]> gitweb.michael.orlitzky.com - apply-default-acl.git/blob - run-tests.sh
projects / apply-default-acl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Use (bin,daemon) users instead of (mail,news).
[apply-default-acl.git] / run-tests.sh
1 #!/bin/bash
2
3 # The program name.
4 BIN=./src/apply-default-acl
5
6 # The directory where we'll do all the ACL manipulation.
7 TESTDIR=test
8
9 acl_reset() {
10 # Remove any ACLs on our test directory and remove its contents.
11 setfacl --remove-all --recursive "${TESTDIR}"
12 chmod 755 "${TESTDIR}"
13 rm -rf "${TESTDIR}"/*
14 }
15
16 compare() {
17 if [[ "${ACTUAL}" == "${EXPECTED}" ]]; then
18 echo "Success (#${TESTNUM})"
19 acl_reset
20 else
21 echo "Failure (#${TESTNUM})"
22 echo 'Expected result:'
23 echo '================'
24 echo "${EXPECTED}"
25 echo '================'
26 echo 'Actual result:'
27 echo '================'
28 echo "${ACTUAL}"
29 echo '================'
30 exit 1
31 fi
32 }
33
34 # Start by removing and recreating the 'acl' directory.
35 rm -rf "${TESTDIR}"
36 mkdir "${TESTDIR}"
37
38
39 # When using a minimal ACL, the default user, group, and other
40 # permissions should all be propagated to the mode bits.
41 TESTNUM=1
42 TARGET="${TESTDIR}"/foo
43 touch "${TARGET}"
44 chmod 777 "${TARGET}"
45 setfacl -d -m user::r-- "${TESTDIR}"
46 setfacl -d -m group::r-- "${TESTDIR}"
47 setfacl -d -m other::r-- "${TESTDIR}"
48 $BIN "${TARGET}"
49
50 EXPECTED=$(cat <<EOF
51 user::r--
52 group::r--
53 other::r--
54
55 EOF
56 )
57
58 ACTUAL=`getfacl --omit-header "${TARGET}"`
59 compare
60
61 # Do the same thing as the last test, except with an extended ACL.
62 TESTNUM=2
63 setfacl -d -m user::r-- "${TESTDIR}"
64 setfacl -d -m group::r-- "${TESTDIR}"
65 setfacl -d -m other::r-- "${TESTDIR}"
66 setfacl -d -m user:bin:rwx "${TESTDIR}"
67 touch "${TARGET}"
68 chmod 777 "${TARGET}"
69 $BIN "${TARGET}"
70
71 EXPECTED=$(cat <<EOF
72 user::r--
73 user:bin:rwx
74 group::r--
75 mask::rwx
76 other::r--
77
78 EOF
79 )
80
81 ACTUAL=`getfacl --omit-header "${TARGET}"`
82 compare
83
84
85 # A file shared by a group, should still be group-writable
86 # afterwards.
87 TESTNUM=3
88 touch "${TARGET}"
89 chmod 644 "${TARGET}"
90 setfacl -d -m group:bin:rwx "${TESTDIR}"
91 $BIN "${TARGET}"
92
93 EXPECTED=$(cat <<EOF
94 user::rw-
95 group::r--
96 group:bin:rwx #effective:rw-
97 mask::rw-
98 other::r--
99
100 EOF
101 )
102
103 ACTUAL=`getfacl --omit-header "${TARGET}"`
104 compare
105
106
107 # Same test as before except with a directory.
108 TESTNUM=4
109 setfacl -d -m group:bin:rwx "${TESTDIR}"
110 mkdir "${TARGET}"
111 chmod 755 "${TARGET}"
112 $BIN "${TARGET}"
113
114 EXPECTED=$(cat <<EOF
115 user::rwx
116 group::r-x
117 group:bin:rwx
118 mask::rwx
119 other::r-x
120 default:user::rwx
121 default:group::r-x
122 default:group:bin:rwx
123 default:mask::rwx
124 default:other::r-x
125
126 EOF
127 )
128
129 ACTUAL=`getfacl --omit-header "${TARGET}"`
130 compare
131
132
133 # With no default, things are left alone.
