#!/bin/bash
+# The program name.
+BIN=./reapply_default_acl
+
# The directory where we'll do all the ACL manipulation.
TESTDIR=test
setfacl -d -m other::r-- "${TESTDIR}"
touch "${TARGET}"
chmod 777 "${TARGET}"
-./aclq "${TARGET}"
+$BIN "${TARGET}"
EXPECTED=$(cat <<EOF
user::r--
setfacl -d -m user:mail:rwx "${TESTDIR}"
touch "${TARGET}"
chmod 777 "${TARGET}"
-./aclq "${TARGET}"
+$BIN "${TARGET}"
EXPECTED=$(cat <<EOF
user::r--
touch "${TARGET}"
chmod 644 "${TARGET}"
setfacl -d -m group:mail:rwx "${TESTDIR}"
-./aclq "${TARGET}"
+$BIN "${TARGET}"
EXPECTED=$(cat <<EOF
user::rw-
setfacl -d -m group:mail:rwx "${TESTDIR}"
mkdir "${TARGET}"
chmod 755 "${TARGET}"
-./aclq "${TARGET}"
+$BIN "${TARGET}"
EXPECTED=$(cat <<EOF
user::rwx
TESTNUM=5
touch "${TARGET}"
chmod 744 "${TARGET}"
-./aclq "${TARGET}"
+$BIN "${TARGET}"
EXPECTED=$(cat <<EOF
-# Make sure execute permission is removed for group/other after the
-# reapplication.
+# Since the default ACL will grant r-x to group/other, they will wind
+# up with it.
TESTNUM=6
touch "${TARGET}"
chmod 744 "${TARGET}"
setfacl -d -m user:mail:rwx "${TESTDIR}"
-./aclq "${TARGET}"
+$BIN "${TARGET}"
EXPECTED=$(cat <<EOF
user::rwx
user:mail:rwx
-group::r--
+group::r-x
mask::rwx
-other::r--
+other::r-x
EOF
)
compare
-# In fact, no existing named entries without execute permissions
-# should be granted execute permissions as the result of
-# reapplication.
+# Some named entries can be granted execute permissions as the result
+# of reapplication.
TESTNUM=7
touch "${TARGET}"
chmod 744 "${TARGET}"
setfacl -m user:news:rw "${TARGET}"
setfacl -d -m user:mail:rwx "${TESTDIR}"
setfacl -d -m user:news:rwx "${TESTDIR}"
-./aclq "${TARGET}"
+$BIN "${TARGET}"
EXPECTED=$(cat <<EOF
user::rwx
user:mail:rwx
-user:news:rw-
-group::r--
+user:news:rwx
+group::r-x
mask::rwx
+other::r-x
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+# We should not retain any entries that aren't in the default.
+TESTNUM=8
+touch "${TARGET}"
+chmod 644 "${TARGET}"
+setfacl -m user:news:rw "${TARGET}"
+setfacl -d -m user:mail:rwx "${TESTDIR}"
+$BIN "${TARGET}"
+
+
+EXPECTED=$(cat <<EOF
+user::rw-
+user:mail:rwx #effective:rw-
+group::r--
+mask::rw-
other::r--
EOF
ACTUAL=`getfacl --omit-header "${TARGET}"`
compare
+
+
+# A slightly modified test #1 to make sure it works right.
+TESTNUM=9
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 777 "${TARGET}"
+setfacl -d -m user::r-- "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::r--
+group::r-x
+other::r-x
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare
+
+
+# If the default ACL mask denies execute, we should respect that
+# regardless of the existing execute permissions.
+TESTNUM=10
+TARGET="${TESTDIR}"/foo
+touch "${TARGET}"
+chmod 777 "${TARGET}"
+setfacl -m user:mail:rwx "${TESTDIR}"
+setfacl -d -m user:mail:rwx "${TESTDIR}"
+setfacl -d -m mask::rw- "${TESTDIR}"
+$BIN "${TARGET}"
+
+EXPECTED=$(cat <<EOF
+user::rwx
+user:mail:rwx #effective:rw-
+group::r-x #effective:r--
+mask::rw-
+other::r-x
+
+EOF
+)
+
+ACTUAL=`getfacl --omit-header "${TARGET}"`
+compare