]>
gitweb.michael.orlitzky.com - apply-default-acl.git/blob - run-tests.sh
9 # Exit with this when a test fails.
12 # We use a few system users in the tests. If these users aren't
13 # present, we exit with a different (non-EXIT_FAILURE).
16 # Define the users and groups that we'll use in the tests below. We
17 # store the names as variables to avoid repeating them everywhere.
18 # Since GROUPS is already part of everyone's environment, we need
21 # WARNING: These must be in alphabetical order; otherwise the getfacl
22 # output will not match.
25 TESTGROUPS
=( bin daemon
)
27 # Check to see if the above users exist. If not, bail.
28 for idx
in $( seq 0 $((${#USERS[@]} - 1)) ); do
29 id
"${USERS[idx]}" >/dev
/null
2>&1
31 if [ $?
-ne $EXIT_SUCCESS ]; then
32 echo "Error: missing test user ${USERS[idx]}." 1>&2
33 exit $EXIT_MISSING_USERS
38 BIN
=$(realpath src/apply-default-acl)
40 # The directory where we'll do all the ACL manipulation.
43 # Will auto-increment.
47 # Remove any ACLs on our test directory and remove its contents.
48 setfacl
--remove-all --recursive "${TESTDIR}"
49 chmod 755 "${TESTDIR}"
54 if [[ "${ACTUAL}" == "${EXPECTED}" ]]; then
55 echo "Success (#${TESTNUM})"
58 echo "Failure (#${TESTNUM})"
59 echo 'Expected result:'
60 echo '================'
62 echo '================'
64 echo '================'
66 echo '================'
71 # Start by removing and recreating the 'acl' directory.
76 # When using a minimal ACL, the default user, group, and other
77 # permissions should all be propagated to the mode bits.
79 TARGET
="${TESTDIR}"/foo
82 setfacl
-d -m user
::r
-- "${TESTDIR}"
83 setfacl
-d -m group
::r
-- "${TESTDIR}"
84 setfacl
-d -m other
::r
-- "${TESTDIR}"
95 ACTUAL
=$(getfacl --omit-header "${TARGET}")
98 # Do the same thing as the last test, except with an extended ACL.
100 setfacl
-d -m user
::r
-- "${TESTDIR}"
101 setfacl
-d -m group
::r
-- "${TESTDIR}"
102 setfacl
-d -m other
::r
-- "${TESTDIR}"
103 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
105 chmod 777 "${TARGET}"
118 ACTUAL
=$(getfacl --omit-header "${TARGET}")
122 # A file shared by a group, should still be group-writable
126 chmod 644 "${TARGET}"
127 setfacl
-d -m group
:${USERS[0]}:rwx
"${TESTDIR}"
133 group:${USERS[0]}:rwx #effective:rw-
140 ACTUAL
=$(getfacl --omit-header "${TARGET}")
144 # Same test as before except with a directory.
146 setfacl
-d -m group
:${USERS[0]}:rwx
"${TESTDIR}"
148 chmod 755 "${TARGET}"
154 group:${USERS[0]}:rwx
159 default:group:${USERS[0]}:rwx
166 ACTUAL
=$(getfacl --omit-header "${TARGET}")
170 # With no default, things are left alone.
173 chmod 744 "${TARGET}"
185 ACTUAL
=$(getfacl --omit-header "${TARGET}")
190 # Since the default ACL will grant r-x to group/other, they will wind
194 chmod 744 "${TARGET}"
195 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
209 ACTUAL
=$(getfacl --omit-header "${TARGET}")
213 # Some named entries can be granted execute permissions as the result
217 chmod 744 "${TARGET}"
218 setfacl
-m user
:${USERS[1]}:rw
"${TARGET}"
219 # If we don't add 'x' to the mask here, nobody can execute the file.
220 # setfacl will update the mask for us under most circumstances, but
221 # note that we didn't create an entry with an 'x' bit using setfacl --
222 # therefore, setfacl won't unmask 'x' for us.
223 setfacl
-m mask
::rwx
"${TARGET}"
224 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
225 setfacl
-d -m user
:${USERS[1]}:rwx
"${TESTDIR}"
239 ACTUAL
=$(getfacl --omit-header "${TARGET}")
243 # We should not retain any entries that aren't in the default.