134 TESTNUM=5
135 touch "${TARGET}"
136 chmod 744 "${TARGET}"
137 $BIN "${TARGET}"
138
139
140 EXPECTED=$(cat <<EOF
141 user::rwx
142 group::r--
143 other::r--
144
145 EOF
146 )
147
148 ACTUAL=`getfacl --omit-header "${TARGET}"`
149 compare
150
151
152
153 # Since the default ACL will grant r-x to group/other, they will wind
154 # up with it.
155 TESTNUM=6
156 touch "${TARGET}"
157 chmod 744 "${TARGET}"
158 setfacl -d -m user:bin:rwx "${TESTDIR}"
159 $BIN "${TARGET}"
160
161
162 EXPECTED=$(cat <<EOF
163 user::rwx
164 user:bin:rwx
165 group::r-x
166 mask::rwx
167 other::r-x
168
169 EOF
170 )
171
172 ACTUAL=`getfacl --omit-header "${TARGET}"`
173 compare
174
175
176 # Some named entries can be granted execute permissions as the result
177 # of reapplication.
178 TESTNUM=7
179 touch "${TARGET}"
180 chmod 744 "${TARGET}"
181 setfacl -m user:daemon:rw "${TARGET}"
182 # If we don't add 'x' to the mask here, nobody can execute the file.
183 # setfacl will update the mask for us under most circumstances, but
184 # note that we didn't create an entry with an 'x' bit using setfacl --
185 # therefore, setfacl won't unmask 'x' for us.
186 setfacl -m mask::rwx "${TARGET}"
187 setfacl -d -m user:bin:rwx "${TESTDIR}"
188 setfacl -d -m user:daemon:rwx "${TESTDIR}"
189 $BIN "${TARGET}"
190
191
192 EXPECTED=$(cat <<EOF
193 user::rwx
194 user:bin:rwx
195 user:daemon:rwx
196 group::r-x
197 mask::rwx
198 other::r-x
199
200 EOF
201 )
202
203 ACTUAL=`getfacl --omit-header "${TARGET}"`
204 compare
205
206
207 # We should not retain any entries that aren't in the default.
208 TESTNUM=8
209 touch "${TARGET}"
210 chmod 644 "${TARGET}"
211 setfacl -m user:daemon:rw "${TARGET}"
212 setfacl -d -m user:bin:rwx "${TESTDIR}"
213 $BIN "${TARGET}"
214
215
216 EXPECTED=$(cat <<EOF
217 user::rw-
218 user:bin:rwx #effective:rw-
219 group::r--
220 mask::rw-
221 other::r--
222
223 EOF
224 )
225
226 ACTUAL=`getfacl --omit-header "${TARGET}"`
227 compare
228
229
230 # A slightly modified test #1 to make sure it works right.
231 TESTNUM=9
232 TARGET="${TESTDIR}"/foo
233 touch "${TARGET}"
234 chmod 777 "${TARGET}"
235 setfacl -d -m user::r-- "${TESTDIR}"
236 $BIN "${TARGET}"
237
238 EXPECTED=$(cat <<EOF
239 user::r--
240 group::r-x
241 other::r-x
242
243 EOF
244 )
245
246 ACTUAL=`getfacl --omit-header "${TARGET}"`
247 compare
248
249
250 # If the default ACL mask denies execute, we should respect that
251 # regardless of the existing execute permissions.
252 TESTNUM=10
253 TARGET="${TESTDIR}"/foo
254 touch "${TARGET}"
255 chmod 777 "${TARGET}"
256 setfacl -m user:bin:rwx "${TESTDIR}"
257 setfacl -d -m user:bin:rwx "${TESTDIR}"
258 setfacl -d -m mask::rw- "${TESTDIR}"
259 $BIN "${TARGET}"
260
261 EXPECTED=$(cat <<EOF
262 user::rwx
263 user:bin:rwx #effective:rw-
264 group::r-x #effective:r--
265 mask::rw-
266 other::r-x
267
268 EOF
269 )
270
271 ACTUAL=`getfacl --omit-header "${TARGET}"`
272 compare
273
274
275
276 # The --recursive mode should work normally if the argument is a
277 # normal file. See Test #1.
