run-tests.sh

   1 #!/bin/bash
   2
   3 #
   4 # Exit codes
   5 #
   6
   7 # Exit with this when a test fails.
   8 EXIT_FAILURE=1
   9
  10 # We use a few system users in the tests. If these users aren't
  11 # present, we exit with a different (non-EXIT_FAILURE).
  12 EXIT_MISSING_USERS=2
  13
  14 # Define the users that we'll use in the tests below. We store the
  15 # names as variables to avoid repeating them everywhere.
  16 #
  17 # WARNING: These must be in alphabetical order; otherwise the getfacl
  18 # output will not match.
  19 #
  20 USERS=( bin daemon )
  21
  22 # Check to see if the above users exist. If not, bail.
  23 for idx in $( seq 0 $((${#USERS[@]} - 1)) ); do
  24     id ${USERS[idx]} >/dev/null 2>&1 || exit $EXIT_MISSING_USERS
  25 done
  26
  27 # The program name.
  28 BIN=src/apply-default-acl
  29
  30 # The directory where we'll do all the ACL manipulation.
  31 TESTDIR=test
  32
  33 acl_reset() {
  34     # Remove any ACLs on our test directory and remove its contents.
  35     setfacl --remove-all --recursive "${TESTDIR}"
  36     chmod 755 "${TESTDIR}"
  37     rm -rf "${TESTDIR}"/*
  38 }
  39
  40 compare() {
  41     if [[ "${ACTUAL}" == "${EXPECTED}" ]]; then
  42         echo "Success (#${TESTNUM})"
  43         acl_reset
  44     else
  45         echo "Failure (#${TESTNUM})"
  46         echo 'Expected result:'
  47         echo '================'
  48         echo "${EXPECTED}"
  49         echo '================'
  50         echo 'Actual result:'
  51         echo '================'
  52         echo "${ACTUAL}"
  53         echo '================'
  54         exit $EXIT_FAILURE
  55     fi
  56 }
  57
  58 # Start by removing and recreating the 'acl' directory.
  59 rm -rf "${TESTDIR}"
  60 mkdir "${TESTDIR}"
  61
  62
  63 # When using a minimal ACL, the default user, group, and other
  64 # permissions should all be propagated to the mode bits.
  65 TESTNUM=1
  66 TARGET="${TESTDIR}"/foo
  67 touch "${TARGET}"
  68 chmod 777 "${TARGET}"
  69 setfacl -d -m user::r--  "${TESTDIR}"
  70 setfacl -d -m group::r-- "${TESTDIR}"
  71 setfacl -d -m other::r-- "${TESTDIR}"
  72 $BIN "${TARGET}"
  73
  74 EXPECTED=$(cat <<EOF
  75 user::r--
  76 group::r--
  77 other::r--
  78
  79 EOF
  80 )
  81
  82 ACTUAL=`getfacl --omit-header "${TARGET}"`
  83 compare
  84
  85 # Do the same thing as the last test, except with an extended ACL.
  86 TESTNUM=2
  87 setfacl -d -m user::r--     "${TESTDIR}"
  88 setfacl -d -m group::r--    "${TESTDIR}"
  89 setfacl -d -m other::r--    "${TESTDIR}"
  90 setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
  91 touch "${TARGET}"
  92 chmod 777 "${TARGET}"
  93 $BIN "${TARGET}"
  94
  95 EXPECTED=$(cat <<EOF
  96 user::r--
  97 user:${USERS[0]}:rwx
  98 group::r--
  99 mask::rwx
 100 other::r--
 101
 102 EOF
 103 )
 104
 105 ACTUAL=`getfacl --omit-header "${TARGET}"`
 106 compare
 107
 108
 109 # A file shared by a group, should still be group-writable
 110 # afterwards.
 111 TESTNUM=3
 112 touch "${TARGET}"
 113 chmod 644 "${TARGET}"
 114 setfacl -d -m group:${USERS[0]}:rwx "${TESTDIR}"
 115 $BIN "${TARGET}"
 116
 117 EXPECTED=$(cat <<EOF
 118 user::rw-
 119 group::r--
 120 group:${USERS[0]}:rwx   #effective:rw-
 121 mask::rw-
 122 other::r--
 123
 124 EOF
 125 )
 126
 127 ACTUAL=`getfacl --omit-header "${TARGET}"`
 128 compare
 129
 130
 131 # Same test as before except with a directory.
