241 setfacl
-m user
:${USERS[1]}:rw
"${TARGET}"
242 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
247 user:${USERS[0]}:rwx #effective:rw-
255 ACTUAL
=$(getfacl --omit-header "${TARGET}")
259 # A slightly modified test #1 to make sure it works right.
261 TARGET
="${TESTDIR}"/foo
263 chmod 777 "${TARGET}"
264 setfacl
-d -m user
::r
-- "${TESTDIR}"
275 ACTUAL
=$(getfacl --omit-header "${TARGET}")
279 # If the default ACL mask denies execute, we should respect that
280 # regardless of the existing execute permissions.
282 TARGET
="${TESTDIR}"/foo
284 chmod 777 "${TARGET}"
285 setfacl
-m user
:${USERS[0]}:rwx
"${TESTDIR}"
286 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
287 setfacl
-d -m mask
::rw
- "${TESTDIR}"
292 user:${USERS[0]}:rwx #effective:rw-
293 group::r-x #effective:r--
300 ACTUAL
=$(getfacl --omit-header "${TARGET}")
305 # The --recursive mode should work normally if the argument is a
306 # normal file. See Test #1.
308 TARGET
="${TESTDIR}"/foo
309 setfacl
-d -m user
::r
-- "${TESTDIR}"
310 setfacl
-d -m group
::r
-- "${TESTDIR}"
311 setfacl
-d -m other
::r
-- "${TESTDIR}"
313 chmod 777 "${TARGET}"
314 $BIN --recursive "${TARGET}"
324 ACTUAL
=$(getfacl --omit-header "${TARGET}")
328 # The --recursive mode should work recursively.
330 TARGET
="${TESTDIR}"/foo
332 touch "${TARGET}"/baz
333 mkdir -p "${TARGET}"/bar
334 touch "${TARGET}"/bar
/quux
335 setfacl
-d -m user
::rwx
"${TESTDIR}"
336 setfacl
-d -m group
::r
-- "${TESTDIR}"
337 setfacl
-d -m other
::r
-- "${TESTDIR}"
338 chmod -R 777 "${TARGET}"
339 $BIN --recursive "${TARGET}"
349 ACTUAL
=$(getfacl --omit-header "${TARGET}"/bar/quux)
353 # The --recursive mode should work recursively. This time
354 # check a directory, and pass the short command-line flag.
356 TARGET
="${TESTDIR}"/foo
358 touch "${TARGET}"/baz
359 mkdir -p "${TARGET}"/bar
360 touch "${TARGET}"/bar
/quux
361 setfacl
-d -m user
::rwx
"${TESTDIR}"
362 setfacl
-d -m group
::r
-- "${TESTDIR}"
363 setfacl
-d -m other
::r
-- "${TESTDIR}"
364 chmod -R 777 "${TARGET}"
378 ACTUAL
=$(getfacl --omit-header "${TARGET}"/bar)
382 # Test double application on a directory.
385 TARGET
="${TESTDIR}"/baz
387 chmod 644 "${TARGET}"
388 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
400 default:user:${USERS[0]}:rwx
408 ACTUAL
=$(getfacl --omit-header "${TARGET}")
412 # Same as previous test, with 755 initial perms.
415 TARGET
="${TESTDIR}"/baz
417 chmod 755 "${TARGET}"
418 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
430 default:user:${USERS[0]}:rwx
438 ACTUAL
=$(getfacl --omit-header "${TARGET}")
442 # Same as previous two tests, only with a file.
445 TARGET
="${TESTDIR}"/foo
447 chmod 644 "${TARGET}"
448 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
455 user:${USERS[0]}:rwx #effective:rw-
462 ACTUAL
=$(getfacl --omit-header "${TARGET}")
466 # User-executable files should not wind up exec-masked.
468 TARGET
="${TESTDIR}"/foo
470 chmod 700 "${TARGET}"
471 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
484 ACTUAL
=$(getfacl --omit-header "${TARGET}")
488 # Group-executable files should not wind up exec-masked.