278 TESTNUM=11
279 TARGET="${TESTDIR}"/foo
280 setfacl -d -m user::r-- "${TESTDIR}"
281 setfacl -d -m group::r-- "${TESTDIR}"
282 setfacl -d -m other::r-- "${TESTDIR}"
283 touch "${TARGET}"
284 chmod 777 "${TARGET}"
285 $BIN --recursive "${TARGET}"
286
287 EXPECTED=$(cat <<EOF
288 user::r--
289 group::r--
290 other::r--
291
292 EOF
293 )
294
295 ACTUAL=`getfacl --omit-header "${TARGET}"`
296 compare
297
298
299 # The --recursive mode should work recursively.
300 TESTNUM=12
301 TARGET="${TESTDIR}"/foo
302 mkdir -p "${TARGET}"
303 touch "${TARGET}"/baz
304 mkdir -p "${TARGET}"/bar
305 touch "${TARGET}"/bar/quux
306 setfacl -d -m user::rwx "${TESTDIR}"
307 setfacl -d -m group::r-- "${TESTDIR}"
308 setfacl -d -m other::r-- "${TESTDIR}"
309 chmod -R 777 "${TARGET}"
310 $BIN --recursive "${TARGET}"
311
312 EXPECTED=$(cat <<EOF
313 user::rwx
314 group::r--
315 other::r--
316
317 EOF
318 )
319
320 ACTUAL=`getfacl --omit-header "${TARGET}"/bar/quux`
321 compare
322
323
324 # The --recursive mode should work recursively. This time
325 # check a directory, and pass the short command-line flag.
326 TESTNUM=13
327 TARGET="${TESTDIR}"/foo
328 mkdir -p "${TARGET}"
329 touch "${TARGET}"/baz
330 mkdir -p "${TARGET}"/bar
331 touch "${TARGET}"/bar/quux
332 setfacl -d -m user::rwx "${TESTDIR}"
333 setfacl -d -m group::r-- "${TESTDIR}"
334 setfacl -d -m other::r-- "${TESTDIR}"
335 chmod -R 777 "${TARGET}"
336 $BIN -r "${TARGET}"
337
338 EXPECTED=$(cat <<EOF
339 user::rwx
340 group::r--
341 other::r--
342 default:user::rwx
343 default:group::r--
344 default:other::r--
345
346 EOF
347 )
348
349 ACTUAL=`getfacl --omit-header "${TARGET}"/bar`
350 compare
351
352
353 # Test double application on a directory.
354 #
355 TESTNUM=14
356 TARGET="${TESTDIR}"/baz
357 mkdir "${TARGET}"
358 chmod 644 "${TARGET}"
359 setfacl -d -m user:bin:rwx "${TESTDIR}"
360
361 $BIN "${TARGET}"
362 $BIN "${TARGET}"
363
364 EXPECTED=$(cat <<EOF
365 user::rwx
366 user:bin:rwx
367 group::r-x
368 mask::rwx
369 other::r-x
370 default:user::rwx
371 default:user:bin:rwx
372 default:group::r-x
373 default:mask::rwx
374 default:other::r-x
375
376 EOF
377 )
378
379 ACTUAL=`getfacl --omit-header "${TARGET}"`
380 compare
381
382
383 # Same as previous test, with 755 initial perms.
384 #
385 TESTNUM=15
386 TARGET="${TESTDIR}"/baz
387 mkdir "${TARGET}"
388 chmod 755 "${TARGET}"
389 setfacl -d -m user:bin:rwx "${TESTDIR}"
390
391 $BIN "${TARGET}"
392 $BIN "${TARGET}"
393
394 EXPECTED=$(cat <<EOF
395 user::rwx
396 user:bin:rwx
397 group::r-x
398 mask::rwx
399 other::r-x
400 default:user::rwx
401 default:user:bin:rwx
402 default:group::r-x
403 default:mask::rwx
404 default:other::r-x
405
406 EOF
407 )
408
409 ACTUAL=`getfacl --omit-header "${TARGET}"`
410 compare
411
412
413 # Same as previous two tests, only with a file.
