#!/bin/bash
-# Our exit code.
-RESULT=0
+#
+# Exit codes
+#
+
+# Exit with this when a test fails.
+EXIT_FAILURE=1
+
+# We use a few system users in the tests. If these users aren't
+# present, we exit with a different (non-EXIT_FAILURE).
+EXIT_MISSING_USERS=2
+
+# Define the users that we'll use in the tests below. We store the
+# names as variables to avoid repeating them everywhere.
+#
+# WARNING: These must be in alphabetical order; otherwise the getfacl
+# output will not match.
+#
+USERS=( bin daemon )
+
+# Check to see if the above users exist. If not, bail.
+for idx in $( seq 0 $((${#USERS[@]} - 1)) ); do
+ id ${USERS[idx]} >/dev/null 2>&1 || exit $EXIT_MISSING_USERS
+done
+
+# The program name.
+BIN=src/apply-default-acl
# The directory where we'll do all the ACL manipulation.
TESTDIR=test
acl_reset() {
# Remove any ACLs on our test directory and remove its contents.
- setfacl --remove-all --recursive "$TESTDIR"
- rm -f "${TESTDIR}"/*
+ setfacl --remove-all --recursive "${TESTDIR}"
+ chmod 755 "${TESTDIR}"
+ rm -rf "${TESTDIR}"/*
}
compare() {
if [[ "${ACTUAL}" == "${EXPECTED}" ]]; then
- echo "Success."
+ echo "Success (#${TESTNUM})"
acl_reset
else
- echo "Failure."
- echo "Expected result:"
+ echo "Failure (#${TESTNUM})"
+ echo 'Expected result:'
+ echo '================'
echo "${EXPECTED}"
- echo "Actual result:"
+ echo '================'
+ echo 'Actual result:'
+ echo '================'
echo "${ACTUAL}"
- RESULT=1
+ echo '================'
+ exit $EXIT_FAILURE
fi
}
# When using a minimal ACL, the default user, group, and other
# permissions should all be propagated to the mode bits.
+TESTNUM=1
TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 777 "${TARGET}"
setfacl -d -m user::r-- "${TESTDIR}"
setfacl -d -m group::r-- "${TESTDIR}"
setfacl -d -m other::r-- "${TESTDIR}"
-touch "${TARGET}"
-chmod 777 "${TARGET}"
-./aclq "${TARGET}"
+$BIN "${TARGET}"
EXPECTED=$(cat <<EOF
user::r--
compare
# Do the same thing as the last test, except with an extended ACL.
+TESTNUM=2
setfacl -d -m user::r-- "${TESTDIR}"
setfacl -d -m group::r-- "${TESTDIR}"
setfacl -d -m other::r-- "${TESTDIR}"
-setfacl -d -m user:mail:rwx "${TESTDIR}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
touch "${TARGET}"
chmod 777 "${TARGET}"
-./aclq "${TARGET}"
+$BIN "${TARGET}"
EXPECTED=$(cat <<EOF
user::r--
-user:mail:rwx
+user:${USERS[0]}:rwx
group::r--
mask::rwx
other::r--
ACTUAL=`getfacl --omit-header "${TARGET}"`
compare
-# A directory shared by a group, should still be group-writable
+
+# A file shared by a group, should still be group-writable
# afterwards.
-setfacl -d -m group:mail:rwx "${TESTDIR}"
+TESTNUM=3
+touch "${TARGET}"
+chmod 644 "${TARGET}"
+setfacl -d -m group:${USERS[0]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rw-
+group::r--
+group:${USERS[0]}:rwx #effective:rw-
+mask::rw-
+other::r--
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+# Same test as before except with a directory.
+TESTNUM=4
+setfacl -d -m group:${USERS[0]}:rwx "${TESTDIR}"
+mkdir "${TARGET}"
+chmod 755 "${TARGET}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+group::r-x
+group:${USERS[0]}:rwx
+mask::rwx
+other::r-x
+default:user::rwx
+default:group::r-x
+default:group:${USERS[0]}:rwx
+default:mask::rwx
+default:other::r-x
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+# With no default, things are left alone.
+TESTNUM=5
+touch "${TARGET}"
+chmod 744 "${TARGET}"
+$BIN "${TARGET}"
+
+
+EXPECTED=$(cat <<EOF
+user::rwx
+group::r--
+other::r--
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+
+# Since the default ACL will grant r-x to group/other, they will wind
+# up with it.
+TESTNUM=6
+touch "${TARGET}"
+chmod 744 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+# Some named entries can be granted execute permissions as the result
+# of reapplication.
+TESTNUM=7
+touch "${TARGET}"
+chmod 744 "${TARGET}"
+setfacl -m user:${USERS[1]}:rw "${TARGET}"
+# If we don't add 'x' to the mask here, nobody can execute the file.
+# setfacl will update the mask for us under most circumstances, but
+# note that we didn't create an entry with an 'x' bit using setfacl --
+# therefore, setfacl won't unmask 'x' for us.
+setfacl -m mask::rwx "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+setfacl -d -m user:${USERS[1]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+user:${USERS[1]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+# We should not retain any entries that aren't in the default.