 132 TESTNUM=4
 133 setfacl -d -m group:${USERS[0]}:rwx "${TESTDIR}"
 134 mkdir "${TARGET}"
 135 chmod 755 "${TARGET}"
 136 $BIN "${TARGET}"
 137
 138 EXPECTED=$(cat <<EOF
 139 user::rwx
 140 group::r-x
 141 group:${USERS[0]}:rwx
 142 mask::rwx
 143 other::r-x
 144 default:user::rwx
 145 default:group::r-x
 146 default:group:${USERS[0]}:rwx
 147 default:mask::rwx
 148 default:other::r-x
 149
 150 EOF
 151 )
 152
 153 ACTUAL=`getfacl --omit-header "${TARGET}"`
 154 compare
 155
 156
 157 # With no default, things are left alone.
 158 TESTNUM=5
 159 touch "${TARGET}"
 160 chmod 744 "${TARGET}"
 161 $BIN "${TARGET}"
 162
 163
 164 EXPECTED=$(cat <<EOF
 165 user::rwx
 166 group::r--
 167 other::r--
 168
 169 EOF
 170 )
 171
 172 ACTUAL=`getfacl --omit-header "${TARGET}"`
 173 compare
 174
 175
 176
 177 # Since the default ACL will grant r-x to group/other, they will wind
 178 # up with it.
 179 TESTNUM=6
 180 touch "${TARGET}"
 181 chmod 744 "${TARGET}"
 182 setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
 183 $BIN "${TARGET}"
 184
 185
 186 EXPECTED=$(cat <<EOF
 187 user::rwx
 188 user:${USERS[0]}:rwx
 189 group::r-x
 190 mask::rwx
 191 other::r-x
 192
 193 EOF
 194 )
 195
 196 ACTUAL=`getfacl --omit-header "${TARGET}"`
 197 compare
 198
 199
 200 # Some named entries can be granted execute permissions as the result
 201 # of reapplication.
 202 TESTNUM=7
 203 touch "${TARGET}"
 204 chmod 744 "${TARGET}"
 205 setfacl -m user:${USERS[1]}:rw "${TARGET}"
 206 # If we don't add 'x' to the mask here, nobody can execute the file.
 207 # setfacl will update the mask for us under most circumstances, but
 208 # note that we didn't create an entry with an 'x' bit using setfacl --
 209 # therefore, setfacl won't unmask 'x' for us.
 210 setfacl -m mask::rwx "${TARGET}"
 211 setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
 212 setfacl -d -m user:${USERS[1]}:rwx "${TESTDIR}"
 213 $BIN "${TARGET}"
 214
 215
 216 EXPECTED=$(cat <<EOF
 217 user::rwx
 218 user:${USERS[0]}:rwx
 219 user:${USERS[1]}:rwx
 220 group::r-x
 221 mask::rwx
 222 other::r-x
 223
 224 EOF
 225 )
 226
 227 ACTUAL=`getfacl --omit-header "${TARGET}"`
 228 compare
 229
 230
 231 # We should not retain any entries that aren't in the default.
 232 TESTNUM=8
 233 touch "${TARGET}"
 234 chmod 644 "${TARGET}"
 235 setfacl -m user:${USERS[1]}:rw "${TARGET}"
 236 setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
 237 $BIN "${TARGET}"
 238
 239
 240 EXPECTED=$(cat <<EOF
 241 user::rw-
 242 user:${USERS[0]}:rwx    #effective:rw-
 243 group::r--
 244 mask::rw-
 245 other::r--
 246
 247 EOF
 248 )
 249
 250 ACTUAL=`getfacl --omit-header "${TARGET}"`
 251 compare
 252
 253
 254 # A slightly modified test #1 to make sure it works right.
 255 TESTNUM=9
 256 TARGET="${TESTDIR}"/foo
 257 touch "${TARGET}"
 258 chmod 777 "${TARGET}"
 259 setfacl -d -m user::r--  "${TESTDIR}"
 260 $BIN "${TARGET}"
 261
 262 EXPECTED=$(cat <<EOF
 263 user::r--
 264 group::r-x
 265 other::r-x
 266
 267 EOF
 268 )
 269
 270 ACTUAL=`getfacl --omit-header "${TARGET}"`
 271 compare
 272
 273
 274 # If the default ACL mask denies execute, we should respect that
 275 # regardless of the existing execute permissions.
