diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/bin/chmod/chmod.c 8.0/bin/chmod/chmod.c --- test/8.0/bin/chmod/chmod.c 2009-07-01 17:52:19.447674000 +0200 +++ 8.0/bin/chmod/chmod.c 2010-01-30 15:46:24.759185831 +0100 @@ -39,9 +39,9 @@ static char sccsid[] = "@(#)chmod.c 8.8 #endif /* not lint */ #endif #include -__FBSDID("$FreeBSD: src/bin/chmod/chmod.c,v 1.35.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $"); +__FBSDID("$FreeBSD: releng/8.0/bin/chmod/chmod.c 195243 2009-07-01 15:52:19Z trasz $"); -#include +#include #include #include @@ -54,7 +54,7 @@ __FBSDID("$FreeBSD: bin/chmod/chmod.c 19 #include static void usage(void); -static int may_have_nfs4acl(const FTSENT *ent); +static int may_have_nfs4acl(const FTSENT *ent, int hflag); int main(int argc, char *argv[]) @@ -62,11 +62,10 @@ main(int argc, char *argv[]) FTS *ftsp; FTSENT *p; mode_t *set; - int Hflag, Lflag, Rflag, ch, fflag, fts_options, hflag, rval; + int Hflag, Lflag, Rflag, ch, error, fflag, fts_options, hflag, rval; int vflag; char *mode; mode_t newmode; - int (*change_mode)(const char *, mode_t); set = NULL; Hflag = Lflag = Rflag = fflag = hflag = vflag = 0; @@ -140,11 +139,6 @@ done: argv += optind; } else fts_options = hflag ? FTS_PHYSICAL : FTS_LOGICAL; - if (hflag) - change_mode = lchmod; - else - change_mode = chmod; - mode = *argv; if ((set = setmode(mode)) == NULL) errx(1, "invalid file mode: %s", mode); @@ -175,7 +169,6 @@ done: argv += optind; */ if (!hflag) continue; - /* else */ /* FALLTHROUGH */ default: break; @@ -186,12 +179,18 @@ done: argv += optind; * identical to the one computed from an ACL will change * that ACL. */ - if (may_have_nfs4acl(p) == 0 && + if (may_have_nfs4acl(p, hflag) == 0 && (newmode & ALLPERMS) == (p->fts_statp->st_mode & ALLPERMS)) continue; - if ((*change_mode)(p->fts_accpath, newmode) && !fflag) { - warn("%s", p->fts_path); - rval = 1; + if (hflag) + error = lchmod(p->fts_accpath, newmode); + else + error = chmod(p->fts_accpath, newmode); + if (error) { + if (!fflag) { + warn("%s", p->fts_path); + rval = 1; + } } else { if (vflag) { (void)printf("%s", p->fts_path); @@ -202,7 +201,6 @@ done: argv += optind; strmode(p->fts_statp->st_mode, m1); strmode((p->fts_statp->st_mode & S_IFMT) | newmode, m2); - (void)printf(": 0%o [%s] -> 0%o [%s]", p->fts_statp->st_mode, m1, (p->fts_statp->st_mode & S_IFMT) | @@ -210,12 +208,10 @@ done: argv += optind; } (void)printf("\n"); } - } } if (errno) err(1, "fts_read"); - free(set); exit(rval); } @@ -228,17 +224,20 @@ usage(void) } static int -may_have_nfs4acl(const FTSENT *ent) +may_have_nfs4acl(const FTSENT *ent, int hflag) { int ret; - static dev_t previous_dev = (dev_t)-1; + static dev_t previous_dev = NODEV; static int supports_acls = -1; if (previous_dev != ent->fts_statp->st_dev) { previous_dev = ent->fts_statp->st_dev; supports_acls = 0; - ret = pathconf(ent->fts_accpath, _PC_ACL_NFS4); + if (hflag) + ret = lpathconf(ent->fts_accpath, _PC_ACL_NFS4); + else + ret = pathconf(ent->fts_accpath, _PC_ACL_NFS4); if (ret > 0) supports_acls = 1; else if (ret < 0 && errno != EINVAL) diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/bin/cp/utils.c 8.0/bin/cp/utils.c --- test/8.0/bin/cp/utils.c 2009-05-30 12:36:14.293074000 +0200 +++ 8.0/bin/cp/utils.c 2010-01-30 15:48:35.674234761 +0100 @@ -377,24 +377,52 @@ setfile(struct stat *fs, int fd) int preserve_fd_acls(int source_fd, int dest_fd) { - struct acl *aclp; acl_t acl; + acl_type_t acl_type; + int acl_supported = 0, ret, trivial; - if (fpathconf(source_fd, _PC_ACL_EXTENDED) != 1 || - fpathconf(dest_fd, _PC_ACL_EXTENDED) != 1) + ret = fpathconf(source_fd, _PC_ACL_NFS4); + if (ret > 0 ) { + acl_supported = 1; + acl_type = ACL_TYPE_NFS4; + } else if (ret < 0 && errno != EINVAL) { + warn("fpathconf(..., _PC_ACL_NFS4) failed for %s", to.p_path); + return (1); + } + if (acl_supported == 0) { + ret = fpathconf(source_fd, _PC_ACL_EXTENDED); + if (ret > 0 ) { + acl_supported = 1; + acl_type = ACL_TYPE_ACCESS; + } else if (ret < 0 && errno != EINVAL) { + warn("fpathconf(..., _PC_ACL_EXTENDED) failed for %s", + to.p_path); + return (1); + } + } + if (acl_supported == 0) return (0); - acl = acl_get_fd(source_fd); + + acl = acl_get_fd_np(source_fd, acl_type); if (acl == NULL) { warn("failed to get acl entries while setting %s", to.p_path); return (1); } - aclp = &acl->ats_acl; - if (aclp->acl_cnt == 3) + if (acl_is_trivial_np(acl, &trivial)) { + warn("acl_is_trivial() failed for %s", to.p_path); + acl_free(acl); + return (1); + } + if (trivial) { + acl_free(acl); return (0); - if (acl_set_fd(dest_fd, acl) < 0) { + } + if (acl_set_fd_np(dest_fd, acl, acl_type) < 0) { warn("failed to set acl entries for %s", to.p_path); + acl_free(acl); return (1); } + acl_free(acl); return (0); } @@ -405,10 +433,31 @@ preserve_dir_acls(struct stat *fs, char int (*aclsetf)(const char *, acl_type_t, acl_t); struct acl *aclp; acl_t acl; + acl_type_t acl_type; + int acl_supported = 0, ret, trivial; - if (pathconf(source_dir, _PC_ACL_EXTENDED) != 1 || - pathconf(dest_dir, _PC_ACL_EXTENDED) != 1) + ret = pathconf(source_dir, _PC_ACL_NFS4); + if (ret > 0) { + acl_supported = 1; + acl_type = ACL_TYPE_NFS4; + } else if (ret < 0 && errno != EINVAL) { + warn("fpathconf(..., _PC_ACL_NFS4) failed for %s", source_dir); + return (1); + } + if (acl_supported == 0) { + ret = pathconf(source_dir, _PC_ACL_EXTENDED); + if (ret > 0) { + acl_supported = 1; + acl_type = ACL_TYPE_ACCESS; + } else if (ret < 0 && errno != EINVAL) { + warn("fpathconf(..., _PC_ACL_EXTENDED) failed for %s", + source_dir); + return (1); + } + } + if (acl_supported == 0) return (0); + /* * If the file is a link we will not follow it */ @@ -419,34 +468,48 @@ preserve_dir_acls(struct stat *fs, char aclgetf = acl_get_file; aclsetf = acl_set_file; } - /* - * Even if there is no ACL_TYPE_DEFAULT entry here, a zero - * size ACL will be returned. So it is not safe to simply - * check the pointer to see if the default ACL is present. - */ - acl = aclgetf(source_dir, ACL_TYPE_DEFAULT); + if (acl_type == ACL_TYPE_ACCESS) { + /* + * Even if there is no ACL_TYPE_DEFAULT entry here, a zero + * size ACL will be returned. So it is not safe to simply + * check the pointer to see if the default ACL is present. + */ + acl = aclgetf(source_dir, ACL_TYPE_DEFAULT); + if (acl == NULL) { + warn("failed to get default acl entries on %s", + source_dir); + return (1); + } + aclp = &acl->ats_acl; + if (aclp->acl_cnt != 0 && aclsetf(dest_dir, + ACL_TYPE_DEFAULT, acl) < 0) { + warn("failed to set default acl entries on %s", + dest_dir); + acl_free(acl); + return (1); + } + acl_free(acl); + } + acl = aclgetf(source_dir, acl_type); if (acl == NULL) { - warn("failed to get default acl entries on %s", - source_dir); + warn("failed to get acl entries on %s", source_dir); return (1); } - aclp = &acl->ats_acl; - if (aclp->acl_cnt != 0 && aclsetf(dest_dir, - ACL_TYPE_DEFAULT, acl) < 0) { - warn("failed to set default acl entries on %s", - dest_dir); + if (acl_is_trivial_np(acl, &trivial)) { + warn("acl_is_trivial() failed on %s", source_dir); + acl_free(acl); return (1); } - acl = aclgetf(source_dir, ACL_TYPE_ACCESS); - if (acl == NULL) { - warn("failed to get acl entries on %s", source_dir); - return (1); + if (trivial) { + acl_free(acl); + return (0); } - aclp = &acl->ats_acl; - if (aclsetf(dest_dir, ACL_TYPE_ACCESS, acl) < 0) { + if (aclsetf(dest_dir, acl_type, acl) < 0) { warn("failed to set acl entries on %s", dest_dir); + acl_free(acl); return (1); } + acl_free(acl); return (0); } diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/bin/getfacl/getfacl.1 8.0/bin/getfacl/getfacl.1 --- test/8.0/bin/getfacl/getfacl.1 2006-09-17 19:40:07.000000000 +0200 +++ 8.0/bin/getfacl/getfacl.1 2010-01-30 15:50:49.108987103 +0100 @@ -30,7 +30,7 @@ .\" Developed by the TrustedBSD Project. .\" Support for POSIX.1e access control lists. .\" -.Dd March 13, 2006 +.Dd September 04, 2009 .Dt GETFACL 1 .Os .Sh NAME @@ -38,7 +38,7 @@ .Nd get ACL information .Sh SYNOPSIS .Nm -.Op Fl dhq +.Op Fl dhinqv .Op Ar .Sh DESCRIPTION The @@ -61,13 +61,25 @@ The operation applies to the default ACL access ACL. An error is generated if a default ACL cannot be associated with .Ar file . +This option is not valid for NFSv4 ACLs. .It Fl h If the target of the operation is a symbolic link, return the ACL from the symbolic link itself rather than following the link. +.It Fl i +For NFSv4 ACLs, append numerical ID at the end of each entry containing +user or group name. +Ignored for POSIX.1e ACLs. +.It Fl n +Display user and group IDs numerically rather than converting to +a user or group name. +Ignored for POSIX.1e ACLs. .It Fl q Do not write commented information about file name and ownership. This is useful when dealing with filenames with unprintable characters. +.It Fl v +For NFSv4 ACLs, display access mask and flags in a verbose form. +Ignored for POSIX.1e ACLs. .El .Pp The following operand is available: diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/bin/getfacl/getfacl.c 8.0/bin/getfacl/getfacl.c --- test/8.0/bin/getfacl/getfacl.c 2007-09-19 04:04:47.000000000 +0200 +++ 8.0/bin/getfacl/getfacl.c 2010-01-30 15:50:49.399139343 +0100 @@ -54,7 +54,7 @@ static void usage(void) { - fprintf(stderr, "getfacl [-dhq] [file ...]\n"); + fprintf(stderr, "getfacl [-dhnqv] [file ...]\n"); } static char * @@ -175,22 +175,39 @@ acl_from_stat(struct stat sb) } static int -print_acl(char *path, acl_type_t type, int hflag, int qflag) +print_acl(char *path, acl_type_t type, int hflag, int iflag, int nflag, + int qflag, int vflag) { struct stat sb; acl_t acl; char *acl_text; - int error; + int error, flags = 0, ret; if (hflag) error = lstat(path, &sb); else error = stat(path, &sb); if (error == -1) { - warn("%s", path); + warn("%s: stat() failed", path); return(-1); } + if (hflag) + ret = lpathconf(path, _PC_ACL_NFS4); + else + ret = pathconf(path, _PC_ACL_NFS4); + if (ret > 0) { + if (type == ACL_TYPE_DEFAULT) { + warnx("%s: there are no default entries in NFSv4 ACLs", + path); + return (-1); + } + type = ACL_TYPE_NFS4; + } else if (ret < 0 && errno != EINVAL) { + warn("%s: pathconf(..., _PC_ACL_NFS4) failed", path); + return (-1); + } + if (more_than_one) printf("\n"); else @@ -210,18 +227,27 @@ print_acl(char *path, acl_type_t type, i return(-1); } errno = 0; - if (type != ACL_TYPE_ACCESS) + if (type == ACL_TYPE_DEFAULT) return(0); acl = acl_from_stat(sb); if (!acl) { - warn("acl_from_stat()"); + warn("%s: acl_from_stat() failed", path); return(-1); } } - acl_text = acl_to_text(acl, 0); + if (iflag) + flags |= ACL_TEXT_APPEND_ID; + + if (nflag) + flags |= ACL_TEXT_NUMERIC_IDS; + + if (vflag) + flags |= ACL_TEXT_VERBOSE; + + acl_text = acl_to_text_np(acl, 0, flags); if (!acl_text) { - warn("%s", path); + warn("%s: acl_to_text_np() failed", path); return(-1); } @@ -234,7 +260,8 @@ print_acl(char *path, acl_type_t type, i } static int -print_acl_from_stdin(acl_type_t type, int hflag, int qflag) +print_acl_from_stdin(acl_type_t type, int hflag, int iflag, int nflag, + int qflag, int vflag) { char *p, pathname[PATH_MAX]; int carried_error = 0; @@ -242,7 +269,8 @@ print_acl_from_stdin(acl_type_t type, in while (fgets(pathname, (int)sizeof(pathname), stdin)) { if ((p = strchr(pathname, '\n')) != NULL) *p = '\0'; - if (print_acl(pathname, type, hflag, qflag) == -1) { + if (print_acl(pathname, type, hflag, iflag, nflag, + qflag, vflag) == -1) { carried_error = -1; } } @@ -256,11 +284,14 @@ main(int argc, char *argv[]) acl_type_t type = ACL_TYPE_ACCESS; int carried_error = 0; int ch, error, i; - int hflag, qflag; + int hflag, iflag, qflag, nflag, vflag; hflag = 0; + iflag = 0; qflag = 0; - while ((ch = getopt(argc, argv, "dhq")) != -1) + nflag = 0; + vflag = 0; + while ((ch = getopt(argc, argv, "dhinqv")) != -1) switch(ch) { case 'd': type = ACL_TYPE_DEFAULT; @@ -268,9 +299,18 @@ main(int argc, char *argv[]) case 'h': hflag = 1; break; + case 'i': + iflag = 1; + break; + case 'n': + nflag = 1; + break; case 'q': qflag = 1; break; + case 'v': + vflag = 1; + break; default: usage(); return(-1); @@ -279,17 +319,20 @@ main(int argc, char *argv[]) argv += optind; if (argc == 0) { - error = print_acl_from_stdin(type, hflag, qflag); + error = print_acl_from_stdin(type, hflag, iflag, nflag, + qflag, vflag); return(error ? 