+TESTNUM=8
+touch "${TARGET}"
+chmod 644 "${TARGET}"
+setfacl -m user:${USERS[1]}:rw "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+
+EXPECTED=$(cat <<EOF
+user::rw-
+user:${USERS[0]}:rwx #effective:rw-
+group::r--
+mask::rw-
+other::r--
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+# A slightly modified test #1 to make sure it works right.
+TESTNUM=9
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 777 "${TARGET}"
+setfacl -d -m user::r-- "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::r--
+group::r-x
+other::r-x
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+# If the default ACL mask denies execute, we should respect that
+# regardless of the existing execute permissions.
+TESTNUM=10
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 777 "${TARGET}"
+setfacl -m user:${USERS[0]}:rwx "${TESTDIR}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+setfacl -d -m mask::rw- "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx #effective:rw-
+group::r-x #effective:r--
+mask::rw-
+other::r-x
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+
+# The --recursive mode should work normally if the argument is a
+# normal file. See Test #1.
+TESTNUM=11
+TARGET="${TESTDIR}"/foo
+setfacl -d -m user::r-- "${TESTDIR}"
+setfacl -d -m group::r-- "${TESTDIR}"
+setfacl -d -m other::r-- "${TESTDIR}"
+touch "${TARGET}"
+chmod 777 "${TARGET}"
+$BIN --recursive "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::r--
+group::r--
+other::r--
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+# The --recursive mode should work recursively.
+TESTNUM=12
+TARGET="${TESTDIR}"/foo
+mkdir -p "${TARGET}"
+touch "${TARGET}"/baz
+mkdir -p "${TARGET}"/bar
+touch "${TARGET}"/bar/quux
+setfacl -d -m user::rwx "${TESTDIR}"
+setfacl -d -m group::r-- "${TESTDIR}"
+setfacl -d -m other::r-- "${TESTDIR}"
+chmod -R 777 "${TARGET}"
+$BIN --recursive "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+group::r--
+other::r--
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"/bar/quux`
+compare
+
+
+# The --recursive mode should work recursively. This time
+# check a directory, and pass the short command-line flag.
+TESTNUM=13
+TARGET="${TESTDIR}"/foo
+mkdir -p "${TARGET}"
+touch "${TARGET}"/baz
+mkdir -p "${TARGET}"/bar
+touch "${TARGET}"/bar/quux
+setfacl -d -m user::rwx "${TESTDIR}"
+setfacl -d -m group::r-- "${TESTDIR}"
+setfacl -d -m other::r-- "${TESTDIR}"
+chmod -R 777 "${TARGET}"
+$BIN -r "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+group::r--
+other::r--
+default:user::rwx
+default:group::r--
+default:other::r--
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"/bar`
+compare
+
+
+# Test double application on a directory.
+#
+TESTNUM=14
+TARGET="${TESTDIR}"/baz
+mkdir "${TARGET}"
+chmod 644 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+
+$BIN "${TARGET}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+default:user::rwx
+default:user:${USERS[0]}:rwx
+default:group::r-x
+default:mask::rwx
+default:other::r-x
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+# Same as previous test, with 755 initial perms.
+#
+TESTNUM=15
+TARGET="${TESTDIR}"/baz
+mkdir "${TARGET}"
+chmod 755 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+
+$BIN "${TARGET}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+default:user::rwx
+default:user:${USERS[0]}:rwx
+default:group::r-x
+default:mask::rwx
+default:other::r-x
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+# Same as previous two tests, only with a file.
+#
+TESTNUM=16
+TARGET="${TESTDIR}"/foo
touch "${TARGET}"
chmod 644 "${TARGET}"
-./aclq "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+
+$BIN "${TARGET}"
+$BIN "${TARGET}"
EXPECTED=$(cat <<EOF
user::rw-
+user:${USERS[0]}:rwx #effective:rw-
group::r--
-group:mail:rwx #effective:rw-
mask::rw-
other::r--
EOF
ACTUAL=`getfacl --omit-header "${TARGET}"`
compare
+
+
+# User-executable files should not wind up exec-masked.
+TESTNUM=17
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 700 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+# Group-executable files should not wind up exec-masked.
+TESTNUM=18
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 670 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+# Other-executable files should not wind up exec-masked.
+TESTNUM=19
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 607 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+
+# Test #16's setup repeated with the --no-exec-mask flag.
+#
+TESTNUM=20
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 644 "${TARGET}"
+# The directory allows execute for user, group, and other, so the file
+# should actually inherit them regardless of its initial mode when the
+# --no-exec-mask flag is passed.
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+
+$BIN --no-exec-mask "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+
+# Test #20 repeated recursively to make sure the flags play nice
+# together.
+TESTNUM=21
+PARENT_DIR="${TESTDIR}"/foo
+TARGET="${PARENT_DIR}"/bar
+mkdir "${PARENT_DIR}"
+touch "${TARGET}"
+chmod 644 "${TARGET}"
+setfacl -d -m user:${USERS[0]}:rwx "${TESTDIR}"
+
+$BIN --recursive --no-exec-mask "${PARENT_DIR}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:${USERS[0]}:rwx
+group::r-x
+mask::rwx
+other::r-x
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+