 276 TESTNUM=10
 277 TARGET="${TESTDIR}"/foo
 278 touch "${TARGET}"
 279 chmod 777 "${TARGET}"
 280 setfacl -m user:${USERS[0]}:rwx "${TESTDIR}"
 281 setfacl -d -m user:${USERS[0]}:rwx  "${TESTDIR}"
 282 setfacl -d -m mask::rw-  "${TESTDIR}"
 283 $BIN "${TARGET}"
 284
 285 EXPECTED=$(cat <<EOF
 286 user::rwx
 287 user:${USERS[0]}:rwx    #effective:rw-
 288 group::r-x      #effective:r--
 289 mask::rw-
 290 other::r-x
 291
 292 EOF
 293 )
 294
 295 ACTUAL=`getfacl --omit-header "${TARGET}"`
 296 compare
 297
 298
 299
 300 # The --recursive mode should work normally if the argument is a
 301 # normal file. See Test #1.
 302 TESTNUM=11
 303 TARGET="${TESTDIR}"/foo
 304 setfacl -d -m user::r--  "${TESTDIR}"
 305 setfacl -d -m group::r-- "${TESTDIR}"
 306 setfacl -d -m other::r-- "${TESTDIR}"
 307 touch "${TARGET}"
 308 chmod 777 "${TARGET}"
 309 $BIN --recursive "${TARGET}"
 310
 311 EXPECTED=$(cat <<EOF
 312 user::r--
 313 group::r--
 314 other::r--
 315
 316 EOF
 317 )
 318
 319 ACTUAL=`getfacl --omit-header "${TARGET}"`
 320 compare
 321
 322
 323 # The --recursive mode should work recursively.
 324 TESTNUM=12
 325 TARGET="${TESTDIR}"/foo
 326 mkdir -p "${TARGET}"
 327 touch "${TARGET}"/baz
 328 mkdir -p "${TARGET}"/bar
 329 touch "${TARGET}"/bar/quux
 330 setfacl -d -m user::rwx  "${TESTDIR}"
 331 setfacl -d -m group::r-- "${TESTDIR}"
 332 setfacl -d -m other::r-- "${TESTDIR}"
 333 chmod -R 777 "${TARGET}"
 334 $BIN --recursive "${TARGET}"
 335
 336 EXPECTED=$(cat <<EOF
 337 user::rwx
 338 group::r--
 339 other::r--
 340
 341 EOF
 342 )
 343
 344 ACTUAL=`getfacl --omit-header "${TARGET}"/bar/quux`
 345 compare
 346
 347
 348 # The --recursive mode should work recursively. This time
 349 # check a directory, and pass the short command-line flag.
 350 TESTNUM=13
 351 TARGET="${TESTDIR}"/foo
 352 mkdir -p "${TARGET}"
 353 touch "${TARGET}"/baz
 354 mkdir -p "${TARGET}"/bar
 355 touch "${TARGET}"/bar/quux
 356 setfacl -d -m user::rwx  "${TESTDIR}"
 357 setfacl -d -m group::r-- "${TESTDIR}"
 358 setfacl -d -m other::r-- "${TESTDIR}"
 359 chmod -R 777 "${TARGET}"
 360 $BIN -r "${TARGET}"
 361
 362 EXPECTED=$(cat <<EOF
 363 user::rwx
 364 group::r--
 365 other::r--
 366 default:user::rwx
 367 default:group::r--
 368 default:other::r--
 369
 370 EOF
 371 )
 372
 373 ACTUAL=`getfacl --omit-header "${TARGET}"/bar`
 374 compare
 375
 376
 377 # Test double application on a directory.
 378 #
 379 TESTNUM=14
 380 TARGET="${TESTDIR}"/baz
 381 mkdir "${TARGET}"
 382 chmod 644 "${TARGET}"
 383 setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
 384
 385 $BIN "${TARGET}"
 386 $BIN "${TARGET}"
 387
 388 EXPECTED=$(cat <<EOF
 389 user::rwx
 390 user:${USERS[0]}:rwx
 391 group::r-x
 392 mask::rwx
 393 other::r-x
 394 default:user::rwx
 395 default:user:${USERS[0]}:rwx
 396 default:group::r-x
 397 default:mask::rwx
 398 default:other::r-x
 399
 400 EOF
 401 )
 402
 403 ACTUAL=`getfacl --omit-header "${TARGET}"`
 404 compare
 405
 406
 407 # Same as previous test, with 755 initial perms.
 408 #
 409 TESTNUM=15
 410 TARGET="${TESTDIR}"/baz
 411 mkdir "${TARGET}"
 412 chmod 755 "${TARGET}"
 413 setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
 414
 415 $BIN "${TARGET}"
 416 $BIN "${TARGET}"
 417
 418 EXPECTED=$(cat <<EOF
 419 user::rwx
 420 user:${USERS[0]}:rwx
 421 group::r-x
 422 mask::rwx
 423 other::r-x
 424 default:user::rwx
 425 default:user:${USERS[0]}:rwx
 426 default:group::r-x
 427 default:mask::rwx
 428 default:other::r-x
 429
 430 EOF
 431 )
 432
 433 ACTUAL=`getfacl --omit-header "${TARGET}"`
 434 compare
 435
 436
 437 # Same as previous two tests, only with a file.