246 chmod 644 "${TARGET}"
247 setfacl
-m user
:${USERS[1]}:rw
"${TARGET}"
248 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
253 user:${USERS[0]}:rwx #effective:rw-
261 ACTUAL
=$(getfacl --omit-header "${TARGET}")
265 # A slightly modified version of the first test, to make sure it works.
267 TARGET
="${TESTDIR}"/foo
269 chmod 777 "${TARGET}"
270 setfacl
-d -m user
::r
-- "${TESTDIR}"
281 ACTUAL
=$(getfacl --omit-header "${TARGET}")
285 # If the default ACL mask denies execute, we should respect that
286 # regardless of the existing execute permissions.
288 TARGET
="${TESTDIR}"/foo
290 chmod 777 "${TARGET}"
291 setfacl
-m user
:${USERS[0]}:rwx
"${TESTDIR}"
292 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
293 setfacl
-d -m mask
::rw
- "${TESTDIR}"
298 user:${USERS[0]}:rwx #effective:rw-
299 group::r-x #effective:r--
306 ACTUAL
=$(getfacl --omit-header "${TARGET}")
311 # The --recursive mode should work normally if the argument is a
312 # normal file. See the first test.
314 TARGET
="${TESTDIR}"/foo
315 setfacl
-d -m user
::r
-- "${TESTDIR}"
316 setfacl
-d -m group
::r
-- "${TESTDIR}"
317 setfacl
-d -m other
::r
-- "${TESTDIR}"
319 chmod 777 "${TARGET}"
320 $BIN --recursive "${TARGET}"
330 ACTUAL
=$(getfacl --omit-header "${TARGET}")
334 # The --recursive mode should work recursively.
336 TARGET
="${TESTDIR}"/foo
338 touch "${TARGET}"/baz
339 mkdir -p "${TARGET}"/bar
340 touch "${TARGET}"/bar
/quux
341 setfacl
-d -m user
::rwx
"${TESTDIR}"
342 setfacl
-d -m group
::r
-- "${TESTDIR}"
343 setfacl
-d -m other
::r
-- "${TESTDIR}"
344 chmod -R 777 "${TARGET}"
345 $BIN --recursive "${TARGET}"
355 ACTUAL
=$(getfacl --omit-header "${TARGET}"/bar/quux)
359 # The --recursive mode should work recursively. This time
360 # check a directory, and pass the short command-line flag.
362 TARGET
="${TESTDIR}"/foo
364 touch "${TARGET}"/baz
365 mkdir -p "${TARGET}"/bar
366 touch "${TARGET}"/bar
/quux
367 setfacl
-d -m user
::rwx
"${TESTDIR}"
368 setfacl
-d -m group
::r
-- "${TESTDIR}"
369 setfacl
-d -m other
::r
-- "${TESTDIR}"
370 chmod -R 777 "${TARGET}"
384 ACTUAL
=$(getfacl --omit-header "${TARGET}"/bar)
388 # Test double application on a directory.
391 TARGET
="${TESTDIR}"/baz
393 chmod 644 "${TARGET}"
394 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
406 default:user:${USERS[0]}:rwx
414 ACTUAL
=$(getfacl --omit-header "${TARGET}")
418 # Same as previous test, with 755 initial perms.
421 TARGET
="${TESTDIR}"/baz
423 chmod 755 "${TARGET}"
424 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
436 default:user:${USERS[0]}:rwx
444 ACTUAL
=$(getfacl --omit-header "${TARGET}")
448 # Same as previous two tests, only with a file.
451 TARGET
="${TESTDIR}"/foo
453 chmod 644 "${TARGET}"
454 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
461 user:${USERS[0]}:rwx #effective:rw-
468 ACTUAL
=$(getfacl --omit-header "${TARGET}")
472 # User-executable files should not wind up exec-masked.
474 TARGET
="${TESTDIR}"/foo
476 chmod 700 "${TARGET}"
477 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
490 ACTUAL
=$(getfacl --omit-header "${TARGET}")
494 # Group-executable files should not wind up exec-masked.
496 TARGET
="${TESTDIR}"/foo
498 chmod 670 "${TARGET}"
499 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
512 ACTUAL
=$(getfacl --omit-header "${TARGET}")
516 # Other-executable files should not wind up exec-masked.