490 TARGET
="${TESTDIR}"/foo
492 chmod 670 "${TARGET}"
493 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
506 ACTUAL
=$(getfacl --omit-header "${TARGET}")
510 # Other-executable files should not wind up exec-masked.
512 TARGET
="${TESTDIR}"/foo
514 chmod 607 "${TARGET}"
515 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
528 ACTUAL
=$(getfacl --omit-header "${TARGET}")
533 # Test #16's setup repeated with the --no-exec-mask flag.
536 TARGET
="${TESTDIR}"/foo
538 chmod 644 "${TARGET}"
539 # The directory allows execute for user, group, and other, so the file
540 # should actually inherit them regardless of its initial mode when the
541 # --no-exec-mask flag is passed.
542 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
544 $BIN --no-exec-mask "${TARGET}"
555 ACTUAL
=$(getfacl --omit-header "${TARGET}")
560 # Test #20 repeated recursively to make sure the flags play nice
563 PARENT_DIR
="${TESTDIR}"/foo
564 TARGET
="${PARENT_DIR}"/bar
565 mkdir "${PARENT_DIR}"
567 chmod 644 "${TARGET}"
568 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
570 $BIN --recursive --no-exec-mask "${PARENT_DIR}"
581 ACTUAL
=$(getfacl --omit-header "${TARGET}")
585 # Make sure a mask with an execute bit doesn't count as being
589 TARGET
="${TESTDIR}"/foo
591 chmod 644 "${TARGET}"
592 setfacl
-m user
::rw
"${TARGET}"
593 setfacl
-m group
::rw
"${TARGET}"
594 # Even though the mask has an 'x' bit, nobody can execute it.
595 setfacl
-m mask
::rwx
"${TARGET}"
596 setfacl
-d -m user
::rwx
"${TESTDIR}"
597 setfacl
-d -m group
::rwx
"${TESTDIR}"
609 ACTUAL
=$(getfacl --omit-header "${TARGET}")
613 # Same as test #2, except we pass multiple files on the command
614 # line and check the result of the first one.
616 setfacl
-d -m user
::r
-- "${TESTDIR}"
617 setfacl
-d -m group
::r
-- "${TESTDIR}"
618 setfacl
-d -m other
::r
-- "${TESTDIR}"
619 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
620 DUMMY
="${TESTDIR}/dummy"
624 chmod 777 "${TARGET}"
625 $BIN "${TARGET}" "${DUMMY}"
637 ACTUAL
=$(getfacl --omit-header "${TARGET}")
642 # Same as the previous test with the argument order switched.
644 setfacl
-d -m user
::r
-- "${TESTDIR}"
645 setfacl
-d -m group
::r
-- "${TESTDIR}"
646 setfacl
-d -m other
::r
-- "${TESTDIR}"
647 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
648 DUMMY
="${TESTDIR}/dummy"
652 chmod 777 "${TARGET}"
653 $BIN "${DUMMY}" "${TARGET}"
665 ACTUAL
=$(getfacl --omit-header "${TARGET}")
669 # If we call apply-default-acl on a single file that does not exist,
670 # we get the expected error.
672 ACTUAL
=$( "${BIN}" test/nonexistent 2>&1 )
673 EXPECTED
="test/nonexistent: No such file or directory"
676 # Same as the previous test, but with --recursive.
678 ACTUAL
=$( "${BIN}" --recursive test/nonexistent 2>&1 )
679 EXPECTED
="test/nonexistent: No such file or directory"
682 # If we call apply-default-acl on more than one file, it should report any
683 # that don't exist (but proceed to operate on the others).
685 DUMMY1
="${TESTDIR}/dummy1"
686 DUMMY2
="${TESTDIR}/dummy2"
687 touch "${DUMMY1}" "${DUMMY2}"
688 ACTUAL
=$( "${BIN}" "${DUMMY1}" test/nonexistent "${DUMMY2}" 2>&1 )
689 EXPECTED
="test/nonexistent: No such file or directory"
693 # Ensure that symlinks are not followed.