 438 #
 439 TESTNUM=16
 440 TARGET="${TESTDIR}"/foo
 441 touch "${TARGET}"
 442 chmod 644 "${TARGET}"
 443 setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
 444
 445 $BIN "${TARGET}"
 446 $BIN "${TARGET}"
 447
 448 EXPECTED=$(cat <<EOF
 449 user::rw-
 450 user:${USERS[0]}:rwx    #effective:rw-
 451 group::r--
 452 mask::rw-
 453 other::r--
 454 EOF
 455 )
 456
 457 ACTUAL=`getfacl --omit-header "${TARGET}"`
 458 compare
 459
 460
 461 # User-executable files should not wind up exec-masked.
 462 TESTNUM=17
 463 TARGET="${TESTDIR}"/foo
 464 touch "${TARGET}"
 465 chmod 700 "${TARGET}"
 466 setfacl -d -m user:${USERS[0]}:rwx  "${TESTDIR}"
 467 $BIN "${TARGET}"
 468
 469 EXPECTED=$(cat <<EOF
 470 user::rwx
 471 user:${USERS[0]}:rwx
 472 group::r-x
 473 mask::rwx
 474 other::r-x
 475
 476 EOF
 477 )
 478
 479 ACTUAL=`getfacl --omit-header "${TARGET}"`
 480 compare
 481
 482
 483 # Group-executable files should not wind up exec-masked.
 484 TESTNUM=18
 485 TARGET="${TESTDIR}"/foo
 486 touch "${TARGET}"
 487 chmod 670 "${TARGET}"
 488 setfacl -d -m user:${USERS[0]}:rwx  "${TESTDIR}"
 489 $BIN "${TARGET}"
 490
 491 EXPECTED=$(cat <<EOF
 492 user::rwx
 493 user:${USERS[0]}:rwx
 494 group::r-x
 495 mask::rwx
 496 other::r-x
 497
 498 EOF
 499 )
 500
 501 ACTUAL=`getfacl --omit-header "${TARGET}"`
 502 compare
 503
 504
 505 # Other-executable files should not wind up exec-masked.
 506 TESTNUM=19
 507 TARGET="${TESTDIR}"/foo
 508 touch "${TARGET}"
 509 chmod 607 "${TARGET}"
 510 setfacl -d -m user:${USERS[0]}:rwx  "${TESTDIR}"
 511 $BIN "${TARGET}"
 512
 513 EXPECTED=$(cat <<EOF
 514 user::rwx
 515 user:${USERS[0]}:rwx
 516 group::r-x
 517 mask::rwx
 518 other::r-x
 519
 520 EOF
 521 )
 522
 523 ACTUAL=`getfacl --omit-header "${TARGET}"`
 524 compare
 525
 526
 527
 528 # Test #16's setup repeated with the --no-exec-mask flag.
 529 #
 530 TESTNUM=20
 531 TARGET="${TESTDIR}"/foo
 532 touch "${TARGET}"
 533 chmod 644 "${TARGET}"
 534 # The directory allows execute for user, group, and other, so the file
 535 # should actually inherit them regardless of its initial mode when the
 536 # --no-exec-mask flag is passed.
 537 setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
 538
 539 $BIN --no-exec-mask "${TARGET}"
 540
 541 EXPECTED=$(cat <<EOF
 542 user::rwx
 543 user:${USERS[0]}:rwx
 544 group::r-x
 545 mask::rwx
 546 other::r-x
 547 EOF
 548 )
 549
 550 ACTUAL=`getfacl --omit-header "${TARGET}"`
 551 compare
 552
 553
 554
 555 # Test #20 repeated recursively to make sure the flags play nice
 556 # together.
 557 TESTNUM=21
 558 PARENT_DIR="${TESTDIR}"/foo
 559 TARGET="${PARENT_DIR}"/bar
 560 mkdir "${PARENT_DIR}"
 561 touch "${TARGET}"
 562 chmod 644 "${TARGET}"
 563 setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
 564
 565 $BIN --recursive --no-exec-mask "${PARENT_DIR}"
 566
 567 EXPECTED=$(cat <<EOF
 568 user::rwx
 569 user:${USERS[0]}:rwx
 570 group::r-x
 571 mask::rwx
 572 other::r-x
 573 EOF
 574 )
 575
 576 ACTUAL=`getfacl --omit-header "${TARGET}"`
 577 compare
 578