Michał Bartoszkiewicz just reported a very bad bug in the latest
release. When multiple named-user and named-group entries exist, the
later entries clobber earlier ones in the list. So if there are two
default ACL entries on a parent directory for group:bar and group:foo,
then apply-default-acl will create two entries on a child but both
wind up with the permissions of the group:foo entry. The full test
case he provided is as follows:
$ getfacl -n .
# file: .
# owner: 1000
# group: 1000
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:1:---
default:group:2:rw-
default:mask::rwx
default:other::r-x
$ touch foo
$ getfacl -n foo
# file: foo
# owner: 1000
# group: 1000
user::rw-
group::r-x #effective:r--
group:1:---
group:2:rw-
mask::rw-
other::r--
$ apply-default-acl foo
$ getfacl -n foo
# file: foo
# owner: 1000
# group: 1000
user::rw-
group::r--
group:1:rw-
group:2:rw-
mask::rw-
other::r--
This commit adds a new regression test that creates multiple default
named-user and named-group entries at once (with different
permissions!) and checks that they get applied correctly.
# present, we exit with a different (non-EXIT_FAILURE).
EXIT_MISSING_USERS=2
# present, we exit with a different (non-EXIT_FAILURE).
EXIT_MISSING_USERS=2
-# Define the users that we'll use in the tests below. We store the
-# names as variables to avoid repeating them everywhere.
+# Define the users and groups that we'll use in the tests below. We
+# store the names as variables to avoid repeating them everywhere.
+# Since GROUPS is already part of everyone's environment, we need
+# a different name.
#
# WARNING: These must be in alphabetical order; otherwise the getfacl
# output will not match.
#
USERS=( bin daemon )
#
# WARNING: These must be in alphabetical order; otherwise the getfacl
# output will not match.
#
USERS=( bin daemon )
+TESTGROUPS=( bin daemon )
# Check to see if the above users exist. If not, bail.
for idx in $( seq 0 $((${#USERS[@]} - 1)) ); do
# Check to see if the above users exist. If not, bail.
for idx in $( seq 0 $((${#USERS[@]} - 1)) ); do
ACTUAL=$( getfacl --omit-header "../" )
popd > /dev/null
compare
ACTUAL=$( getfacl --omit-header "../" )
popd > /dev/null
compare
+
+
+# Ensure that multiple named-user and named-group entries all get
+# applied individually rather than the last one taking precedence.
+# This is a regression test against a bug that made it into a release
+# and was reported by Michał Bartoszkiewicz.
+((TESTNUM++))
+TARGET="${TESTDIR}"
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rw- "${TESTDIR}"
+setfacl -d -m group:${TESTGROUPS[0]}:rw- "${TESTDIR}"
+setfacl -d -m user:${USERS[1]}:--- "${TESTDIR}"
+setfacl -d -m group:${TESTGROUPS[1]}:--- "${TESTDIR}"
+"${BIN}" "${TARGET}"
+EXPECTED=$(cat <<EOF
+user::rw-
+user:${USERS[0]}:rw-
+user:${USERS[1]}:---
+group::r--
+group:${TESTGROUPS[0]}:rw-
+group:${TESTGROUPS[1]}:---
+mask::rw-
+other::r--
+
+EOF
+)
+ACTUAL=$( getfacl --omit-header "${TARGET}" )
+compare
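Review bot: The new test needs every group in `TESTGROUPS` to exist, but the only preflight visible here is the `for idx in $( seq 0 $((${#USERS[@]} - 1)) )` loop over `USERS`, whose body lies outside the shown hunks. If that loop does not also cover groups, a host without group `bin` or `daemon` would presumably fail the `setfacl -d -m group:...` calls and report an ACL mismatch instead of exiting with `EXIT_MISSING_USERS`. A matching check such as `getent group "${TESTGROUPS[idx]}" > /dev/null || exit ${EXIT_MISSING_USERS}` would keep an environment problem from being read as a regression in ACL handling. Separately, `TARGET="${TESTDIR}"` is overwritten by `TARGET="${TESTDIR}"/foo` on the next line and can be dropped. The test comment could also note that in the reported case a `---` entry ended up `rw-`, i.e. access was widened, which is why the entries must keep differing permissions.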