1 : 0); } for (i = 0; i < argc; i++) { if (!strcmp(argv[i], "-")) { - error = print_acl_from_stdin(type, hflag, qflag); + error = print_acl_from_stdin(type, hflag, iflag, nflag, + qflag, vflag); if (error == -1) carried_error = -1; } else { - error = print_acl(argv[i], type, hflag, qflag); + error = print_acl(argv[i], type, hflag, iflag, nflag, + qflag, vflag); if (error == -1) carried_error = -1; } diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/bin/ls/print.c 8.0/bin/ls/print.c --- test/8.0/bin/ls/print.c 2008-04-05 23:26:25.000000000 +0200 +++ 8.0/bin/ls/print.c 2010-01-30 15:42:58.751807474 +0100 @@ -70,7 +70,7 @@ static void printsize(size_t, off_t); static void endcolor(int); static int colortype(mode_t); #endif -static void aclmode(char *, const FTSENT *, int *); +static void aclmode(char *, const FTSENT *); #define IS_NOPRINT(p) ((p)->fts_number == NO_PRINT) @@ -139,16 +139,12 @@ printlong(const DISPLAY *dp) #ifdef COLORLS int color_printed = 0; #endif - int haveacls; - dev_t prevdev; if ((dp->list == NULL || dp->list->fts_level != FTS_ROOTLEVEL) && (f_longform || f_size)) { (void)printf("total %lu\n", howmany(dp->btotal, blocksize)); } - haveacls = 1; - prevdev = (dev_t)-1; for (p = dp->list; p; p = p->fts_link) { if (IS_NOPRINT(p)) continue; @@ -159,14 +155,7 @@ printlong(const DISPLAY *dp) (void)printf("%*jd ", dp->s_block, howmany(sp->st_blocks, blocksize)); strmode(sp->st_mode, buf); - /* - * Cache whether or not the filesystem supports ACL's to - * avoid expensive syscalls. Try again when we change devices. - */ - if (haveacls || sp->st_dev != prevdev) { - aclmode(buf, p, &haveacls); - prevdev = sp->st_dev; - } + aclmode(buf, p); np = p->fts_pointer; (void)printf("%s %*u %-*s %-*s ", buf, dp->s_nlink, sp->st_nlink, dp->s_user, np->user, dp->s_group, @@ -612,56 +601,73 @@ printsize(size_t width, off_t bytes) (void)printf("%*jd ", (u_int)width, bytes); } +/* + * Add a + after the standard rwxrwxrwx mode if the file has an + * ACL. strmode() reserves space at the end of the string. + */ static void -aclmode(char *buf, const FTSENT *p, int *haveacls) +aclmode(char *buf, const FTSENT *p) { char name[MAXPATHLEN + 1]; - int entries, ret; + int ret, trivial; + static dev_t previous_dev = NODEV; + static int supports_acls = -1; + static int type = ACL_TYPE_ACCESS; acl_t facl; - acl_entry_t ae; /* - * Add a + after the standard rwxrwxrwx mode if the file has an - * extended ACL. strmode() reserves space at the end of the string. + * XXX: ACLs are not supported on whiteouts and device files + * residing on UFS. */ + if (S_ISCHR(p->fts_statp->st_mode) || S_ISBLK(p->fts_statp->st_mode) || + S_ISWHT(p->fts_statp->st_mode)) + return; + + if (previous_dev == p->fts_statp->st_dev && supports_acls == 0) + return; + if (p->fts_level == FTS_ROOTLEVEL) snprintf(name, sizeof(name), "%s", p->fts_name); else snprintf(name, sizeof(name), "%s/%s", p->fts_parent->fts_accpath, p->fts_name); - /* - * We have no way to tell whether a symbolic link has an ACL since - * pathconf() and acl_get_file() both follow them. They also don't - * support whiteouts. - */ - if (S_ISLNK(p->fts_statp->st_mode) || S_ISWHT(p->fts_statp->st_mode)) { - *haveacls = 1; - return; - } - if ((ret = pathconf(name, _PC_ACL_EXTENDED)) <= 0) { - if (ret < 0 && errno != EINVAL) + + if (previous_dev != p->fts_statp->st_dev) { + previous_dev = p->fts_statp->st_dev; + supports_acls = 0; + + ret = lpathconf(name, _PC_ACL_NFS4); + if (ret > 0) { + type = ACL_TYPE_NFS4; + supports_acls = 1; + } else if (ret < 0 && errno != EINVAL) { warn("%s", name); - else - *haveacls = 0; + return; + } + if (supports_acls == 0) { + ret = lpathconf(name, _PC_ACL_EXTENDED); + if (ret > 0) { + type = ACL_TYPE_ACCESS; + supports_acls = 1; + } else if (ret < 0 && errno != EINVAL) { + warn("%s", name); + return; + } + } + } + if (supports_acls == 0) + return; + facl = acl_get_link_np(name, type); + if (facl == NULL) { + warn("%s", name); return; } - *haveacls = 1; - if ((facl = acl_get_file(name, ACL_TYPE_ACCESS)) != NULL) { - if (acl_get_entry(facl, ACL_FIRST_ENTRY, &ae) == 1) { - entries = 1; - while (acl_get_entry(facl, ACL_NEXT_ENTRY, &ae) == 1) - if (++entries > 3) - break; - /* - * POSIX.1e requires that ACLs of type ACL_TYPE_ACCESS - * must have at least three entries (owner, group, - * and other). So anything with more than 3 ACLs looks - * interesting to us. - */ - if (entries > 3) - buf[10] = '+'; - } + if (acl_is_trivial_np(facl, &trivial)) { acl_free(facl); - } else warn("%s", name); + return; + } + if (!trivial) + buf[10] = '+'; + acl_free(facl); } diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/bin/mv/mv.c 8.0/bin/mv/mv.c --- test/8.0/bin/mv/mv.c 2008-07-19 02:13:26.847080000 +0200 +++ 8.0/bin/mv/mv.c 2010-01-30 15:55:29.398310627 +0100 @@ -74,6 +74,8 @@ static int copy(const char *, const char static int do_move(const char *, const char *); static int fastcopy(const char *, const char *, struct stat *); static void usage(void); +static void preserve_fd_acls(int source_fd, int dest_fd, const char *source_path, + const char *dest_path); int main(int argc, char *argv[]) @@ -260,7 +262,6 @@ fastcopy(const char *from, const char *t struct timeval tval[2]; static u_int blen; static char *bp; - acl_t acl; mode_t oldmode; int nread, from_fd, to_fd; @@ -311,23 +312,15 @@ err: if (unlink(to)) sbp->st_mode &= ~(S_ISUID | S_ISGID); } } + if (fchmod(to_fd, sbp->st_mode)) + warn("%s: set mode (was: 0%03o)", to, oldmode); /* * POSIX 1003.2c states that if _POSIX_ACL_EXTENDED is in effect * for dest_file, then its ACLs shall reflect the ACLs of the * source_file. */ - if (fpathconf(to_fd, _PC_ACL_EXTENDED) == 1 && - fpathconf(from_fd, _PC_ACL_EXTENDED) == 1) { - acl = acl_get_fd(from_fd); - if (acl == NULL) - warn("failed to get acl entries while setting %s", - from); - else if (acl_set_fd(to_fd, acl) < 0) - warn("failed to set acl entries for %s", to); - } + preserve_fd_acls(from_fd, to_fd, from, to); (void)close(from_fd); - if (fchmod(to_fd, sbp->st_mode)) - warn("%s: set mode (was: 0%03o)", to, oldmode); /* * XXX * NFS doesn't support chflags; ignore errors unless there's reason @@ -439,6 +432,59 @@ copy(const char *from, const char *to) } static void +preserve_fd_acls(int source_fd, int dest_fd, const char *source_path, + const char *dest_path) +{ + acl_t acl; + acl_type_t acl_type; + int acl_supported = 0, ret, trivial; + + ret = fpathconf(source_fd, _PC_ACL_NFS4); + if (ret > 0 ) { + acl_supported = 1; + acl_type = ACL_TYPE_NFS4; + } else if (ret < 0 && errno != EINVAL) { + warn("fpathconf(..., _PC_ACL_NFS4) failed for %s", + source_path); + return; + } + if (acl_supported == 0) { + ret = fpathconf(source_fd, _PC_ACL_EXTENDED); + if (ret > 0 ) { + acl_supported = 1; + acl_type = ACL_TYPE_ACCESS; + } else if (ret < 0 && errno != EINVAL) { + warn("fpathconf(..., _PC_ACL_EXTENDED) failed for %s", + source_path); + return; + } + } + if (acl_supported == 0) + return; + + acl = acl_get_fd_np(source_fd, acl_type); + if (acl == NULL) { + warn("failed to get acl entries for %s", source_path); + return; + } + if (acl_is_trivial_np(acl, &trivial)) { + warn("acl_is_trivial() failed for %s", source_path); + acl_free(acl); + return; + } + if (trivial) { + acl_free(acl); + return; + } + if (acl_set_fd_np(dest_fd, acl, acl_type) < 0) { + warn("failed to set acl entries for %s", dest_path); + acl_free(acl); + return; + } + acl_free(acl); +} + +static void usage(void) { diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/bin/setfacl/mask.c 8.0/bin/setfacl/mask.c --- test/8.0/bin/setfacl/mask.c 2005-01-10 09:39:26.000000000 +0100 +++ 8.0/bin/setfacl/mask.c 2010-01-30 15:57:43.232705927 +0100 @@ -40,7 +40,7 @@ __FBSDID("$FreeBSD: bin/setfacl/mask.c 1 /* set the appropriate mask the given ACL's */ int -set_acl_mask(acl_t *prev_acl) +set_acl_mask(acl_t *prev_acl, const char *filename) { acl_entry_t entry; acl_t acl; @@ -59,7 +59,7 @@ set_acl_mask(acl_t *prev_acl) acl = acl_dup(*prev_acl); if (acl == NULL) - err(1, "acl_dup() failed"); + err(1, "%s: acl_dup() failed", filename); if (n_flag == 0) { /* @@ -70,7 +70,7 @@ set_acl_mask(acl_t *prev_acl) * class in the resulting ACL */ if (acl_calc_mask(&acl)) { - warn("acl_calc_mask() failed"); + warn("%s: acl_calc_mask() failed", filename); acl_free(acl); return (-1); } @@ -86,7 +86,8 @@ set_acl_mask(acl_t *prev_acl) while (acl_get_entry(acl, entry_id, &entry) == 1) { entry_id = ACL_NEXT_ENTRY; if (acl_get_tag_type(entry, &tag) == -1) - err(1, "acl_get_tag_type() failed"); + err(1, "%s: acl_get_tag_type() failed", + filename); if (tag == ACL_MASK) { acl_free(acl); @@ -100,7 +101,7 @@ set_acl_mask(acl_t *prev_acl) * file, then write an error message to standard error and * continue with the next file. */ - warnx("warning: no mask entry"); + warnx("%s: warning: no mask entry", filename); acl_free(acl); return (0); } diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/bin/setfacl/merge.c 8.0/bin/setfacl/merge.c --- test/8.0/bin/setfacl/merge.c 2005-01-10 09:39:26.000000000 +0100 +++ 8.0/bin/setfacl/merge.c 2010-01-30 16:49:14.488510871 +0100 @@ -36,12 +36,15 @@ __FBSDID("$FreeBSD: bin/setfacl/merge.c #include "setfacl.h" -static int merge_user_group(acl_entry_t *entry, acl_entry_t *entry_new); +static int merge_user_group(acl_entry_t *entry, acl_entry_t *entry_new, + int acl_brand); static int -merge_user_group(acl_entry_t *entry, acl_entry_t *entry_new) +merge_user_group(acl_entry_t *entry, acl_entry_t *entry_new, int acl_brand) { acl_permset_t permset; + acl_entry_type_t entry_type; + acl_flagset_t flagset; int have_entry; uid_t *id, *id_new; @@ -59,6 +62,18 @@ merge_user_group(acl_entry_t *entry, acl err(1, "acl_get_permset() failed"); if (acl_set_permset(*entry_new, permset) == -1) err(1, "acl_set_permset() failed"); + + if (acl_brand == ACL_BRAND_NFS4) { + if (acl_get_entry_type_np(*entry, &entry_type)) + err(1, "acl_get_entry_type_np() failed"); + if (acl_set_entry_type_np(*entry_new, entry_type)) + err(1, "acl_set_entry_type_np() failed"); + if (acl_get_flagset_np(*entry, &flagset)) + err(1, "acl_get_flagset_np() failed"); + if (acl_set_flagset_np(*entry_new, flagset)) + err(1, "acl_set_flagset_np() failed"); + } + have_entry = 1; } acl_free(id); @@ -71,20 +86,30 @@ merge_user_group(acl_entry_t *entry, acl * merge an ACL into existing file's ACL */ int -merge_acl(acl_t acl, acl_t *prev_acl) +merge_acl(acl_t acl, acl_t *prev_acl, const char *filename) { acl_entry_t entry, entry_new; acl_permset_t permset; acl_t acl_new; acl_tag_t tag, tag_new; - int entry_id, entry_id_new, have_entry; + acl_entry_type_t entry_type, entry_type_new; + acl_flagset_t flagset; + int entry_id, entry_id_new, have_entry, entry_number = 0; + int acl_brand, prev_acl_brand; + + acl_get_brand_np(acl, &acl_brand); + acl_get_brand_np(*prev_acl, &prev_acl_brand); + + if (branding_mismatch(acl_brand, prev_acl_brand)) { + warnx("%s: branding mismatch; existing ACL is %s, " + "entry to be merged is %s", filename, + brand_name(prev_acl_brand), brand_name(acl_brand)); + return (-1); + } - if (acl_type == ACL_TYPE_ACCESS) - acl_new = acl_dup(prev_acl[ACCESS_ACL]); - else - acl_new = acl_dup(prev_acl[DEFAULT_ACL]); + acl_new = acl_dup(*prev_acl); if (acl_new == NULL) - err(1, "acl_dup() failed"); + err(1, "%s: acl_dup() failed", filename); entry_id = ACL_FIRST_ENTRY; @@ -94,28 +119,45 @@ merge_acl(acl_t acl, acl_t *prev_acl) /* keep track of existing ACL_MASK entries */ if (acl_get_tag_type(entry, &tag) == -1) - err(1, "acl_get_tag_type() failed - invalid ACL entry"); + err(1, "%s: acl_get_tag_type() failed - " + "invalid ACL entry", filename); if (tag == ACL_MASK) have_mask = 1; /* check against the existing ACL entries */ entry_id_new = ACL_FIRST_ENTRY; - while (have_entry == 0 && - acl_get_entry(acl_new, entry_id_new, &entry_new) == 1) { + while (acl_get_entry(acl_new, entry_id_new, &entry_new) == 1) { entry_id_new = ACL_NEXT_ENTRY; if (acl_get_tag_type(entry, &tag) == -1) - err(1, "acl_get_tag_type() failed"); + err(1, "%s: acl_get_tag_type() failed", + filename); if (acl_get_tag_type(entry_new, &tag_new) == -1) - err(1, "acl_get_tag_type() failed"); + err(1, "%s: acl_get_tag_type() failed", + filename); if (tag != tag_new) continue; + /* + * For NFSv4, in addition to "tag" and "id" we also + * compare "entry_type". + */ + if (acl_brand == ACL_BRAND_NFS4) { + if (acl_get_entry_type_np(entry, &entry_type)) + err(1, "%s: acl_get_entry_type_np() " + "failed", filename); + if (acl_get_entry_type_np(entry_new, &entry_type_new)) + err(1, "%s: acl_get_entry_type_np() " + "failed", filename); + if (entry_type != entry_type_new) + continue; + } + switch(tag) { case ACL_USER: case ACL_GROUP: have_entry = merge_user_group(&entry, - &entry_new); + &entry_new, acl_brand); if (have_entry == 0) break; /* FALLTHROUGH */ @@ -123,37 +165,128 @@ merge_acl(acl_t acl, acl_t *prev_acl) case ACL_GROUP_OBJ: case ACL_OTHER: case ACL_MASK: + case ACL_EVERYONE: if (acl_get_permset(entry, &permset) == -1) - err(1, "acl_get_permset() failed"); + err(1, "%s: acl_get_permset() failed", + filename); if (acl_set_permset(entry_new, permset) == -1) - err(1, "acl_set_permset() failed"); + err(1, "%s: acl_set_permset() failed", + filename); + + if (acl_brand == ACL_BRAND_NFS4) { + if (acl_get_entry_type_np(entry, &entry_type)) + err(1, "%s: acl_get_entry_type_np() failed", + filename); + if (acl_set_entry_type_np(entry_new, entry_type)) + err(1, "%s: acl_set_entry_type_np() failed", + filename); + if (acl_get_flagset_np(entry, &flagset)) + err(1, "%s: acl_get_flagset_np() failed", + filename); + if (acl_set_flagset_np(entry_new, flagset)) + err(1, "%s: acl_set_flagset_np() failed", + filename); + } have_entry = 1; break; default: /* should never be here */ - errx(1, "Invalid tag type: %i", tag); + errx(1, "%s: invalid tag type: %i", filename, tag); break; } } /* if this entry has not been found, it must be new */ if (have_entry == 0) { - if (acl_create_entry(&acl_new, &entry_new) == -1) { - acl_free(acl_new); - return (-1); + + /* + * NFSv4 ACL entries must be prepended to the ACL. + * Appending them at the end makes no sense, since + * in most cases they wouldn't even get evaluated. + */ + if (acl_brand == ACL_BRAND_NFS4) { + if (acl_create_entry_np(&acl_new, &entry_new, entry_number) == -1) { + warn("%s: acl_create_entry_np() failed", filename); + acl_free(acl_new); + return (-1); + } + /* + * Without this increment, adding several + * entries at once, for example + * "setfacl -m user:1:r:allow,user:2:r:allow", + * would make them appear in reverse order. + */ + entry_number++; + } else { + if (acl_create_entry(&acl_new, &entry_new) == -1) { + warn("%s: acl_create_entry() failed", filename); + acl_free(acl_new); + return (-1); + } } if (acl_copy_entry(entry_new, entry) == -1) - err(1, "acl_copy_entry() failed"); + err(1, "%s: acl_copy_entry() failed", filename); } } - if (acl_type == ACL_TYPE_ACCESS) { - acl_free(prev_acl[ACCESS_ACL]); - prev_acl[ACCESS_ACL] = acl_new; - } else { - acl_free(prev_acl[DEFAULT_ACL]); - prev_acl[DEFAULT_ACL] = acl_new; + acl_free(*prev_acl); + *prev_acl = acl_new; + + return (0); +} + +int +add_acl(acl_t acl, uint entry_number, acl_t *prev_acl, const char *filename) +{ + acl_entry_t entry, entry_new; + acl_t acl_new; + int entry_id, acl_brand, prev_acl_brand; + + acl_get_brand_np(acl, &acl_brand); + acl_get_brand_np(*prev_acl, &prev_acl_brand); + + if (prev_acl_brand != ACL_BRAND_NFS4) { + warnx("%s: the '-a' option is only applicable to NFSv4 ACLs", + filename); + return (-1); + } + + if (branding_mismatch(acl_brand, ACL_BRAND_NFS4)) { + warnx("%s: branding mismatch; existing ACL is NFSv4, " + "entry to be added is %s", filename, + brand_name(acl_brand)); + return (-1); + } + + acl_new = acl_dup(*prev_acl); + if (acl_new == NULL) + err(1, "%s: acl_dup() failed", filename); + + entry_id = ACL_FIRST_ENTRY; + + while (acl_get_entry(acl, entry_id, &entry) == 1) { + entry_id = ACL_NEXT_ENTRY; + + if (acl_create_entry_np(&acl_new, &entry_new, entry_number) == -1) { + warn("%s: acl_create_entry_np() failed", filename); + acl_free(acl_new); + return (-1); + } + + /* + * Without this increment, adding several + * entries at once, for example + * "setfacl -m user:1:r:allow,user:2:r:allow", + * would make them appear in reverse order. + */ + entry_number++; + + if (acl_copy_entry(entry_new, entry) == -1) + err(1, "%s: acl_copy_entry() failed", filename); } + acl_free(*prev_acl); + *prev_acl = acl_new; + return (0); } diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/bin/setfacl/remove.c 8.0/bin/setfacl/remove.c --- test/8.0/bin/setfacl/remove.c 2005-01-10 09:39:26.000000000 +0100 +++ 8.0/bin/setfacl/remove.c 2010-01-30 16:49:15.077051034 +0100 @@ -41,21 +41,30 @@ __FBSDID("$FreeBSD: bin/setfacl/remove.c * remove ACL entries from an ACL */ int -remove_acl(acl_t acl, acl_t *prev_acl) +remove_acl(acl_t acl, acl_t *prev_acl, const char *filename) { acl_entry_t entry; acl_t acl_new; acl_tag_t tag; - int carried_error, entry_id; + int carried_error, entry_id, acl_brand, prev_acl_brand; + + carried_error = 0; + + acl_get_brand_np(acl, &acl_brand); + acl_get_brand_np(*prev_acl, &prev_acl_brand); + + if (branding_mismatch(acl_brand, prev_acl_brand)) { + warnx("%s: branding mismatch; existing ACL is %s, " + "entry to be removed is %s", filename, + brand_name(prev_acl_brand), brand_name(acl_brand)); + return (-1); + } carried_error = 0; - if (acl_type == ACL_TYPE_ACCESS) - acl_new = acl_dup(prev_acl[ACCESS_ACL]); - else - acl_new = acl_dup(prev_acl[DEFAULT_ACL]); + acl_new = acl_dup(*prev_acl); if (acl_new == NULL) - err(1, "acl_dup() failed"); + err(1, "%s: acl_dup() failed", filename); tag = ACL_UNDEFINED_TAG; @@ -64,23 +73,68 @@ remove_acl(acl_t acl, acl_t *prev_acl) while (acl_get_entry(acl, entry_id, &entry) == 1) { entry_id = ACL_NEXT_ENTRY; if (acl_get_tag_type(entry, &tag) == -1) - err(1, "acl_get_tag_type() failed"); + err(1, "%s: acl_get_tag_type() failed", filename); if (tag == ACL_MASK) have_mask++; if (acl_delete_entry(acl_new, entry) == -1) { carried_error++; - warnx("cannot remove non-existent acl entry"); + warnx("%s: cannot remove non-existent ACL entry", + filename); } } - if (acl_type == ACL_TYPE_ACCESS) { - acl_free(prev_acl[ACCESS_ACL]); - prev_acl[ACCESS_ACL] = acl_new; - } else { - acl_free(prev_acl[DEFAULT_ACL]); - prev_acl[DEFAULT_ACL] = acl_new; + acl_free(*prev_acl); + *prev_acl = acl_new; + + if (carried_error) + return (-1); + + return (0); +} + +int +remove_by_number(uint entry_number, acl_t *prev_acl, const char *filename) +{ + acl_entry_t entry; + acl_t acl_new; + acl_tag_t tag; + int carried_error, entry_id; + uint i; + + carried_error = 0; + + acl_new = acl_dup(*prev_acl); + if (acl_new == NULL) + err(1, "%s: acl_dup() failed", filename); + + tag = ACL_UNDEFINED_TAG; + + /* + * Find out whether we're removing the mask entry, + * to behave the same as the routine above. + * + * XXX: Is this loop actually needed? + */ + entry_id = ACL_FIRST_ENTRY; + i = 0; + while (acl_get_entry(acl_new, entry_id, &entry) == 1) { + entry_id = ACL_NEXT_ENTRY; + if (i != entry_number) + continue; + if (acl_get_tag_type(entry, &tag) == -1) + err(1, "%s: acl_get_tag_type() failed", filename); + if (tag == ACL_MASK) + have_mask++; + } + + if (acl_delete_entry_np(acl_new, entry_number) == -1) { + carried_error++; + warn("%s: acl_delete_entry_np() failed", filename); } + acl_free(*prev_acl); + *prev_acl = acl_new; + if (carried_error) return (-1); @@ -91,18 +145,14 @@ remove_acl(acl_t acl, acl_t *prev_acl) * remove default entries */ int -remove_default(acl_t *prev_acl) +remove_default(acl_t *prev_acl, const char *filename) { - if (prev_acl[1]) { - acl_free(prev_acl[1]); - prev_acl[1] = acl_init(ACL_MAX_ENTRIES); - if (prev_acl[1] == NULL) - err(1, "acl_init() failed"); - } else { - warn("cannot remove default ACL"); - return (-1); - } + acl_free(*prev_acl); + *prev_acl = acl_init(ACL_MAX_ENTRIES); + if (*prev_acl == NULL) + err(1, "%s: acl_init() failed", filename); + return (0); } @@ -110,71 +160,14 @@ remove_default(acl_t *prev_acl) * remove extended entries */ void -remove_ext(acl_t *prev_acl) +remove_ext(acl_t *prev_acl, const char *filename) { - acl_t acl_new, acl_old; - acl_entry_t entry, entry_new; - acl_permset_t perm; - acl_tag_t tag; - int entry_id, have_mask_entry; - - if (acl_type == ACL_TYPE_ACCESS) - acl_old = acl_dup(prev_acl[ACCESS_ACL]); - else - acl_old = acl_dup(prev_acl[DEFAULT_ACL]); - if (acl_old == NULL) - err(1, "acl_dup() failed"); + acl_t acl_new; - have_mask_entry = 0; - acl_new = acl_init(ACL_MAX_ENTRIES); + acl_new = acl_strip_np(*prev_acl, !n_flag); if (acl_new == NULL) - err(1, "acl_init() failed"); - tag = ACL_UNDEFINED_TAG; - - /* only save the default user/group/other entries */ - entry_id = ACL_FIRST_ENTRY; - while (acl_get_entry(acl_old, entry_id, &entry) == 1) { - entry_id = ACL_NEXT_ENTRY; - - if (acl_get_tag_type(entry, &tag) == -1) - err(1, "acl_get_tag_type() failed"); - - switch(tag) { - case ACL_USER_OBJ: - case ACL_GROUP_OBJ: - case ACL_OTHER: - if (acl_get_tag_type(entry, &tag) == -1) - err(1, "acl_get_tag_type() failed"); - if (acl_get_permset(entry, &perm) == -1) - err(1, "acl_get_permset() failed"); - if (acl_create_entry(&acl_new, &entry_new) == -1) - err(1, "acl_create_entry() failed"); - if (acl_set_tag_type(entry_new, tag) == -1) - err(1, "acl_set_tag_type() failed"); - if (acl_set_permset(entry_new, perm) == -1) - err(1, "acl_get_permset() failed"); - if (acl_copy_entry(entry_new, entry) == -1) - err(1, "acl_copy_entry() failed"); - break; - case ACL_MASK: - have_mask_entry = 1; - break; - default: - break; - } - } - if (have_mask_entry && n_flag == 0) { - if (acl_calc_mask(&acl_new) == -1) - err(1, "acl_calc_mask() failed"); - } else { - have_mask = 1; - } + err(1, "%s: acl_strip_np() failed", filename); - if (acl_type == ACL_TYPE_ACCESS) { - acl_free(prev_acl[ACCESS_ACL]); - prev_acl[ACCESS_ACL] = acl_new; - } else { - acl_free(prev_acl[DEFAULT_ACL]); - prev_acl[DEFAULT_ACL] = acl_new; - } + acl_free(*prev_acl); + *prev_acl = acl_new; } diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/bin/setfacl/setfacl.1 8.0/bin/setfacl/setfacl.1 --- test/8.0/bin/setfacl/setfacl.1 2008-07-07 00:47:10.194225000 +0200 +++ 8.0/bin/setfacl/setfacl.1 2010-01-30 15:57:42.352727047 +0100 @@ -23,9 +23,9 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $FreeBSD: src/bin/setfacl/setfacl.1,v 1.19.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $ +.\" $FreeBSD: releng/8.0/bin/setfacl/setfacl.1 180334 2008-07-06 22:47:10Z csjp $ .\" -.Dd January 7, 2001 +.Dd September 5, 2009 .Dt SETFACL 1 .Os .Sh NAME @@ -34,9 +34,10 @@ .Sh SYNOPSIS .Nm .Op Fl bdhkn +.Op Fl a Ar position entries .Op Fl m Ar entries .Op Fl M Ar file -.Op Fl x Ar entries +.Op Fl x Ar entries | position .Op Fl X Ar file .Op Ar .Sh DESCRIPTION @@ -50,9 +51,19 @@ the file names are taken from the standa .Pp The following options are available: .Bl -tag -width indent +.It Fl a Ar position entries +Modify the ACL on the specified files by inserting new +ACL entries +specified in +.Ar entries , +starting at position +.Ar position , +counting from zero. +This option is only applicable to NFSv4 ACLs. .It Fl b -Remove all ACL entries except for the three required entries. -If the ACL contains a +Remove all ACL entries except for the three required entries +(POSIX.1e ACLs) or six "canonical" entries (NFSv4 ACLs). +If the POSIX.1e ACL contains a .Dq Li mask entry, the permissions of the .Dq Li group @@ -66,7 +77,7 @@ entries of the current ACL. The operations apply to the default ACL entries instead of access ACL entries. Currently only directories may have -default ACL's. +default ACL's. This option is not applicable to NFSv4 ACLs. .It Fl h If the target of the operation is a symbolic link, perform the operation on the symbolic link itself, rather than following the link. @@ -77,7 +88,7 @@ is not considered an error if the specif any default ACL entries. An error will be reported if any of the specified files cannot have a default entry (i.e.\& -non-directories). +non-directories). This option is not applicable to NFSv4 ACLs. .It Fl m Ar entries Modify the ACL entries on the specified files by adding new entries and modifying existing ACL entries with the ACL entries @@ -95,11 +106,15 @@ is the input is taken from stdin. .It Fl n Do not recalculate the permissions associated with the ACL -mask entry. -.It Fl x Ar entries -Remove the ACL entries specified in +mask entry. This option is not applicable to NFSv4 ACLs. +.It Fl x Ar entries | position +If .Ar entries +is specified, remove the ACL entries specified there from the access or default ACL of the specified files. +Otherwise, remove entry at index +.Ar position , +counting from zero. .It Fl X Ar file Remove the ACL entries specified in the file .Ar file @@ -108,8 +123,8 @@ from the access or default ACL of the sp .Pp The above options are evaluated in the order specified on the command-line. -.Sh ACL ENTRIES -An ACL entry contains three colon-separated fields: +.Sh POSIX.1e ACL ENTRIES +A POSIX.1E ACL entry contains three colon-separated fields: an ACL tag, an ACL qualifier, and discretionary access permissions: .Bl -tag -width indent @@ -223,7 +238,7 @@ previously specified; whitespace is igno .Ql # is ignored (comments). .Pp -When ACL entries are evaluated, the access check algorithm checks +When POSIX.1e ACL entries are evaluated, the access check algorithm checks the ACL entries in the following order: file owner, .Dq Li user ACL entries, file owning group, @@ -243,13 +258,135 @@ ACL entries for user, group, other and m For more details see the examples below. Default ACLs can be created by using .Fl d . +.Sh NFSv4 ACL ENTRIES +An NFSv4 ACL entry contains four or five colon-separated fields: an ACL tag, +an ACL qualifier (only for +.Dq Li user +and +.Dq Li group +tags), discretionary access permissions, ACL inheritance flags, and ACL type: +.Bl -tag -width indent +.It Ar "ACL tag" +The ACL tag specifies the ACL entry type and consists of +one of the following: +.Dq Li user +or +.Ql u +specifying the access +granted to the specified user; +.Dq Li group +or +.Ql g +specifying the access granted to the specified group; +.Dq Li owner@ +specifying the access granted to the owner of the file; +.Dq Li group@ +specifying the access granted to the file owning group; +.Dq Li everyone@ +specifying everyone. Note that +.Dq Li everyone@ +is not the same as traditional Unix +.Dq Li other +- it means, +literally, everyone, including file owner and owning group. +.It Ar "ACL qualifier" +The ACL qualifier field describes the user or group associated with +the ACL entry. +It may consist of one of the following: uid or +user name, or gid or group name. In entries whose tag type is +one of +.Dq Li owner@ , +.Dq Li group@ , +or +.Dq Li everyone@ , +this field is ommited altogether, including the trailing comma. +.It Ar "access permissions" +Access permissions may be specified in either short or long form. +Short and long forms may not be mixed. +Permissions in long form are separated by the +.Ql / +character; in short form, they are concatenated together. +Valid permissions are: +.Bl -tag -width ".Dv short" +.It Short +Long +.It r +read_data +.It w +write_data +.It x +execute +.It p +append_data +.It d +delete_child +.It D +delete +.It a +read_attributes +.It A +write_attributes +.It R +read_xattr +.It W +write_xattr +.It c +read_acl +.It C +write_acl +.It o +write_owner +.It S +synchronize +.El +.It Ar "ACL inheritance flags" +Inheritance flags may be specified in either short or long form. +Short and long forms