518 TARGET
="${TESTDIR}"/foo
520 chmod 607 "${TARGET}"
521 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
534 ACTUAL
=$(getfacl --omit-header "${TARGET}")
540 # Make sure a mask with an execute bit doesn't count as being
544 TARGET
="${TESTDIR}"/foo
546 chmod 644 "${TARGET}"
547 setfacl
-m user
::rw
"${TARGET}"
548 setfacl
-m group
::rw
"${TARGET}"
549 # Even though the mask has an 'x' bit, nobody can execute it.
550 setfacl
-m mask
::rwx
"${TARGET}"
551 setfacl
-d -m user
::rwx
"${TESTDIR}"
552 setfacl
-d -m group
::rwx
"${TESTDIR}"
564 ACTUAL
=$(getfacl --omit-header "${TARGET}")
568 # Same as the second test, except we pass multiple files on the
569 # command line and check the result of the first one.
571 setfacl
-d -m user
::r
-- "${TESTDIR}"
572 setfacl
-d -m group
::r
-- "${TESTDIR}"
573 setfacl
-d -m other
::r
-- "${TESTDIR}"
574 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
575 DUMMY
="${TESTDIR}/dummy"
579 chmod 777 "${TARGET}"
580 $BIN "${TARGET}" "${DUMMY}"
592 ACTUAL
=$(getfacl --omit-header "${TARGET}")
597 # Same as the previous test with the argument order switched.
599 setfacl
-d -m user
::r
-- "${TESTDIR}"
600 setfacl
-d -m group
::r
-- "${TESTDIR}"
601 setfacl
-d -m other
::r
-- "${TESTDIR}"
602 setfacl
-d -m user
:${USERS[0]}:rwx
"${TESTDIR}"
603 DUMMY
="${TESTDIR}/dummy"
607 chmod 777 "${TARGET}"
608 $BIN "${DUMMY}" "${TARGET}"
620 ACTUAL
=$(getfacl --omit-header "${TARGET}")
624 # If we call apply-default-acl on a single file that does not exist,
625 # we get the expected error.
627 ACTUAL
=$( "${BIN}" test/nonexistent 2>&1 )
628 EXPECTED
="test/nonexistent: No such file or directory"
632 # Same as the previous test, but with --recursive.
634 ACTUAL
=$( "${BIN}" --recursive test/nonexistent 2>&1 )
635 EXPECTED
="test/nonexistent: No such file or directory"
639 # If we call apply-default-acl on more than one file, it should report any
640 # that don't exist (but proceed to operate on the others).
642 DUMMY1
="${TESTDIR}/dummy1"
643 DUMMY2
="${TESTDIR}/dummy2"
644 touch "${DUMMY1}" "${DUMMY2}"
645 ACTUAL
=$( "${BIN}" "${DUMMY1}" test/nonexistent "${DUMMY2}" 2>&1 )
646 EXPECTED
="test/nonexistent: No such file or directory"
650 # Ensure that symlinks are not followed.
652 TARGET
="${TESTDIR}/foo"
653 LINK2TARGET
="${TESTDIR}/foo-sym"
655 ln -s "${TARGET#${TESTDIR}/}" "${LINK2TARGET}"
656 setfacl
--default --modify user
:${USERS[0]}:rwx
"${TESTDIR}"
657 "${BIN}" "${LINK2TARGET}"
658 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
669 # Ensure that symlinks are not followed in subdirectories (recursively).
671 TARGET
="${TESTDIR}/bar"
673 mkdir "${TESTDIR}/foo"
674 LINK2TARGET
="${TESTDIR}/foo/bar-sym"
675 ln -s "../bar" "${LINK2TARGET}"
676 setfacl
--default --modify user
:${USERS[0]}:rwx
"${TESTDIR}/foo"
677 EXPECTED
=$(getfacl --omit-header "${TARGET}")
678 "${BIN}" --recursive "${TESTDIR}/foo"
679 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
683 # Ensure that hard links are ignored.
685 TARGET
="${TESTDIR}/foo"
686 LINK2TARGET
="${TESTDIR}/bar"
688 ln "${TARGET}" "${LINK2TARGET}"
689 setfacl
--default --modify user
:${USERS[0]}:rwx
"${TESTDIR}"
690 "${BIN}" "${LINK2TARGET}"
691 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
702 # We should be able to run the tool with a relative path from within a
703 # directory that contains a symlink, so long as the relative path
704 # doesn't contain one.