695 TARGET
="${TESTDIR}/foo"
696 LINK2TARGET
="${TESTDIR}/foo-sym"
698 ln -s "${TARGET#${TESTDIR}/}" "${LINK2TARGET}"
699 setfacl
--default --modify user
:${USERS[0]}:rwx
"${TESTDIR}"
700 "${BIN}" "${LINK2TARGET}"
701 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
712 # Ensure that symlinks are not followed in subdirectories
715 TARGET
="${TESTDIR}/bar"
717 mkdir "${TESTDIR}/foo"
718 LINK2TARGET
="${TESTDIR}/foo/bar-sym"
719 ln -s "../bar" "${LINK2TARGET}"
720 setfacl
--default --modify user
:${USERS[0]}:rwx
"${TESTDIR}/foo"
721 "${BIN}" --recursive "${TESTDIR}/foo"
722 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
733 # Ensure that hard links are ignored.
735 TARGET
="${TESTDIR}/foo"
736 LINK2TARGET
="${TESTDIR}/bar"
738 ln "${TARGET}" "${LINK2TARGET}"
739 setfacl
--default --modify user
:${USERS[0]}:rwx
"${TESTDIR}"
740 "${BIN}" "${LINK2TARGET}"
741 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
752 # We should be able to run the tool with a relative path from within a
753 # directory that contains a symlink, so long as the relative path
754 # doesn't contain one.
756 TARGET
="${TESTDIR}/foo/bar"
757 LINK2TARGET
="${TESTDIR}/baz"
758 mkdir -p $(dirname "${TARGET}")
760 ln -s foo
"${TESTDIR}/baz"
761 setfacl
--default --modify user
:${USERS[0]}:rw
$(dirname "${TARGET}")
762 pushd "${TESTDIR}/baz" > /dev
/null
765 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
778 # Ensure that symlinks in non-terminal path components are not followed.
780 TARGET
="${TESTDIR}/foo/bar/baz"
781 LINK2FOO
="${TESTDIR}/quux"
782 mkdir -p $(dirname "${TARGET}")
784 ln -s foo
"${LINK2FOO}"
785 setfacl
--default --modify user
:${USERS[0]}:rw
$(dirname "${TARGET}")
786 "${BIN}" "${LINK2FOO}/bar/baz"
787 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
798 # Test that our exit code succeeds on a single, normal path.
800 TARGET
="${TESTDIR}/foo"
802 setfacl
--default --modify user
:${USERS[0]}:rw
"${TESTDIR}"
809 # Test that our exit code fails on a symlink.
811 TARGET
="${TESTDIR}/bar"
812 touch "${TESTDIR}/foo"
813 ln -s foo
"${TARGET}"
814 setfacl
--default --modify user
:${USERS[0]}:rw
"${TESTDIR}"
821 # The previous test should "succeed" if we use --recursive. This is
822 # buggy, but it's documented.
824 TARGET
="${TESTDIR}/bar"
825 touch "${TESTDIR}/foo"
826 ln -s foo
"${TARGET}"
827 setfacl
--default --modify user
:${USERS[0]}:rw
"${TESTDIR}"
828 "${BIN}" --recursive "${TARGET}"
834 # Test the return value for nonexistent paths.
836 TARGET
="${TESTDIR}/foo"
837 "${BIN}" "${TARGET}" &>/dev
/null
843 # Test that one "failure" exit code overrides two "successes"
844 # We need a default ACL on ${TESTDIR} because otherwise we do
845 # nothing, successfully, on the symlink path.
847 mkdir "${TESTDIR}/foo"
848 ln -s foo
"${TESTDIR}/bar"
849 mkdir "${TESTDIR}/baz"
850 setfacl
--default --modify user
:${USERS[0]}:rw
"${TESTDIR}"
851 "${BIN}" "${TESTDIR}/foo" "${TESTDIR}/bar" "${TESTDIR}/baz"
857 # And test the buggy behavior again; the previous test should return
858 # success (ignoring the failure) when --recursive is used.
860 mkdir "${TESTDIR}/foo"
861 ln -s foo
"${TESTDIR}/bar"
862 mkdir "${TESTDIR}/baz"
863 "${BIN}" --recursive "${TESTDIR}"