may not be mixed. +Access flags in long form are separated by the +.Ql / +character; in short form, they are concatenated together. +Valid inheritance flags are: +.Bl -tag -width ".Dv short" +.It Short +Long +.It f +file_inherit +.It d +dir_inherit +.It i +inherit_only +.It n +no_propagate +.El +.Pp +Inheritance flags may be only set on directories. +.It Ar "ACL type" +The ACL type field is either +.Dq Li allow +or +.Dq Li deny . +.El +.Pp +ACL entries applied from a file using the +.Fl M +or +.Fl X +options shall be of the following form: one ACL entry per line, as +previously specified; whitespace is ignored; any text after a +.Ql # +is ignored (comments). +.Pp +NFSv4 ACL entries are evaluated in their visible order. +.Pp +Multiple ACL entries specified on the command line are +separated by commas. .Sh EXIT STATUS .Ex -std .Sh EXAMPLES .Dl setfacl -d -m u::rwx,g::rx,o::rx,mask::rwx dir .Dl setfacl -d -m g:admins:rwx dir .Pp -The first command sets the mandatory elements of the default ACL. +The first command sets the mandatory elements of the POSIX.1e default ACL. The second command specifies that users in group admins can have read, write, and execute permissions for directory named "dir". It should be noted that any files or directories created underneath "dir" will @@ -259,9 +396,13 @@ inherit these default ACLs upon creation .Pp Sets read, write, and execute permissions for the .Pa file -owner's ACL entry and read and write permissions for group mail on +owner's POSIX.1e ACL entry and read and write permissions for group mail on .Pa file . .Pp +.Dl setfacl -m owner@:rwxp::allow,g:mail:rwp::allow file +.Pp +Semantically equal to the example above, but for NFSv4 ACL. +.Pp .Dl setfacl -M file1 file2 .Pp Sets/updates the ACL entries contained in @@ -271,10 +412,15 @@ on .Pp .Dl setfacl -x g:mail:rw file .Pp -Remove the group mail ACL entry containing read/write permissions +Remove the group mail POSIX.1e ACL entry containing read/write permissions from .Pa file . .Pp +.Dl setfacl -x0 file +.Pp +Remove the first entry from the NFSv4 ACL from +.Pa file . +.Pp .Dl setfacl -bn file .Pp Remove all diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/bin/setfacl/setfacl.c 8.0/bin/setfacl/setfacl.c --- test/8.0/bin/setfacl/setfacl.c 2008-09-06 15:17:35.620122000 +0200 +++ 8.0/bin/setfacl/setfacl.c 2010-01-30 15:57:42.673611405 +0100 @@ -34,6 +34,7 @@ __FBSDID("$FreeBSD: bin/setfacl/setfacl. #include #include +#include #include #include #include @@ -41,9 +42,8 @@ __FBSDID("$FreeBSD: bin/setfacl/setfacl. #include "setfacl.h" -static void add_filename(const char *filename); -static acl_t *get_file_acls(const char *filename); -static void usage(void); +static void add_filename(const char *filename); +static void usage(void); static void add_filename(const char *filename) @@ -59,57 +59,28 @@ add_filename(const char *filename) TAILQ_INSERT_TAIL(&filelist, file, next); } -static acl_t * -get_file_acls(const char *filename) -{ - acl_t *acl; - struct stat sb; - - if (stat(filename, &sb) == -1) { - warn("stat() of %s failed", filename); - return (NULL); - } - - acl = zmalloc(sizeof(acl_t) * 2); - if (h_flag) - acl[ACCESS_ACL] = acl_get_link_np(filename, ACL_TYPE_ACCESS); - else - acl[ACCESS_ACL] = acl_get_file(filename, ACL_TYPE_ACCESS); - if (acl[ACCESS_ACL] == NULL) - err(1, "acl_get_file() failed"); - if (S_ISDIR(sb.st_mode)) { - if (h_flag) - acl[DEFAULT_ACL] = acl_get_link_np(filename, - ACL_TYPE_DEFAULT); - else - acl[DEFAULT_ACL] = acl_get_file(filename, - ACL_TYPE_DEFAULT); - if (acl[DEFAULT_ACL] == NULL) - err(1, "acl_get_file() failed"); - } else - acl[DEFAULT_ACL] = NULL; - - return (acl); -} - static void usage(void) { - fprintf(stderr, "usage: setfacl [-bdhkn] [-m entries] [-M file] " - "[-x entries] [-X file] [file ...]\n"); + fprintf(stderr, "usage: setfacl [-bdhkn] [-a position entries] " + "[-m entries] [-M file] [-x entries] [-X file] [file ...]\n"); exit(1); } int main(int argc, char *argv[]) { - acl_t *acl, final_acl; + acl_t acl; + acl_type_t acl_type; char filename[PATH_MAX]; - int local_error, carried_error, ch, i; + int local_error, carried_error, ch, i, entry_number, ret; + int h_flag; struct sf_file *file; struct sf_entry *entry; const char *fn_dup; + char *end; + struct stat sb; acl_type = ACL_TYPE_ACCESS; carried_error = local_error = 0; @@ -118,13 +89,13 @@ main(int argc, char *argv[]) TAILQ_INIT(&entrylist); TAILQ_INIT(&filelist); - while ((ch = getopt(argc, argv, "M:X:bdhkm:nx:")) != -1) + while ((ch = getopt(argc, argv, "M:X:a:bdhkm:nx:")) != -1) switch(ch) { case 'M': entry = zmalloc(sizeof(struct sf_entry)); entry->acl = get_acl_from_file(optarg); if (entry->acl == NULL) - err(1, "get_acl_from_file() failed"); + err(1, "%s: get_acl_from_file() failed", optarg); entry->op = OP_MERGE_ACL; TAILQ_INSERT_TAIL(&entrylist, entry, next); break; @@ -134,6 +105,25 @@ main(int argc, char *argv[]) entry->op = OP_REMOVE_ACL; TAILQ_INSERT_TAIL(&entrylist, entry, next); break; + case 'a': + entry = zmalloc(sizeof(struct sf_entry)); + + entry_number = strtol(optarg, &end, 10); + if (end - optarg != (int)strlen(optarg)) + errx(1, "%s: invalid entry number", optarg); + if (entry_number < 0) + errx(1, "%s: entry number cannot be less than zero", optarg); + entry->entry_number = entry_number; + + if (argv[optind] == NULL) + errx(1, "missing ACL"); + entry->acl = acl_from_text(argv[optind]); + if (entry->acl == NULL) + err(1, "%s", argv[optind]); + optind++; + entry->op = OP_ADD_ACL; + TAILQ_INSERT_TAIL(&entrylist, entry, next); + break; case 'b': entry = zmalloc(sizeof(struct sf_entry)); entry->op = OP_REMOVE_EXT; @@ -163,10 +153,18 @@ main(int argc, char *argv[]) break; case 'x': entry = zmalloc(sizeof(struct sf_entry)); - entry->acl = acl_from_text(optarg); - if (entry->acl == NULL) - err(1, "%s", optarg); - entry->op = OP_REMOVE_ACL; + entry_number = strtol(optarg, &end, 10); + if (end - optarg == (int)strlen(optarg)) { + if (entry_number < 0) + errx(1, "%s: entry number cannot be less than zero", optarg); + entry->entry_number = entry_number; + entry->op = OP_REMOVE_BY_NUMBER; + } else { + entry->acl = acl_from_text(optarg); + if (entry->acl == NULL) + err(1, "%s", optarg); + entry->op = OP_REMOVE_ACL; + } TAILQ_INSERT_TAIL(&entrylist, entry, next); break; default: @@ -199,16 +197,51 @@ main(int argc, char *argv[]) /* cycle through each file */ TAILQ_FOREACH(file, &filelist, next) { - /* get our initial access and default ACL's */ - acl = get_file_acls(file->filename); - if (acl == NULL) + local_error = 0; + + if (stat(file->filename, &sb) == -1) { + warn("%s: stat() failed", file->filename); continue; - if ((acl_type == ACL_TYPE_DEFAULT) && !acl[1]) { - warnx("Default ACL not valid for %s", file->filename); + } + + if (acl_type == ACL_TYPE_DEFAULT && S_ISDIR(sb.st_mode) == 0) { + warnx("%s: default ACL may only be set on a directory", + file->filename); continue; } - local_error = 0; + if (h_flag) + ret = lpathconf(file->filename, _PC_ACL_NFS4); + else + ret = pathconf(file->filename, _PC_ACL_NFS4); + if (ret > 0) { + if (acl_type == ACL_TYPE_DEFAULT) { + warnx("%s: there are no default entries " + "in NFSv4 ACLs", file->filename); + continue; + } + acl_type = ACL_TYPE_NFS4; + } else if (ret == 0) { + if (acl_type == ACL_TYPE_NFS4) + acl_type = ACL_TYPE_ACCESS; + } else if (ret < 0 && errno != EINVAL) { + warn("%s: pathconf(..., _PC_ACL_NFS4) failed", + file->filename); + } + + if (h_flag) + acl = acl_get_link_np(file->filename, acl_type); + else + acl = acl_get_file(file->filename, acl_type); + if (acl == NULL) { + if (h_flag) + warn("%s: acl_get_link_np() failed", + file->filename); + else + warn("%s: acl_get_file() failed", + file->filename); + continue; + } /* cycle through each option */ TAILQ_FOREACH(entry, &entrylist, next) { @@ -216,24 +249,44 @@ main(int argc, char *argv[]) continue; switch(entry->op) { + case OP_ADD_ACL: + local_error += add_acl(entry->acl, + entry->entry_number, &acl, file->filename); + break; case OP_MERGE_ACL: - local_error += merge_acl(entry->acl, acl); + local_error += merge_acl(entry->acl, &acl, + file->filename); need_mask = 1; break; case OP_REMOVE_EXT: - remove_ext(acl); + remove_ext(&acl, file->filename); need_mask = 0; break; case OP_REMOVE_DEF: + if (acl_type == ACL_TYPE_NFS4) { + warnx("%s: there are no default entries in NFSv4 ACLs; " + "cannot remove", file->filename); + local_error++; + break; + } if (acl_delete_def_file(file->filename) == -1) { - warn("acl_delete_def_file() failed"); + warn("%s: acl_delete_def_file() failed", + file->filename); local_error++; } - local_error += remove_default(acl); + if (acl_type == ACL_TYPE_DEFAULT) + local_error += remove_default(&acl, + file->filename); need_mask = 0; break; case OP_REMOVE_ACL: - local_error += remove_acl(entry->acl, acl); + local_error += remove_acl(entry->acl, &acl, + file->filename); + need_mask = 1; + break; + case OP_REMOVE_BY_NUMBER: + local_error += remove_by_number(entry->entry_number, + &acl, file->filename); need_mask = 1; break; } @@ -245,35 +298,27 @@ main(int argc, char *argv[]) continue; } - if (acl_type == ACL_TYPE_ACCESS) { - final_acl = acl[ACCESS_ACL]; - acl_free(acl[DEFAULT_ACL]); - } else { - final_acl = acl[DEFAULT_ACL]; - acl_free(acl[ACCESS_ACL]); - } - - if (need_mask && (set_acl_mask(&final_acl) == -1)) { - warnx("failed to set ACL mask on %s", file->filename); + if (acl_type != ACL_TYPE_NFS4 && need_mask && + set_acl_mask(&acl, file->filename) == -1) { + warnx("%s: failed to set ACL mask", file->filename); carried_error++; } else if (h_flag) { if (acl_set_link_np(file->filename, acl_type, - final_acl) == -1) { + acl) == -1) { carried_error++; - warn("acl_set_link_np() failed for %s", + warn("%s: acl_set_link_np() failed", file->filename); } } else { if (acl_set_file(file->filename, acl_type, - final_acl) == -1) { + acl) == -1) { carried_error++; - warn("acl_set_file() failed for %s", + warn("%s: acl_set_file() failed", file->filename); } } - acl_free(final_acl); - free(acl); + acl_free(acl); } return (carried_error); diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/bin/setfacl/setfacl.h 8.0/bin/setfacl/setfacl.h --- test/8.0/bin/setfacl/setfacl.h 2005-01-10 09:39:26.000000000 +0100 +++ 8.0/bin/setfacl/setfacl.h 2010-01-30 16:49:14.777052850 +0100 @@ -38,15 +38,14 @@ #define OP_REMOVE_DEF 0x01 /* remove default acl's (-k) */ #define OP_REMOVE_EXT 0x02 /* remove extended acl's (-b) */ #define OP_REMOVE_ACL 0x03 /* remove acl's (-xX) */ - -/* ACL types for the acl array */ -#define ACCESS_ACL 0 -#define DEFAULT_ACL 1 +#define OP_REMOVE_BY_NUMBER 0x04 /* remove acl's (-xX) by acl entry number */ +#define OP_ADD_ACL 0x05 /* add acls entries at a given position */ /* TAILQ entry for acl operations */ struct sf_entry { uint op; acl_t acl; + uint entry_number; TAILQ_ENTRY(sf_entry) next; }; TAILQ_HEAD(, sf_entry) entrylist; @@ -61,21 +60,23 @@ TAILQ_HEAD(, sf_file) filelist; /* files.c */ acl_t get_acl_from_file(const char *filename); /* merge.c */ -int merge_acl(acl_t acl, acl_t *prev_acl); +int merge_acl(acl_t acl, acl_t *prev_acl, const char *filename); +int add_acl(acl_t acl, uint entry_number, acl_t *prev_acl, const char *filename); /* remove.c */ -int remove_acl(acl_t acl, acl_t *prev_acl); -int remove_default(acl_t *prev_acl); -void remove_ext(acl_t *prev_acl); +int remove_acl(acl_t acl, acl_t *prev_acl, const char *filename); +int remove_by_number(uint entry_number, acl_t *prev_acl, const char *filename); +int remove_default(acl_t *prev_acl, const char *filename); +void remove_ext(acl_t *prev_acl, const char *filename); /* mask.c */ -int set_acl_mask(acl_t *prev_acl); +int set_acl_mask(acl_t *prev_acl, const char *filename); /* util.c */ void *zmalloc(size_t size); +const char *brand_name(int brand); +int branding_mismatch(int brand1, int brand2); -acl_type_t acl_type; uint have_mask; uint need_mask; uint have_stdin; -uint h_flag; uint n_flag; #endif /* _SETFACL_H */ diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/bin/setfacl/util.c 8.0/bin/setfacl/util.c --- test/8.0/bin/setfacl/util.c 2005-01-10 09:39:26.000000000 +0100 +++ 8.0/bin/setfacl/util.c 2010-01-30 16:52:33.104695364 +0100 @@ -43,3 +43,26 @@ zmalloc(size_t size) err(1, "calloc() failed"); return (ptr); } + +const char * +brand_name(int brand) +{ + switch (brand) { + case ACL_BRAND_NFS4: + return "NFSv4"; + case ACL_BRAND_POSIX: + return "POSIX.1e"; + default: + return "unknown"; + } +} + +int +branding_mismatch(int brand1, int brand2) +{ + if (brand1 == ACL_BRAND_UNKNOWN || brand2 == ACL_BRAND_UNKNOWN) + return (0); + if (brand1 != brand2) + return (1); + return (0); +} diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c 8.0/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c --- test/8.0/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c 2008-11-17 21:49:29.675976000 +0100 +++ 8.0/cddl/contrib/opensolaris/cmd/zpool/zpool_main.c 2010-01-31 17:44:46.600470928 +0100 @@ -3488,6 +3488,8 @@ zpool_do_upgrade(int argc, char **argv) (void) printf(gettext(" 11 Improved scrub performance\n")); (void) printf(gettext(" 12 Snapshot properties\n")); (void) printf(gettext(" 13 snapused property\n")); + (void) printf(gettext(" 14 passthrough-x aclinherit " + "support\n")); (void) printf(gettext("For more information on a particular " "version, including