706 TARGET
="${TESTDIR}/foo/bar"
707 LINK2TARGET
="${TESTDIR}/baz"
708 mkdir -p $(dirname "${TARGET}")
710 ln -s foo
"${TESTDIR}/baz"
711 setfacl
--default --modify user
:${USERS[0]}:rw
$(dirname "${TARGET}")
712 pushd "${TESTDIR}/baz" > /dev
/null
715 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
728 # Ensure that symlinks in non-terminal path components are not followed.
730 TARGET
="${TESTDIR}/foo/bar/baz"
731 LINK2FOO
="${TESTDIR}/quux"
732 mkdir -p $(dirname "${TARGET}")
734 ln -s foo
"${LINK2FOO}"
735 setfacl
--default --modify user
:${USERS[0]}:rw
$(dirname "${TARGET}")
736 EXPECTED
=$(getfacl --omit-header "${TARGET}")
737 "${BIN}" "${LINK2FOO}/bar/baz"
738 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
742 # Test that our exit code succeeds on a single, normal path.
744 TARGET
="${TESTDIR}/foo"
746 setfacl
--default --modify user
:${USERS[0]}:rw
"${TESTDIR}"
753 # Test that our exit code fails on a symlink.
755 TARGET
="${TESTDIR}/bar"
756 touch "${TESTDIR}/foo"
757 ln -s foo
"${TARGET}"
758 setfacl
--default --modify user
:${USERS[0]}:rw
"${TESTDIR}"
765 # The previous test should fail, even if we use --recursive.
767 TARGET
="${TESTDIR}/bar"
768 touch "${TESTDIR}/foo"
769 ln -s foo
"${TARGET}"
770 setfacl
--default --modify user
:${USERS[0]}:rw
"${TESTDIR}"
771 "${BIN}" --recursive "${TARGET}"
777 # Test the return value for nonexistent paths.
779 TARGET
="${TESTDIR}/foo"
780 "${BIN}" "${TARGET}" &>/dev
/null
786 # Test that one "failure" exit code overrides two "successes"
787 # We need a default ACL on ${TESTDIR} because otherwise we do
788 # nothing, successfully, on the symlink path.
790 mkdir "${TESTDIR}/foo"
791 ln -s foo
"${TESTDIR}/bar"
792 mkdir "${TESTDIR}/baz"
793 setfacl
--default --modify user
:${USERS[0]}:rw
"${TESTDIR}"
794 "${BIN}" "${TESTDIR}/foo" "${TESTDIR}/bar" "${TESTDIR}/baz"
800 # The failure should prevail when using --recursive, too.
802 mkdir "${TESTDIR}/foo"
803 ln -s foo
"${TESTDIR}/bar"
804 mkdir "${TESTDIR}/baz"
805 "${BIN}" --recursive "${TESTDIR}"
811 # We should get "Not a directory" if we stick a trailing slash on the
812 # end of the path to a file.
814 TARGET
="${TESTDIR}/foo"
816 ACTUAL
=$( "${BIN}" "${TARGET}/" 2>&1 )
817 EXPECTED
="${TARGET}/: Not a directory"
821 # We should be a no-op on files contained in directories that have no
824 TARGET
="${TESTDIR}/foo"
826 setfacl
--modify user
:${USERS[0]}:rw
"${TARGET}"
827 EXPECTED
=$( getfacl --omit-header "${TARGET}" )
829 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
833 # We should be a no-op on directories contained in directories that
834 # have no default ACL (same as the previous test, but with a directory).
836 TARGET
="${TESTDIR}/foo"
838 setfacl
--modify user
:${USERS[0]}:rw
"${TARGET}"
839 setfacl
--default --modify user
:${USERS[0]}:rw
"${TARGET}"
840 EXPECTED
=$( getfacl --omit-header "${TARGET}" )
841 "${BIN}" --recursive "${TARGET}"
842 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
846 # Make sure we descend into subdirectories that don't have default ACLs.
848 TARGET
="${TESTDIR}/foo/bar/baz"
849 mkdir -p $(dirname "${TARGET}")
851 touch "${TARGET}-direct"
852 setfacl
--default --modify user
:${USERS[0]}:rw
$(dirname "${TARGET}")
853 "${BIN}" "${TARGET}-direct"
854 EXPECTED
=$( getfacl --omit-header "${TARGET}-direct" )
855 "${BIN}" --recursive "${TESTDIR}"
856 ACTUAL
=$( getfacl --omit-header "${TARGET}" )
860 # Ensure that we don't get "error" results for symlinks encountered
861 # during a recursive traversal.