414 #
415 TESTNUM=16
416 TARGET="${TESTDIR}"/foo
417 touch "${TARGET}"
418 chmod 644 "${TARGET}"
419 setfacl -d -m user:bin:rwx "${TESTDIR}"
420
421 $BIN "${TARGET}"
422 $BIN "${TARGET}"
423
424 EXPECTED=$(cat <<EOF
425 user::rw-
426 user:bin:rwx #effective:rw-
427 group::r--
428 mask::rw-
429 other::r--
430 EOF
431 )
432
433 ACTUAL=`getfacl --omit-header "${TARGET}"`
434 compare
435
436
437 # User-executable files should not wind up exec-masked.
438 TESTNUM=17
439 TARGET="${TESTDIR}"/foo
440 touch "${TARGET}"
441 chmod 700 "${TARGET}"
442 setfacl -d -m user:bin:rwx "${TESTDIR}"
443 $BIN "${TARGET}"
444
445 EXPECTED=$(cat <<EOF
446 user::rwx
447 user:bin:rwx
448 group::r-x
449 mask::rwx
450 other::r-x
451
452 EOF
453 )
454
455 ACTUAL=`getfacl --omit-header "${TARGET}"`
456 compare
457
458
459 # Group-executable files should not wind up exec-masked.
460 TESTNUM=18
461 TARGET="${TESTDIR}"/foo
462 touch "${TARGET}"
463 chmod 670 "${TARGET}"
464 setfacl -d -m user:bin:rwx "${TESTDIR}"
465 $BIN "${TARGET}"
466
467 EXPECTED=$(cat <<EOF
468 user::rwx
469 user:bin:rwx
470 group::r-x
471 mask::rwx
472 other::r-x
473
474 EOF
475 )
476
477 ACTUAL=`getfacl --omit-header "${TARGET}"`
478 compare
479
480
481 # Other-executable files should not wind up exec-masked.
482 TESTNUM=19
483 TARGET="${TESTDIR}"/foo
484 touch "${TARGET}"
485 chmod 607 "${TARGET}"
486 setfacl -d -m user:bin:rwx "${TESTDIR}"
487 $BIN "${TARGET}"
488
489 EXPECTED=$(cat <<EOF
490 user::rwx
491 user:bin:rwx
492 group::r-x
493 mask::rwx
494 other::r-x
495
496 EOF
497 )
498
499 ACTUAL=`getfacl --omit-header "${TARGET}"`
500 compare
501
502
503
504 # Test #16's setup repeated with the --no-exec-mask flag.
505 #
506 TESTNUM=20
507 TARGET="${TESTDIR}"/foo
508 touch "${TARGET}"
509 chmod 644 "${TARGET}"
510 # The directory allows execute for user, group, and other, so the file
511 # should actually inherit them regardless of its initial mode when the
512 # --no-exec-mask flag is passed.
513 setfacl -d -m user:bin:rwx "${TESTDIR}"
514
515 $BIN --no-exec-mask "${TARGET}"
516
517 EXPECTED=$(cat <<EOF
518 user::rwx
519 user:bin:rwx
520 group::r-x
521 mask::rwx
522 other::r-x
523 EOF
524 )
525
526 ACTUAL=`getfacl --omit-header "${TARGET}"`
527 compare
528
529
530
531 # Test #20 repeated recursively to make sure the flags play nice
532 # together.
533 TESTNUM=21
534 PARENT_DIR="${TESTDIR}"/foo
535 TARGET="${PARENT_DIR}"/bar
536 mkdir "${PARENT_DIR}"
537 touch "${TARGET}"
538 chmod 644 "${TARGET}"
539 setfacl -d -m user:bin:rwx "${TESTDIR}"
540
541 $BIN --recursive --no-exec-mask "${PARENT_DIR}"
542
543 EXPECTED=$(cat <<EOF
544 user::rwx
545 user:bin:rwx
546 group::r-x
547 mask::rwx
548 other::r-x
549 EOF
550 )
551
552 ACTUAL=`getfacl --omit-header "${TARGET}"`
553 compare
554
Applies default POSIX ACLs to files and directories.