supported releases, see:\n\n")); (void) printf("http://www.opensolaris.org/os/community/zfs/" Files test/8.0/share/examples/kld/firmware/fwimage/firmware.img and 8.0/share/examples/kld/firmware/fwimage/firmware.img differ diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/sys/cddl/boot/zfs/zfsimpl.h 8.0/sys/cddl/boot/zfs/zfsimpl.h --- test/8.0/sys/cddl/boot/zfs/zfsimpl.h 2009-05-16 12:48:20.339337000 +0200 +++ 8.0/sys/cddl/boot/zfs/zfsimpl.h 2010-01-31 17:40:23.527689533 +0100 @@ -461,13 +461,14 @@ typedef enum { #define SPA_VERSION_11 11ULL #define SPA_VERSION_12 12ULL #define SPA_VERSION_13 13ULL +#define SPA_VERSION_14 14ULL /* * When bumping up SPA_VERSION, make sure GRUB ZFS understand the on-disk * format change. Go to usr/src/grub/grub-0.95/stage2/{zfs-include/, fsys_zfs*}, * and do the appropriate changes. */ -#define SPA_VERSION SPA_VERSION_13 -#define SPA_VERSION_STRING "13" +#define SPA_VERSION SPA_VERSION_14 +#define SPA_VERSION_STRING "14" /* * Symbolic names for the changes that caused a SPA_VERSION switch. @@ -502,6 +503,7 @@ typedef enum { #define SPA_VERSION_DSL_SCRUB SPA_VERSION_11 #define SPA_VERSION_SNAP_PROPS SPA_VERSION_12 #define SPA_VERSION_USED_BREAKDOWN SPA_VERSION_13 +#define SPA_VERSION_PASSTHROUGH_X SPA_VERSION_14 /* * The following are configuration names used in the nvlist describing a pool's diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/sys/cddl/contrib/opensolaris/common/zfs/zfs_prop.c 8.0/sys/cddl/contrib/opensolaris/common/zfs/zfs_prop.c --- test/8.0/sys/cddl/contrib/opensolaris/common/zfs/zfs_prop.c 2009-05-17 06:04:25.597636000 +0200 +++ 8.0/sys/cddl/contrib/opensolaris/common/zfs/zfs_prop.c 2010-01-31 17:40:19.306498293 +0100 @@ -97,6 +97,7 @@ zfs_prop_init(void) { "restricted", ZFS_ACL_RESTRICTED }, { "passthrough", ZFS_ACL_PASSTHROUGH }, { "secure", ZFS_ACL_RESTRICTED }, /* bkwrd compatability */ + { "passthrough-x", ZFS_ACL_PASSTHROUGH_X }, { NULL } }; @@ -173,7 +174,7 @@ zfs_prop_init(void) "discard | groupmask | passthrough", "ACLMODE", acl_mode_table); register_index(ZFS_PROP_ACLINHERIT, "aclinherit", ZFS_ACL_RESTRICTED, PROP_INHERIT, ZFS_TYPE_FILESYSTEM, - "discard | noallow | restricted | passthrough", + "discard | noallow | restricted | passthrough | passthrough-x", "ACLINHERIT", acl_inherit_table); register_index(ZFS_PROP_COPIES, "copies", 1, PROP_INHERIT, ZFS_TYPE_FILESYSTEM | ZFS_TYPE_VOLUME, diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/sys/zfs_acl.h 8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/sys/zfs_acl.h --- test/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/sys/zfs_acl.h 2009-05-26 10:21:59.949447000 +0200 +++ 8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/sys/zfs_acl.h 2010-01-31 17:40:21.932189546 +0100 @@ -26,8 +26,6 @@ #ifndef _SYS_FS_ZFS_ACL_H #define _SYS_FS_ZFS_ACL_H -#pragma ident "%Z%%M% %I% %E% SMI" - #ifdef _KERNEL #include #endif @@ -180,6 +178,7 @@ typedef struct zfs_acl { #define ZFS_ACL_GROUPMASK 2 #define ZFS_ACL_PASSTHROUGH 3 #define ZFS_ACL_RESTRICTED 4 +#define ZFS_ACL_PASSTHROUGH_X 5 struct znode; struct zfsvfs; diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_acl.c 8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_acl.c --- test/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_acl.c 2009-09-29 12:53:06.049332000 +0200 +++ 8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_acl.c 2010-01-31 17:40:21.114730624 +0100 @@ -1663,7 +1663,8 @@ zfs_ace_can_use(znode_t *zp, uint16_t ac * inherit inheritable ACEs from parent */ static zfs_acl_t * -zfs_acl_inherit(znode_t *zp, zfs_acl_t *paclp, boolean_t *need_chmod) +zfs_acl_inherit(znode_t *zp, zfs_acl_t *paclp, uint64_t mode, + boolean_t *need_chmod) { zfsvfs_t *zfsvfs = zp->z_zfsvfs; void *pacep; @@ -1676,112 +1677,123 @@ zfs_acl_inherit(znode_t *zp, zfs_acl_t * size_t ace_size; void *data1, *data2; size_t data1sz, data2sz; - enum vtype vntype = ZTOV(zp)->v_type; + boolean_t vdir = ZTOV(zp)->v_type == VDIR; + boolean_t vreg = ZTOV(zp)->v_type == VREG; + boolean_t passthrough, passthrough_x, noallow; + + passthrough_x = + zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH_X; + passthrough = passthrough_x || + zfsvfs->z_acl_inherit == ZFS_ACL_PASSTHROUGH; + noallow = + zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW; *need_chmod = B_TRUE; pacep = NULL; aclp = zfs_acl_alloc(paclp->z_version); - if (zfsvfs->z_acl_inherit != ZFS_ACL_DISCARD) { - while (pacep = zfs_acl_next_ace(paclp, pacep, &who, - &access_mask, &iflags, &type)) { + if (zfsvfs->z_acl_inherit == ZFS_ACL_DISCARD) + return (aclp); + while (pacep = zfs_acl_next_ace(paclp, pacep, &who, + &access_mask, &iflags, &type)) { - /* - * don't inherit bogus ACEs - */ - if (!zfs_acl_valid_ace_type(type, iflags)) - continue; + /* + * don't inherit bogus ACEs + */ + if (!zfs_acl_valid_ace_type(type, iflags)) + continue; - if (zfsvfs->z_acl_inherit == ZFS_ACL_NOALLOW && - type == ALLOW) - continue; + if (noallow && type == ALLOW) + continue; - ace_size = aclp->z_ops.ace_size(pacep); + ace_size = aclp->z_ops.ace_size(pacep); - if (!zfs_ace_can_use(zp, iflags)) - continue; + if (!zfs_ace_can_use(zp, iflags)) + continue; - /* - * If owner@, group@, or everyone@ inheritable - * then zfs_acl_chmod() isn't needed. - */ - if (zfsvfs->z_acl_inherit == - ZFS_ACL_PASSTHROUGH && - ((iflags & (ACE_OWNER|ACE_EVERYONE)) || - ((iflags & OWNING_GROUP) == - OWNING_GROUP)) && (vntype == VREG || - (vntype == VDIR && - (iflags & ACE_DIRECTORY_INHERIT_ACE)))) - *need_chmod = B_FALSE; - - aclnode = zfs_acl_node_alloc(ace_size); - list_insert_tail(&aclp->z_acl, aclnode); - acep = aclnode->z_acldata; - zfs_set_ace(aclp, acep, access_mask, type, - who, iflags|ACE_INHERITED_ACE); + /* + * If owner@, group@, or everyone@ inheritable + * then zfs_acl_chmod() isn't needed. + */ + if (passthrough && + ((iflags & (ACE_OWNER|ACE_EVERYONE)) || + ((iflags & OWNING_GROUP) == + OWNING_GROUP)) && (vreg || (vdir && (iflags & + ACE_DIRECTORY_INHERIT_ACE)))) { + *need_chmod = B_FALSE; + + if (!vdir && passthrough_x && + ((mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)) { + access_mask &= ~ACE_EXECUTE; + } + } + + aclnode = zfs_acl_node_alloc(ace_size); + list_insert_tail(&aclp->z_acl, aclnode); + acep = aclnode->z_acldata; + + zfs_set_ace(aclp, acep, access_mask, type, + who, iflags|ACE_INHERITED_ACE); + + /* + * Copy special opaque data if any + */ + if ((data1sz = paclp->z_ops.ace_data(pacep, &data1)) != 0) { + VERIFY((data2sz = aclp->z_ops.ace_data(acep, + &data2)) == data1sz); + bcopy(data1, data2, data2sz); + } + aclp->z_acl_count++; + aclnode->z_ace_count++; + aclp->z_acl_bytes += aclnode->z_size; + newflags = aclp->z_ops.ace_flags_get(acep); + + if (vdir) + aclp->z_hints |= ZFS_INHERIT_ACE; + + if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || !vdir) { + newflags &= ~ALL_INHERIT; + aclp->z_ops.ace_flags_set(acep, + newflags|ACE_INHERITED_ACE); + zfs_restricted_update(zfsvfs, aclp, acep); + continue; + } + + ASSERT(vdir); + + newflags = aclp->z_ops.ace_flags_get(acep); + if ((iflags & (ACE_FILE_INHERIT_ACE | + ACE_DIRECTORY_INHERIT_ACE)) != + ACE_FILE_INHERIT_ACE) { + aclnode2 = zfs_acl_node_alloc(ace_size); + list_insert_tail(&aclp->z_acl, aclnode2); + acep2 = aclnode2->z_acldata; + zfs_set_ace(aclp, acep2, + access_mask, type, who, + iflags|ACE_INHERITED_ACE); + newflags |= ACE_INHERIT_ONLY_ACE; + aclp->z_ops.ace_flags_set(acep, newflags); + newflags &= ~ALL_INHERIT; + aclp->z_ops.ace_flags_set(acep2, + newflags|ACE_INHERITED_ACE); /* * Copy special opaque data if any */ - if ((data1sz = paclp->z_ops.ace_data(pacep, + if ((data1sz = aclp->z_ops.ace_data(acep, &data1)) != 0) { - VERIFY((data2sz = aclp->z_ops.ace_data(acep, + VERIFY((data2sz = + aclp->z_ops.ace_data(acep2, &data2)) == data1sz); - bcopy(data1, data2, data2sz); + bcopy(data1, data2, data1sz); } aclp->z_acl_count++; - aclnode->z_ace_count++; + aclnode2->z_ace_count++; aclp->z_acl_bytes += aclnode->z_size; - newflags = aclp->z_ops.ace_flags_get(acep); - - if (vntype == VDIR) - aclp->z_hints |= ZFS_INHERIT_ACE; - - if ((iflags & ACE_NO_PROPAGATE_INHERIT_ACE) || - (vntype != VDIR)) { - newflags &= ~ALL_INHERIT; - aclp->z_ops.ace_flags_set(acep, - newflags|ACE_INHERITED_ACE); - zfs_restricted_update(zfsvfs, aclp, acep); - continue; - } - - ASSERT(vntype == VDIR); - - newflags = aclp->z_ops.ace_flags_get(acep); - if ((iflags & (ACE_FILE_INHERIT_ACE | - ACE_DIRECTORY_INHERIT_ACE)) != - ACE_FILE_INHERIT_ACE) { - aclnode2 = zfs_acl_node_alloc(ace_size); - list_insert_tail(&aclp->z_acl, aclnode2); - acep2 = aclnode2->z_acldata; - zfs_set_ace(aclp, acep2, - access_mask, type, who, - iflags|ACE_INHERITED_ACE); - newflags |= ACE_INHERIT_ONLY_ACE; - aclp->z_ops.ace_flags_set(acep, newflags); - newflags &= ~ALL_INHERIT; - aclp->z_ops.ace_flags_set(acep2, - newflags|ACE_INHERITED_ACE); - - /* - * Copy special opaque data if any - */ - if ((data1sz = aclp->z_ops.ace_data(acep, - &data1)) != 0) { - VERIFY((data2sz = - aclp->z_ops.ace_data(acep2, - &data2)) == data1sz); - bcopy(data1, data2, data1sz); - } - aclp->z_acl_count++; - aclnode2->z_ace_count++; - aclp->z_acl_bytes += aclnode->z_size; - zfs_restricted_update(zfsvfs, aclp, acep2); - } else { - newflags |= ACE_INHERIT_ONLY_ACE; - aclp->z_ops.ace_flags_set(acep, - newflags|ACE_INHERITED_ACE); - } + zfs_restricted_update(zfsvfs, aclp, acep2); + } else { + newflags |= ACE_INHERIT_ONLY_ACE; + aclp->z_ops.ace_flags_set(acep, + newflags|ACE_INHERITED_ACE); } } return (aclp); @@ -1876,7 +1888,7 @@ zfs_perm_init(znode_t *zp, znode_t *pare mutex_enter(&parent->z_acl_lock); VERIFY(0 == zfs_acl_node_read(parent, &paclp, B_FALSE)); mutex_exit(&parent->z_acl_lock); - aclp = zfs_acl_inherit(zp, paclp, &need_chmod); + aclp = zfs_acl_inherit(zp, paclp, mode, &need_chmod); zfs_acl_free(paclp); } else { aclp = zfs_acl_alloc(zfs_acl_version_zp(zp)); diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c 8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c --- test/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c 2009-09-15 14:21:06.754488000 +0200 +++ 8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c 2010-01-31 17:40:20.771133882 +0100 @@ -1491,6 +1491,14 @@ zfs_set_prop_nvlist(const char *name, nv if (zpl_earlier_version(name, ZPL_VERSION_FUID)) return (ENOTSUP); break; + + case ZFS_PROP_ACLINHERIT: + if (nvpair_type(elem) == DATA_TYPE_UINT64 && + nvpair_value_uint64(elem, &intval) == 0) + if (intval == ZFS_ACL_PASSTHROUGH_X && + zfs_earlier_version(name, + SPA_VERSION_PASSTHROUGH_X)) + return (ENOTSUP); } } diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c 8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c --- test/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c 2010-01-06 22:45:30.661656000 +0100 +++ 8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c 2010-01-30 17:02:01.861161540 +0100 @@ -3851,7 +3851,15 @@ zfs_pathconf(vnode_t *vp, int cmd, ulong #endif case _PC_ACL_EXTENDED: - *valp = 0; /* TODO */ + *valp = 0; + return (0); + + case _PC_ACL_NFS4: + *valp = 1; + return (0); + + case _PC_ACL_PATH_MAX: + *valp = ACL_MAX_ENTRIES; return (0); case _PC_MIN_HOLE_SIZE: @@ -4471,6 +4479,26 @@ zfs_freebsd_pathconf(ap) return (error); } +static int +zfs_freebsd_fifo_pathconf(ap) + struct vop_pathconf_args /* { + struct vnode *a_vp; + int a_name; + register_t *a_retval; + } */ *ap; +{ + + switch (ap->a_name) { + case _PC_ACL_EXTENDED: + case _PC_ACL_NFS4: + case _PC_ACL_PATH_MAX: + case _PC_MAC_PRESENT: + return (zfs_freebsd_pathconf(ap)); + default: + return (fifo_specops.vop_pathconf(ap)); + } +} + /* * FreeBSD's extended attributes namespace defines file name prefix for ZFS' * extended attribute name: @@ -4865,7 +4893,7 @@ zfs_freebsd_getacl(ap) vsecattr_t vsecattr; if (ap->a_type != ACL_TYPE_NFS4) - return (EOPNOTSUPP); + return (EINVAL); vsecattr.vsa_mask = VSA_ACE | VSA_ACECNT; if (error = zfs_getsecattr(ap->a_vp, &vsecattr, 0, ap->a_cred, NULL)) @@ -4894,13 +4922,13 @@ zfs_freebsd_setacl(ap) aclent_t *aaclp; if (ap->a_type != ACL_TYPE_NFS4) - return (EOPNOTSUPP); + return (EINVAL); if (ap->a_aclp->acl_cnt < 1 || ap->a_aclp->acl_cnt > MAX_ACL_ENTRIES) return (EINVAL); /* - * With NFS4 ACLs, chmod(2) may need to add additional entries, + * With NFSv4 ACLs, chmod(2) may need to add additional entries, * splitting every entry into two and appending "canonical six" * entries at the end. Don't allow for setting an ACL that would * cause chmod(2) to run out of ACL entries. @@ -4974,11 +5002,9 @@ struct vop_vector zfs_vnodeops = { .vop_deleteextattr = zfs_deleteextattr, .vop_setextattr = zfs_setextattr, .vop_listextattr = zfs_listextattr, -#ifdef notyet .vop_getacl = zfs_freebsd_getacl, .vop_setacl = zfs_freebsd_setacl, .vop_aclcheck = zfs_freebsd_aclcheck, -#endif }; struct vop_vector zfs_fifoops = { @@ -4991,10 +5017,9 @@ struct vop_vector zfs_fifoops = { .vop_reclaim = zfs_freebsd_reclaim, .vop_setattr = zfs_freebsd_setattr, .vop_write = VOP_PANIC, + .vop_pathconf = zfs_freebsd_fifo_pathconf, .vop_fid = zfs_freebsd_fid, -#ifdef notyet .vop_getacl = zfs_freebsd_getacl, .vop_setacl = zfs_freebsd_setacl, .vop_aclcheck = zfs_freebsd_aclcheck, -#endif }; diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/sys/cddl/contrib/opensolaris/uts/common/sys/fs/zfs.h 8.0/sys/cddl/contrib/opensolaris/uts/common/sys/fs/zfs.h --- test/8.0/sys/cddl/contrib/opensolaris/uts/common/sys/fs/zfs.h 2008-11-17 21:49:29.675976000 +0100 +++ 8.0/sys/cddl/contrib/opensolaris/uts/common/sys/fs/zfs.h 2010-01-31 17:40:22.719953075 +0100 @@ -253,13 +253,14 @@ typedef enum zfs_cache_type { #define SPA_VERSION_11 11ULL #define SPA_VERSION_12 12ULL #define SPA_VERSION_13 13ULL +#define SPA_VERSION_14 14ULL /* * When bumping up SPA_VERSION, make sure GRUB ZFS understands the on-disk * format change. Go to usr/src/grub/grub-0.95/stage2/{zfs-include/, fsys_zfs*}, * and do the appropriate changes. */ -#define SPA_VERSION SPA_VERSION_13 -#define SPA_VERSION_STRING "13" +#define SPA_VERSION SPA_VERSION_14 +#define SPA_VERSION_STRING "14" /* * Symbolic names for the changes that caused a SPA_VERSION switch. @@ -294,6 +295,7 @@ typedef enum zfs_cache_type { #define SPA_VERSION_DSL_SCRUB SPA_VERSION_11 #define SPA_VERSION_SNAP_PROPS SPA_VERSION_12 #define SPA_VERSION_USED_BREAKDOWN SPA_VERSION_13 +#define SPA_VERSION_PASSTHROUGH_X SPA_VERSION_14 /* * ZPL version - rev'd whenever an incompatible on-disk format change diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/tools/regression/acltools/00.t 8.0/tools/regression/acltools/00.t --- test/8.0/tools/regression/acltools/00.t 2008-11-25 19:29:33.849572000 +0100 +++ 8.0/tools/regression/acltools/00.t 2010-01-31 03:23:25.075843188 +0100 @@ -1,6 +1,33 @@ #!