864 mkdir "${TARGET}/foo"
865 mkdir "${TARGET}/bar"
866 ln -s "../foo" "${TARGET}/bar/baz"
867 setfacl
--default --modify user
:${USERS[0]}:rw
"${TARGET}"
869 "${BIN}" --recursive "${TARGET}"
874 # Ensure that "." works as an argument.
877 mkdir "${TARGET}/foo"
878 mkdir "${TARGET}/bar"
879 setfacl
--default --modify user
:${USERS[0]}:rw
"${TARGET}"
880 "${BIN}" "${TARGET}/foo"
881 EXPECTED
=$( getfacl --omit-header "${TARGET}/foo" )
882 pushd "${TARGET}/bar" > /dev
/null
884 ACTUAL
=$( getfacl --omit-header "." )
888 # Ensure that "." works as an argument (recursive).
891 mkdir -p "${TARGET}/foo/baz"
892 mkdir -p "${TARGET}/bar/baz"
893 setfacl
--default --modify user
:${USERS[0]}:rw
"${TARGET}"
894 "${BIN}" --recursive "${TARGET}/foo"
895 EXPECTED
=$( getfacl --omit-header "${TARGET}/foo/baz" )
896 pushd "${TARGET}/bar" > /dev
/null
897 "${BIN}" --recursive "."
898 ACTUAL
=$( getfacl --omit-header "./baz" )
902 # Ensure that "./" works as an argument.
905 mkdir "${TARGET}/foo"
906 mkdir "${TARGET}/bar"
907 setfacl
--default --modify user
:${USERS[0]}:rw
"${TARGET}"
908 "${BIN}" "${TARGET}/foo"
909 EXPECTED
=$( getfacl --omit-header "${TARGET}/foo" )
910 pushd "${TARGET}/bar" > /dev
/null
912 ACTUAL
=$( getfacl --omit-header "./" )
916 # Ensure that ".." works as an argument.
919 mkdir "${TARGET}/foo"
920 mkdir -p "${TARGET}/bar/baz"
921 setfacl
--default --modify user
:${USERS[0]}:rw
"${TARGET}"
922 "${BIN}" "${TARGET}/foo"
923 EXPECTED
=$( getfacl --omit-header "${TARGET}/foo" )
924 pushd "${TARGET}/bar/baz" > /dev
/null
926 ACTUAL
=$( getfacl --omit-header ".." )
930 # Ensure that ".." works as an argument (recursive).
933 mkdir -p "${TARGET}/foo/baz"
934 mkdir -p "${TARGET}/bar/baz"
935 setfacl
--default --modify user
:${USERS[0]}:rw
"${TARGET}"
936 "${BIN}" --recursive "${TARGET}/foo"
937 EXPECTED
=$( getfacl --omit-header "${TARGET}/foo/baz" )
938 pushd "${TARGET}/bar/baz" > /dev
/null
939 "${BIN}" --recursive ".."
940 ACTUAL
=$( getfacl --omit-header "." )
944 # Ensure that "../" works as an argument.
947 mkdir "${TARGET}/foo"
948 mkdir -p "${TARGET}/bar/baz"
949 setfacl
--default --modify user
:${USERS[0]}:rw
"${TARGET}"
950 "${BIN}" "${TARGET}/foo"
951 EXPECTED
=$( getfacl --omit-header "${TARGET}/foo" )
952 pushd "${TARGET}/bar/baz" > /dev
/null
954 ACTUAL
=$( getfacl --omit-header "../" )
959 # Ensure that multiple named-user and named-group entries all get
960 # applied individually rather than the last one taking precedence.
961 # This is a regression test against a bug that made it into a release
962 # and was reported by MichaĆ Bartoszkiewicz.
965 TARGET
="${TESTDIR}"/foo
967 setfacl
-d -m user
:${USERS[0]}:rw
- "${TESTDIR}"
968 setfacl
-d -m group
:${TESTGROUPS[0]}:rw
- "${TESTDIR}"
969 setfacl
-d -m user
:${USERS[1]}:--- "${TESTDIR}"
970 setfacl
-d -m group
:${TESTGROUPS[1]}:--- "${TESTDIR}"
977 group:${TESTGROUPS[0]}:rw-
978 group:${TESTGROUPS[1]}:---
984 ACTUAL
=$( getfacl --omit-header "${TARGET}" )