/bin/sh # -# This is a wrapper script to run tools-posix.test. +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD: releng/8.0/tools/regression/acltools/00.t 185304 2008-11-25 18:29:33Z trasz $ +# + +# This is a wrapper script to run tools-posix.test on UFS filesystem. # # If any of the tests fails, here is how to debug it: go to # the directory with problematic filesystem mounted on it, @@ -9,9 +36,6 @@ # /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-posix.test # # Output should be obvious. -# -# $FreeBSD: src/tools/regression/acltools/00.t,v 1.1.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $ -# echo "1..4" @@ -59,4 +83,3 @@ rmdir $MNT mdconfig -du $MD echo "ok 4" - diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/tools/regression/acltools/01.t 8.0/tools/regression/acltools/01.t --- test/8.0/tools/regression/acltools/01.t 1970-01-01 01:00:00.000000000 +0100 +++ 8.0/tools/regression/acltools/01.t 2010-01-31 03:19:21.232863277 +0100 @@ -0,0 +1,86 @@ +#!/bin/sh +# +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD: releng/8.0/tools/regression/acltools/01.t 196938 2009-09-07 16:26:03Z trasz $ +# + +# This is a wrapper script to run tools-nfs4.test on ZFS filesystem. +# +# WARNING: It uses hardcoded ZFS pool name "acltools" +# +# If any of the tests fails, here is how to debug it: go to +# the directory with problematic filesystem mounted on it, +# and do /path/to/test run /path/to/test tools-nfs4.test, e.g. +# +# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test +# +# Output should be obvious. + +echo "1..4" + +if [ `whoami` != "root" ]; then + echo "not ok 1 - you need to be root to run this test." + exit 1 +fi + +TESTDIR=`dirname $0` + +# Set up the test filesystem. +MD=`mdconfig -at swap -s 64m` +MNT=`mktemp -dt acltools` +zpool create -R $MNT acltools /dev/$MD +if [ $? -ne 0 ]; then + echo "not ok 1 - 'zpool create' failed." + exit 1 +fi + +echo "ok 1" + +cd $MNT + +# First, check whether we can crash the kernel by creating too many +# entries. For some reason this won't work in the test file. +touch xxx +setfacl -x5 xxx +while :; do setfacl -a0 u:42:rwx:allow xxx 2> /dev/null; if [ $? -ne 0 ]; then break; fi; done +chmod 600 xxx +rm xxx +echo "ok 2" + +perl $TESTDIR/run $TESTDIR/tools-nfs4.test > /dev/null + +if [ $? -eq 0 ]; then + echo "ok 3" +else + echo "not ok 3" +fi + +cd / +zpool destroy -f acltools +rmdir $MNT +mdconfig -du $MD + +echo "ok 4" diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/tools/regression/acltools/03.t 8.0/tools/regression/acltools/03.t --- test/8.0/tools/regression/acltools/03.t 1970-01-01 01:00:00.000000000 +0100 +++ 8.0/tools/regression/acltools/03.t 2010-01-31 03:23:25.075843188 +0100 @@ -0,0 +1,110 @@ +#!/bin/sh +# +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD: releng/8.0/tools/regression/acltools/03.t 197436 2009-09-23 15:12:20Z trasz $ +# + +# This is a wrapper script to run tools-crossfs.test between UFS without +# ACLs, UFS with POSIX.1e ACLs, and ZFS with NFSv4 ACLs. +# +# WARNING: It uses hardcoded ZFS pool name "acltools" +# +# Output should be obvious. + +echo "1..5" + +if [ `whoami` != "root" ]; then + echo "not ok 1 - you need to be root to run this test." + exit 1 +fi + +TESTDIR=`dirname $0` +MNTROOT=`mktemp -dt acltools` + +# Set up the test filesystems. +MD1=`mdconfig -at swap -s 64m` +MNT1=$MNTROOT/nfs4 +mkdir $MNT1 +zpool create -R $MNT1 acltools /dev/$MD1 +if [ $? -ne 0 ]; then + echo "not ok 1 - 'zpool create' failed." + exit 1 +fi + +echo "ok 1" + +MD2=`mdconfig -at swap -s 10m` +MNT2=$MNTROOT/posix +mkdir $MNT2 +newfs /dev/$MD2 > /dev/null +mount -o acls /dev/$MD2 $MNT2 +if [ $? -ne 0 ]; then + echo "not ok 2 - mount failed." + exit 1 +fi + +echo "ok 2" + +MD3=`mdconfig -at swap -s 10m` +MNT3=$MNTROOT/none +mkdir $MNT3 +newfs /dev/$MD3 > /dev/null +mount /dev/$MD3 $MNT3 +if [ $? -ne 0 ]; then + echo "not ok 3 - mount failed." + exit 1 +fi + +echo "ok 3" + +cd $MNTROOT + +perl $TESTDIR/run $TESTDIR/tools-crossfs.test > /dev/null + +if [ $? -eq 0 ]; then + echo "ok 4" +else + echo "not ok 4" +fi + +cd / + +umount -f $MNT3 +rmdir $MNT3 +mdconfig -du $MD3 + +umount -f $MNT2 +rmdir $MNT2 +mdconfig -du $MD2 + +zpool destroy -f acltools +rmdir $MNT1 +mdconfig -du $MD1 + +rmdir $MNTROOT + +echo "ok 5" + diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/tools/regression/acltools/aclfuzzer.sh 8.0/tools/regression/acltools/aclfuzzer.sh --- test/8.0/tools/regression/acltools/aclfuzzer.sh 1970-01-01 01:00:00.000000000 +0100 +++ 8.0/tools/regression/acltools/aclfuzzer.sh 2010-01-31 03:21:51.947621945 +0100 @@ -0,0 +1,225 @@ +#!/bin/sh +# +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD: releng/8.0/tools/regression/acltools/aclfuzzer.sh 197434 2009-09-23 15:06:51Z trasz $ +# + +# This is an NFSv4 ACL fuzzer. It expects to be run by non-root in a scratch +# directory on a filesystem with NFSv4 ACLs support. Output it generates +# is expected to be fed to /usr/src/tools/regression/acltools/run script. + +NUMBER_OF_COMMANDS=300 + +run_command() +{ + echo "\$ $1" + eval $1 2>&1 | sed 's/^/> /' +} + +rnd_from_0_to() +{ + max=`expr $1 + 1` + rnd=`jot -r 1` + rnd=`expr $rnd % $max` + + echo $rnd +} + +rnd_path() +{ + rnd=`rnd_from_0_to 3` + case $rnd in + 0) echo "$TMP/aaa" ;; + 1) echo "$TMP/bbb" ;; + 2) echo "$TMP/aaa/ccc" ;; + 3) echo "$TMP/bbb/ddd" ;; + esac +} + +f_prepend_random_acl_on() +{ + rnd=`rnd_from_0_to 4` + case $rnd in + 0) u="owner@" ;; + 1) u="group@" ;; + 2) u="everyone@" ;; + 3) u="u:1138" ;; + 4) u="g:1138" ;; + esac + + p="" + while :; do + rnd=`rnd_from_0_to 30` + if [ -n "$p" -a $rnd -ge 14 ]; then + break; + fi + + case $rnd in + 0) p="${p}r" ;; + 1) p="${p}w" ;; + 2) p="${p}x" ;; + 3) p="${p}p" ;; + 4) p="${p}d" ;; + 5) p="${p}D" ;; + 6) p="${p}a" ;; + 7) p="${p}A" ;; + 8) p="${p}R" ;; + 9) p="${p}W" ;; + 10) p="${p}R" ;; + 11) p="${p}c" ;; + 12) p="${p}C" ;; + 13) p="${p}o" ;; + 14) p="${p}s" ;; + esac + done + + f="" + while :; do + rnd=`rnd_from_0_to 10` + if [ $rnd -ge 6 ]; then + break; + fi + + case $rnd in + 0) f="${f}f" ;; + 1) f="${f}d" ;; + 2) f="${f}n" ;; + 3) f="${f}i" ;; + esac + done + + rnd=`rnd_from_0_to 1` + case $rnd in + 0) x="allow" ;; + 1) x="deny" ;; + esac + + acl="$u:$p:$f:$x" + + file=`rnd_path` + run_command "setfacl -a0 $acl $file" +} + +f_getfacl() +{ + file=`rnd_path` + run_command "getfacl -qn $file" +} + +f_ls_mode() +{ + file=`rnd_path` + run_command "ls -al $file | sed -n '2p' | cut -d' ' -f1" +} + +f_chmod() +{ + b1=`rnd_from_0_to 7` + b2=`rnd_from_0_to 7` + b3=`rnd_from_0_to 7` + b4=`rnd_from_0_to 7` + file=`rnd_path` + + run_command "chmod $b1$b2$b3$b4 $file $2" +} + +f_touch() +{ + file=`rnd_path` + run_command "touch $file" +} + +f_rm() +{ + file=`rnd_path` + run_command "rm -f $file" +} + +f_mkdir() +{ + file=`rnd_path` + run_command "mkdir $file" +} + +f_rmdir() +{ + file=`rnd_path` + run_command "rmdir $file" +} + +f_mv() +{ + from=`rnd_path` + to=`rnd_path` + run_command "mv -f $from $to" +} + +# XXX: To be implemented: chown(8), setting times with touch(1). + +switch_to_random_user() +{ + # XXX: To be implemented. +} + +execute_random_command() +{ + rnd=`rnd_from_0_to 20` + + case $rnd in + 0|10|11|12|13|15) cmd=f_prepend_random_acl_on ;; + 1) cmd=f_getfacl ;; + 2) cmd=f_ls_mode ;; + 3) cmd=f_chmod ;; + 4|18|19) cmd=f_touch ;; + 5) cmd=f_rm ;; + 6|16|17) cmd=f_mkdir ;; + 7) cmd=f_rmdir ;; + 8) cmd=f_mv ;; + esac + + $cmd "XXX" +} + +echo "# Fuzzing; will stop after $NUMBER_OF_COMMANDS commands." +TMP="aclfuzzer_`dd if=/dev/random bs=1k count=1 2>/dev/null | openssl md5`" + +run_command "whoami" +umask 022 +run_command "umask 022" +run_command "mkdir $TMP" + +i=0; +while [ "$i" -lt "$NUMBER_OF_COMMANDS" ]; do + switch_to_random_user + execute_random_command + i=`expr $i + 1` +done + +run_command "find $TMP -exec setfacl -a0 everyone@:rxd:allow {} \;" +run_command "rm -rfv $TMP" + +echo "# Fuzzed, thank you." + diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/tools/regression/acltools/tools-crossfs.test 8.0/tools/regression/acltools/tools-crossfs.test --- test/8.0/tools/regression/acltools/tools-crossfs.test 1970-01-01 01:00:00.000000000 +0100 +++ 8.0/tools/regression/acltools/tools-crossfs.test 2010-01-31 03:24:48.477469291 +0100 @@ -0,0 +1,331 @@ +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD: releng/8.0/tools/regression/acltools/tools-crossfs.test 197436 2009-09-23 15:12:20Z trasz $ +# + +# This is a tools-level test intended to verify that cp(1) and mv(1) +# do the right thing with respect to ACLs. Run it as root using +# ACL-enabled kernel: +# +# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test +# +# You need to have three subdirectories, named nfs4, posix and none, +# with filesystems with NFSv4 ACLs, POSIX.1e ACLs and no ACLs enabled, +# respectively, mounted on them, in your current directory. +# +# WARNING: Creates files in unsafe way. + +$ whoami +> root +$ umask 022 + +$ touch nfs4/xxx +$ getfacl -nq nfs4/xxx +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> group@:-wxp----------:------:deny +> group@:r-------------:------:allow +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow + +$ touch posix/xxx +$ getfacl -nq posix/xxx +> user::rw- +> group::r-- +> other::r-- + +# mv with POSIX.1e ACLs. +$ rm -f posix/xxx +$ rm -f posix/yyy +$ touch posix/xxx +$ chmod 456 posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -r--r-xrw- +$ setfacl -m u:42:x,g:43:w posix/xxx +$ mv posix/xxx posix/yyy +$ getfacl -nq posix/yyy +> user::r-- +> user:42:--x +> group::r-x +> group:43:-w- +> mask::rwx +> other::rw- +$ ls -l posix/yyy | cut -d' ' -f1 +> -r--rwxrw-+ + +# mv from POSIX.1e to none. +$ rm -f posix/xxx +$ rm -f none/xxx +$ touch posix/xxx +$ chmod 345 posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> --wxrwxr-x+ +$ mv posix/xxx none/xxx +> mv: failed to set acl entries for none/xxx: Operation not supported +$ ls -l none/xxx | cut -d' ' -f1 +> --wxrwxr-x + +# mv from POSIX.1e to NFSv4. +$ rm -f posix/xxx +$ rm -f nfs4/xxx +$ touch posix/xxx +$ chmod 456 posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -r--rwxrw-+ +$ mv posix/yyy nfs4/xxx +> mv: failed to set acl entries for nfs4/xxx: Invalid argument +$ getfacl -nq nfs4/xxx +> owner@:-wxp----------:------:deny +> owner@:r------A-W-Co-:------:allow +> group@:--------------:------:deny +> group@:rwxp----------:------:allow +> everyone@:--x----A-W-Co-:------:deny +> everyone@:rw-p--a-R-c--s:------:allow +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -r--rwxrw- + +# mv with NFSv4 ACLs. +$ rm -f nfs4/xxx +$ rm -f nfs4/yyy +$ touch nfs4/xxx +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ mv nfs4/xxx nfs4/yyy +$ getfacl -nq nfs4/yyy +> user:42:--x-----------:------:allow +> group:43:-w------------:------:allow +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> group@:-wxp----------:------:deny +> group@:r-------------:------:allow +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow +$ ls -l nfs4/yyy | cut -d' ' -f1 +> -rw-r--r--+ + +# mv from NFSv4 to POSIX.1e without any ACLs. +$ rm -f nfs4/xxx +$ rm -f posix/xxx +$ touch nfs4/xxx +$ chmod 456 nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -r--r-xrw- +$ mv nfs4/xxx posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -r--r-xrw- + +# mv from NFSv4 to none. +$ rm -f nfs4/xxx +$ rm -f none/xxx +$ touch nfs4/xxx +$ chmod 345 nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> --wxr--r-x +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> --wxr--r-x+ +$ mv nfs4/xxx none/xxx +> mv: failed to set acl entries for none/xxx: Operation not supported +$ ls -l none/xxx | cut -d' ' -f1 +> --wxr--r-x + +# mv from NFSv4 to POSIX.1e. +$ rm -f nfs4/xxx +$ rm -f posix/xxx +$ touch nfs4/xxx +$ chmod 345 nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> --wxr--r-x +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> --wxr--r-x+ +$ mv nfs4/xxx posix/xxx +> mv: failed to set acl entries for posix/xxx: Invalid argument +$ ls -l posix/xxx | cut -d' ' -f1 +> --wxr--r-x + +# cp with POSIX.1e ACLs. +$ rm -f posix/xxx +$ rm -f posix/yyy +$ touch posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -rw-rwxr--+ +$ cp posix/xxx posix/yyy +$ ls -l posix/yyy | cut -d' ' -f1 +> -rw-r-xr-- + +# cp -p with POSIX.1e ACLs. +$ rm -f posix/xxx +$ rm -f posix/yyy +$ touch posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ getfacl -nq posix/xxx +> user::rw- +> user:42:--x +> group::r-- +> group:43:-w- +> mask::rwx +> other::r-- +$ ls -l posix/xxx | cut -d' ' -f1 +> -rw-rwxr--+ +$ cp -p posix/xxx posix/yyy +$ getfacl -nq posix/yyy +> user::rw- +> user:42:--x +> group::r-- +> group:43:-w- +> mask::rwx +> other::r-- +$ ls -l posix/yyy | cut -d' ' -f1 +> -rw-rwxr--+ + +# cp from POSIX.1e to none. +$ rm -f posix/xxx +$ rm -f none/xxx +$ touch posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -rw-rwxr--+ +$ cp posix/xxx none/xxx +$ ls -l none/xxx | cut -d' ' -f1 +> -rw-r-xr-- + +# cp -p from POSIX.1e to none. +$ rm -f posix/xxx +$ rm -f none/xxx +$ touch posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -rw-rwxr--+ +$ cp -p posix/xxx none/xxx +> cp: failed to set acl entries for none/xxx: Operation not supported +$ ls -l none/xxx | cut -d' ' -f1 +> -rw-rwxr-- + +# cp from POSIX.1e to NFSv4. +$ rm -f posix/xxx +$ rm -f nfs4/xxx +$ touch posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -rw-rwxr--+ +$ cp posix/xxx nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -rw-r-xr-- + +# cp -p from POSIX.1e to NFSv4. +$ rm -f posix/xxx +$ rm -f nfs4/xxx +$ touch posix/xxx +$ setfacl -m u:42:x,g:43:w posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -rw-rwxr--+ +$ cp -p posix/xxx nfs4/xxx +> cp: failed to set acl entries for nfs4/xxx: Invalid argument +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -rw-rwxr-- + +# cp with NFSv4 ACLs. +$ rm -f nfs4/xxx +$ rm -f nfs4/yyy +$ touch nfs4/xxx +$ chmod 543 nfs4/xxx +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -r-xr---wx+ +$ cp nfs4/xxx nfs4/yyy +$ ls -l nfs4/yyy | cut -d' ' -f1 +> -r-xr----x + +# cp -p with NFSv4 ACLs. +$ rm -f nfs4/xxx +$ rm -f nfs4/yyy +$ touch nfs4/xxx +$ chmod 543 nfs4/xxx +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ cp -p nfs4/xxx nfs4/yyy +$ getfacl -nq nfs4/yyy +> user:42:--x-----------:------:allow +> group:43:-w------------:------:allow +> owner@:-w-p----------:------:deny +> owner@:r-x----A-W-Co-:------:allow +> group@:-wxp----------:------:deny +> group@:r-------------:------:allow +> everyone@:r------A-W-Co-:------:deny +> everyone@:-wxp--a-R-c--s:------:allow +$ ls -l nfs4/yyy | cut -d' ' -f1 +> -r-xr---wx+ + +# cp from NFSv4 to none. +$ rm -f nfs4/xxx +$ rm -f none/xxx +$ touch nfs4/xxx +$ chmod 543 nfs4/xxx +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -r-xr---wx+ +$ cp nfs4/xxx none/xxx +$ ls -l none/xxx | cut -d' ' -f1 +> -r-xr----x + +# cp -p from NFSv4 to none. +$ rm -f nfs4/xxx +$ rm -f none/xxx +$ touch nfs4/xxx +$ chmod 543 nfs4/xxx +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -r-xr---wx+ +$ cp -p nfs4/xxx none/xxx +> cp: failed to set acl entries for none/xxx: Operation not supported +$ ls -l none/xxx | cut -d' ' -f1 +> -r-xr---wx + +# cp from NFSv4 to POSIX.1e. +$ rm -f nfs4/xxx +$ rm -f posix/xxx +$ touch nfs4/xxx +$ chmod 543 nfs4/xxx +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -r-xr---wx+ +$ cp nfs4/xxx posix/xxx +$ ls -l posix/xxx | cut -d' ' -f1 +> -r-xr----x + +# cp -p from NFSv4 to POSIX.1e. +$ rm -f nfs4/xxx +$ rm -f posix/xxx +$ touch nfs4/xxx +$ chmod 543 nfs4/xxx +$ setfacl -a0 u:42:x:allow,g:43:w:allow nfs4/xxx +$ ls -l nfs4/xxx | cut -d' ' -f1 +> -r-xr---wx+ +$ cp -p nfs4/xxx posix/xxx +> cp: failed to set acl entries for posix/xxx: Invalid argument +$ ls -l posix/xxx | cut -d' ' -f1 +> -r-xr---wx diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/tools/regression/acltools/tools-nfs4.test 8.0/tools/regression/acltools/tools-nfs4.test --- test/8.0/tools/regression/acltools/tools-nfs4.test 1970-01-01 01:00:00.000000000 +0100 +++ 8.0/tools/regression/acltools/tools-nfs4.test 2010-01-31 03:19:21.232863277 +0100 @@ -0,0 +1,829 @@ +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD: releng/8.0/tools/regression/acltools/tools-nfs4.test 196938 2009-09-07 16:26:03Z trasz $ +# + +# This is a tools-level test for NFSv4 ACL functionality. Run it as root +# using ACL-enabled kernel: +# +# /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-nfs4.test +# +# WARNING: Creates files in unsafe way. + +$ whoami +> root +$ umask 022 + +# Smoke test for getfacl(1). +$ touch xxx +$ getfacl xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> group@:-wxp----------:------:deny +> group@:r-------------:------:allow +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow + +$ getfacl -q xxx +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> group@:-wxp----------:------:deny +> group@:r-------------:------:allow +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow + +# Check verbose mode formatting. +$ getfacl -v xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:execute::deny +> owner@:read_data/write_data/append_data/write_attributes/write_xattr/write_acl/write_owner::allow +> group@:write_data/execute/append_data::deny +> group@:read_data::allow +> everyone@:write_data/execute/append_data/write_attributes/write_xattr/write_acl/write_owner::deny +> everyone@:read_data/read_attributes/read_xattr/read_acl/synchronize::allow + +# Test setfacl -a. +$ setfacl -a2 u:0:write_acl:allow,g:1:read_acl:deny xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> user:0:-----------C--:------:allow +> group:1:----------c---:------:deny +> group@:-wxp----------:------:deny +> group@:r-------------:------:allow +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow + +# Test user and group name resolving. +$ rm xxx +$ touch xxx +$ setfacl -a2 u:root:write_acl:allow,g:daemon:read_acl:deny xxx +$ getfacl xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> user:root:-----------C--:------:allow +> group:daemon:----------c---:------:deny +> group@:-wxp----------:------:deny +> group@:r-------------:------:allow +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow + +# Check whether ls correctly marks files with "+". +$ ls -l xxx | cut -d' ' -f1 +> -rw-r--r--+ + +# Test removing entries by number. +$ setfacl -x 4 xxx +$ setfacl -x 4 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> user:0:-----------C--:------:allow +> group:1:----------c---:------:deny +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow + +# Test setfacl -m. +$ setfacl -a0 everyone@:rwx:deny xxx +$ setfacl -a0 everyone@:rwx:deny xxx +$ setfacl -a0 everyone@:rwx:deny xxx +$ setfacl -m everyone@::deny xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> everyone@:--------------:------:deny +> everyone@:--------------:------:deny +> everyone@:--------------:------:deny +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> user:0:-----------C--:------:allow +> group:1:----------c---:------:deny +> everyone@:--------------:------:deny +> everyone@:r-----a-R-c--s:------:allow + +# Test getfacl -i. +$ getfacl -i xxx +> # file: xxx +> # owner: root +> # group: wheel +> everyone@:--------------:------:deny +> everyone@:--------------:------:deny +> everyone@:--------------:------:deny +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> user:root:-----------C--:------:allow:0 +> group:daemon:----------c---:------:deny:1 +> everyone@:--------------:------:deny +> everyone@:r-----a-R-c--s:------:allow + +# Make sure cp without any flags does not copy copy the ACL. +$ cp xxx yyy +$ ls -l yyy | cut -d' ' -f1 +> -rw-r--r-- + +# Make sure it does with the "-p" flag. +$ rm yyy +$ cp -p xxx yyy +$ getfacl -n yyy +> # file: yyy +> # owner: root +> # group: wheel +> everyone@:--------------:------:deny +> everyone@:--------------:------:deny +> everyone@:--------------:------:deny +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> user:0:-----------C--:------:allow +> group:1:----------c---:------:deny +> everyone@:--------------:------:deny +> everyone@:r-----a-R-c--s:------:allow + +$ rm yyy + +# Test removing entries by... by example? +$ setfacl -x everyone@::deny xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> user:0:-----------C--:------:allow +> group:1:----------c---:------:deny +> everyone@:r-----a-R-c--s:------:allow + +# Test setfacl -b. +$ setfacl -b xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> group@:-wxp----------:------:deny +> group@:r-------------:------:allow +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow + +$ ls -l xxx | cut -d' ' -f1 +> -rw-r--r-- + +# Check setfacl(1) and getfacl(1) with multiple files. +$ touch xxx yyy zzz + +$ ls -l xxx yyy zzz | cut -d' ' -f1 +> -rw-r--r-- +> -rw-r--r-- +> -rw-r--r-- + +$ setfacl -m u:42:x:allow,g:43:w:allow nnn xxx yyy zzz +> setfacl: nnn: stat() failed: No such file or directory + +$ ls -l nnn xxx yyy zzz | cut -d' ' -f1 +> ls: nnn: No such file or directory +> -rw-r--r--+ +> -rw-r--r--+ +> -rw-r--r--+ + +$ getfacl -nq nnn xxx yyy zzz +> getfacl: nnn: stat() failed: No such file or directory +> user:42:--x-----------:------:allow +> group:43:-w------------:------:allow +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> group@:-wxp----------:------:deny +> group@:r-------------:------:allow +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow +> +> user:42:--x-----------:------:allow +> group:43:-w------------:------:allow +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> group@:-wxp----------:------:deny +> group@:r-------------:------:allow +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow +> +> user:42:--x-----------:------:allow +> group:43:-w------------:------:allow +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> group@:-wxp----------:------:deny +> group@:r-------------:------:allow +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow + +$ setfacl -b nnn xxx yyy zzz +> setfacl: nnn: stat() failed: No such file or directory + +$ ls -l nnn xxx yyy zzz | cut -d' ' -f1 +> ls: nnn: No such file or directory +> -rw-r--r-- +> -rw-r--r-- +> -rw-r--r-- + +$ rm xxx yyy zzz + +# Test applying mode to an ACL. +$ touch xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow -x everyone@::allow xxx +$ chmod 600 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user:42:r-------------:------:deny +> user:42:r-------------:------:allow +> user:43:-w------------:------:deny +> user:43:-w------------:------:allow +> user:44:--x-----------:------:deny +> user:44:--x-----------:------:allow +> owner@:--------------:------:deny +> owner@:-------A-W-Co-:------:allow +> group@:--------------:------:deny +> group@:--------------:------:allow +> everyone@:-------A-W-Co-:------:deny +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> group@:rwxp----------:------:deny +> group@:--------------:------:allow +> everyone@:rwxp---A-W-Co-:------:deny +> everyone@:------a-R-c--s:------:allow +$ ls -l xxx | cut -d' ' -f1 +> -rw-------+ + +$ rm xxx +$ touch xxx +$ chown 42 xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx +$ chmod 600 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: 42 +> # group: wheel +> user:42:--------------:------:deny +> user:42:r-------------:------:allow +> user:43:-w------------:------:deny +> user:43:-w------------:------:allow +> user:44:--x-----------:------:deny +> user:44:--x-----------:------:allow +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> group@:rwxp----------:------:deny +> group@:--------------:------:allow +> everyone@:rwxp---A-W-Co-:------:deny +> everyone@:------a-R-c--s:------:allow +$ ls -l xxx | cut -d' ' -f1 +> -rw-------+ + +$ rm xxx +$ touch xxx +$ chown 43 xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx +$ chmod 124 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: 43 +> # group: wheel +> user:42:r-------------:------:deny +> user:42:r-------------:------:allow +> user:43:-w------------:------:deny +> user:43:-w------------:------:allow +> user:44:--x-----------:------:deny +> user:44:--x-----------:------:allow +> owner@:rw-p----------:------:deny +> owner@:--x----A-W-Co-:------:allow +> group@:r-x-----------:------:deny +> group@:-w-p----------:------:allow +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow +$ ls -l xxx | cut -d' ' -f1 +> ---x-w-r--+ + +$ rm xxx +$ touch xxx +$ chown 43 xxx +$ setfacl -a0 user:42:r:allow,user:43:w:deny,user:43:w:allow,user:44:x:allow xxx +$ chmod 412 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: 43 +> # group: wheel +> user:42:r-------------:------:deny +> user:42:r-------------:------:allow +> user:43:-w------------:------:deny +> user:43:-w------------:------:allow +> user:44:--------------:------:deny +> user:44:--x-----------:------:allow +> owner@:-wxp----------:------:deny +> owner@:r------A-W-Co-:------:allow +> group@:rw-p----------:------:deny +> group@:--x-----------:------:allow +> everyone@:r-x----A-W-Co-:------:deny +> everyone@:-w-p--a-R-c--s:------:allow +$ ls -l xxx | cut -d' ' -f1 +> -r----x-w-+ + +$ mkdir ddd +$ setfacl -a0 group:44:rwapd:allow ddd +$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd +$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd +$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd +$ getfacl -n ddd +> # file: ddd +> # owner: root +> # group: wheel +> user:42:r-x-----------:f-i---:allow +> group:42:-w--D---------:-d----:allow +> group:43:-w--D---------:-d----:deny +> group@:-----da-------:------:allow +> group:44:rw-p-da-------:------:allow +> owner@:--------------:------:deny +> owner@:rwxp---A-W-Co-:------:allow +> group@:-w-p----------:------:deny +> group@:r-x-----------:------:allow +> everyone@:-w-p---A-W-Co-:------:deny +> everyone@:-w-p--a-R-c--s:f-i---:allow +$ chmod 777 ddd +$ getfacl -n ddd +> # file: ddd +> # owner: root +> # group: wheel +> user:42:r-x-----------:f-i---:allow +> group:42:-w--D---------:-di---:allow +> group:42:--------------:------:deny +> group:42:-w--D---------:------:allow +> group:43:-w--D---------:-di---:deny +> group:43:-w--D---------:------:deny +> group@:-----da-------:------:allow +> group:44:--------------:------:deny +> group:44:rw-p-da-------:------:allow +> owner@:--------------:------:deny +> owner@:-------A-W-Co-:------:allow +> group@:--------------:------:deny +> group@:--------------:------:allow +> everyone@:-------A-W-Co-:------:deny +> everyone@:-w-p--a-R-c--s:f-i---:allow +> owner@:--------------:------:deny +> owner@:rwxp---A-W-Co-:------:allow +> group@:--------------:------:deny +> group@:rwxp----------:------:allow +> everyone@:-------A-W-Co-:------:deny +> everyone@:rwxp--a-R-c--s:------:allow + +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 group:44:rwapd:allow ddd +$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd +$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd +$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd +$ chmod 124 ddd +$ getfacl -n ddd +> # file: ddd +> # owner: root +> # group: wheel +> user:42:r-x-----------:f-i---:allow +> group:42:-w--D---------:-di---:allow +> group:42:--------------:------:deny +> group:42:----D---------:------:allow +> group:43:-w--D---------:-di---:deny +> group:43:-w--D---------:------:deny +> group@:-----da-------:------:allow +> group:44:r-------------:------:deny +> group:44:r----da-------:------:allow +> owner@:--------------:------:deny +> owner@:-------A-W-Co-:------:allow +> group@:--------------:------:deny +> group@:--------------:------:allow +> everyone@:-------A-W-Co-:------:deny +> everyone@:-w-p--a-R-c--s:f-i---:allow +> owner@:rw-p----------:------:deny +> owner@:--x----A-W-Co-:------:allow +> group@:r-x-----------:------:deny +> group@:-w-p----------:------:allow +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow + +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 group:44:rwapd:allow ddd +$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd +$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd +$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd +$ chmod 412 ddd +$ getfacl -n ddd +> # file: ddd +> # owner: root +> # group: wheel +> user:42:r-------------:------:deny +> user:42:r-x-----------:------:allow +> user:42:r-x-----------:f-i---:allow +> group:42:-w--D---------:-di---:allow +> group:42:-w------------:------:deny +> group:42:-w--D---------:------:allow +> group:43:-w--D---------:-di---:deny +> group:43:-w--D---------:------:deny +> group@:-----da-------:------:allow +> group:44:rw-p----------:------:deny +> group:44:rw-p-da-------:------:allow +> owner@:--------------:------:deny +> owner@:-------A-W-Co-:------:allow +> group@:--------------:------:deny +> group@:--------------:------:allow +> everyone@:-------A-W-Co-:------:deny +> everyone@:-w-p--a-R-c--s:f-i---:allow +> owner@:-wxp----------:------:deny +> owner@:r------A-W-Co-:------:allow +> group@:rw-p----------:------:deny +> group@:--x-----------:------:allow +> everyone@:r-x----A-W-Co-:------:deny +> everyone@:-w-p--a-R-c--s:------:allow + +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 group:44:rwapd:allow ddd +$ setfacl -a0 group:43:write_data/delete_child:d:deny,group@:ad:allow ddd +$ setfacl -a0 user:42:rx:allow,user:42:rx:fi:allow,group:42:write_data/delete_child:d:allow ddd +$ setfacl -m everyone@:-w-p--a-R-c--s:fi:allow ddd +$ chown 42 ddd +$ chmod 412 ddd +$ getfacl -n ddd +> # file: ddd +> # owner: 42 +> # group: wheel +> user:42:--x-----------:------:deny +> user:42:r-x-----------:------:allow +> user:42:r-x-----------:f-i---:allow +> group:42:-w--D---------:-di---:allow +> group:42:-w------------:------:deny +> group:42:-w--D---------:------:allow +> group:43:-w--D---------:-di---:deny +> group:43:-w--D---------:------:deny +> group@:-----da-------:------:allow +> group:44:rw-p----------:------:deny +> group:44:rw-p-da-------:------:allow +> owner@:--------------:------:deny +> owner@:-------A-W-Co-:------:allow +> group@:--------------:------:deny +> group@:--------------:------:allow +> everyone@:-------A-W-Co-:------:deny +> everyone@:-w-p--a-R-c--s:f-i---:allow +> owner@:-wxp----------:------:deny +> owner@:r------A-W-Co-:------:allow +> group@:rw-p----------:------:deny +> group@:--x-----------:------:allow +> everyone@:r-x----A-W-Co-:------:deny +> everyone@:-w-p--a-R-c--s:------:allow + +# Test applying ACL to mode. +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 u:42:rwx:fi:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> drwxr-xr-x+ + +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,group@:w:deny,group@:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr----x---+ + +# XXX: This one is fishy. Shouldn't it be "dr---wx---+"? +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,group@:w:fi:deny,group@:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr---wx---+ + +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,group:43:w:deny,group:43:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr--------+ + +$ rmdir ddd +$ mkdir ddd +$ chmod 0 ddd +$ setfacl -a0 owner@:r:allow,user:43:w:deny,user:43:wx:allow ddd +$ ls -ld ddd | cut -d' ' -f1 +> dr--------+ + +# Test inheritance. +$ rmdir ddd +$ mkdir ddd +$ setfacl -a0 group:43:write_data/write_acl:fin:deny,u:43:rwxp:allow ddd +$ setfacl -a0 user:42:rx:fi:allow,group:42:write_data/delete_child:dn:deny ddd +$ setfacl -a0 user:42:write_acl/write_owner:fi:allow ddd +$ setfacl -a0 group:41:read_data/read_attributes:dni:allow ddd +$ setfacl -a0 user:41:write_data/write_attributes:fn:allow ddd +$ getfacl -qn ddd +> user:41:-w-----A------:f--n--:allow +> group:41:r-----a-------:-din--:allow +> user:42:-----------Co-:f-i---:allow +> user:42:r-x-----------:f-i---:allow +> group:42:-w--D---------:-d-n--:deny +> group:43:-w---------C--:f-in--:deny +> user:43:rwxp----------:------:allow +> owner@:--------------:------:deny +> owner@:rwxp---A-W-Co-:------:allow +> group@:-w-p----------:------:deny +> group@:r-x-----------:------:allow +> everyone@:-w-p---A-W-Co-:------:deny +> everyone@:r-x---a-R-c--s:------:allow + +$ cd ddd +$ touch xxx +$ getfacl -qn xxx +> user:41:-w------------:------:deny +> user:41:-w-----A------:------:allow +> user:42:--------------:------:deny +> user:42:--------------:------:allow +> user:42:--x-----------:------:deny +> user:42:r-x-----------:------:allow +> group:43:-w---------C--:------:deny +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> group@:-wxp----------:------:deny +> group@:r-------------:------:allow +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow + +$ rm xxx +$ umask 077 +$ touch xxx +$ getfacl -qn xxx +> user:41:-w------------:------:deny +> user:41:-w-----A------:------:allow +> user:42:--------------:------:deny +> user:42:--------------:------:allow +> user:42:r-x-----------:------:deny +> user:42:r-x-----------:------:allow +> group:43:-w---------C--:------:deny +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> group@:rwxp----------:------:deny +> group@:--------------:------:allow +> everyone@:rwxp---A-W-Co-:------:deny +> everyone@:------a-R-c--s:------:allow + +$ rm xxx +$ umask 770 +$ touch xxx +$ getfacl -qn xxx +> user:41:-w------------:------:deny +> user:41:-w-----A------:------:allow +> user:42:--------------:------:deny +> user:42:--------------:------:allow +> user:42:r-x-----------:------:deny +> user:42:r-x-----------:------:allow +> group:43:-w---------C--:------:deny +> owner@:rwxp----------:------:deny +> owner@:-------A-W-Co-:------:allow +> group@:rwxp----------:------:deny +> group@:--------------:------:allow +> everyone@:--x----A-W-Co-:------:deny +> everyone@:rw-p--a-R-c--s:------:allow + +$ rm xxx +$ umask 707 +$ touch xxx +$ getfacl -qn xxx +> user:41:--------------:------:deny +> user:41:-w-----A------:------:allow +> user:42:--------------:------:deny +> user:42:--------------:------:allow +> user:42:--x-----------:------:deny +> user:42:r-x-----------:------:allow +> group:43:-w---------C--:------:deny +> owner@:rwxp----------:------:deny +> owner@:-------A-W-Co-:------:allow +> group@:--x-----------:------:deny +> group@:rw-p----------:------:allow +> everyone@:rwxp---A-W-Co-:------:deny +> everyone@:------a-R-c--s:------:allow + +$ umask 077 +$ mkdir yyy +$ getfacl -qn yyy +> group:41:r-------------:------:deny +> group:41:r-----a-------:------:allow +> user:42:-----------Co-:f-i---:allow +> user:42:r-x-----------:f-i---:allow +> group:42:-w--D---------:------:deny +> owner@:--------------:------:deny +> owner@:rwxp---A-W-Co-:------:allow +> group@:rwxp----------:------:deny +> group@:--------------:------:allow +> everyone@:rwxp---A-W-Co-:------:deny +> everyone@:------a-R-c--s:------:allow + +$ rmdir yyy +$ umask 770 +$ mkdir yyy +$ getfacl -qn yyy +> group:41:r-------------:------:deny +> group:41:r-----a-------:------:allow +> user:42:-----------Co-:f-i---:allow +> user:42:r-x-----------:f-i---:allow +> group:42:-w--D---------:------:deny +> owner@:rwxp----------:------:deny +> owner@:-------A-W-Co-:------:allow +> group@:rwxp----------:------:deny +> group@:--------------:------:allow +> everyone@:-------A-W-Co-:------:deny +> everyone@:rwxp--a-R-c--s:------:allow + +$ rmdir yyy +$ umask 707 +$ mkdir yyy +$ getfacl -qn yyy +> group:41:--------------:------:deny +> group:41:------a-------:------:allow +> user:42:-----------Co-:f-i---:allow +> user:42:r-x-----------:f-i---:allow +> group:42:-w--D---------:------:deny +> owner@:rwxp----------:------:deny +> owner@:-------A-W-Co-:------:allow +> group@:--------------:------:deny +> group@:rwxp----------:------:allow +> everyone@:rwxp---A-W-Co-:------:deny +> everyone@:------a-R-c--s:------:allow + +# There is some complication regarding how write_acl and write_owner flags +# get inherited. Make sure we got it right. +$ setfacl -b . +$ setfacl -a0 u:42:Co:f:allow . +$ setfacl -a0 u:43:Co:d:allow . +$ setfacl -a0 u:44:Co:fd:allow . +$ setfacl -a0 u:45:Co:fi:allow . +$ setfacl -a0 u:46:Co:di:allow . +$ setfacl -a0 u:47:Co:fdi:allow . +$ setfacl -a0 u:48:Co:fn:allow . +$ setfacl -a0 u:49:Co:dn:allow . +$ setfacl -a0 u:50:Co:fdn:allow . +$ setfacl -a0 u:51:Co:fni:allow . +$ setfacl -a0 u:52:Co:dni:allow . +$ setfacl -a0 u:53:Co:fdni:allow . +$ umask 022 +$ rm xxx +$ touch xxx +$ getfacl -nq xxx +> user:53:--------------:------:deny +> user:53:--------------:------:allow +> user:51:--------------:------:deny +> user:51:--------------:------:allow +> user:50:--------------:------:deny +> user:50:--------------:------:allow +> user:48:--------------:------:deny +> user:48:--------------:------:allow +> user:47:--------------:------:deny +> user:47:--------------:------:allow +> user:45:--------------:------:deny +> user:45:--------------:------:allow +> user:44:--------------:------:deny +> user:44:--------------:------:allow +> user:42:--------------:------:deny +> user:42:--------------:------:allow +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> group@:-wxp----------:------:deny +> group@:r-------------:------:allow +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow + +$ rmdir yyy +$ mkdir yyy +$ getfacl -nq yyy +> user:53:--------------:------:deny +> user:53:--------------:------:allow +> user:52:--------------:------:deny +> user:52:--------------:------:allow +> user:50:--------------:------:deny +> user:50:--------------:------:allow +> user:49:--------------:------:deny +> user:49:--------------:------:allow +> user:47:-----------Co-:fdi---:allow +> user:47:--------------:------:deny +> user:47:--------------:------:allow +> user:46:-----------Co-:-di---:allow +> user:46:--------------:------:deny +> user:46:--------------:------:allow +> user:45:-----------Co-:f-i---:allow +> user:44:-----------Co-:fdi---:allow +> user:44:--------------:------:deny +> user:44:--------------:------:allow +> user:43:-----------Co-:-di---:allow +> user:43:--------------:------:deny +> user:43:--------------:------:allow +> user:42:-----------Co-:f-i---:allow +> owner@:--------------:------:deny +> owner@:rwxp---A-W-Co-:------:allow +> group@:-w-p----------:------:deny +> group@:r-x-----------:------:allow +> everyone@:-w-p---A-W-Co-:------:deny +> everyone@:r-x---a-R-c--s:------:allow + +$ setfacl -b . +$ setfacl -a0 u:42:Co:f:deny . +$ setfacl -a0 u:43:Co:d:deny . +$ setfacl -a0 u:44:Co:fd:deny . +$ setfacl -a0 u:45:Co:fi:deny . +$ setfacl -a0 u:46:Co:di:deny . +$ setfacl -a0 u:47:Co:fdi:deny . +$ setfacl -a0 u:48:Co:fn:deny . +$ setfacl -a0 u:49:Co:dn:deny . +$ setfacl -a0 u:50:Co:fdn:deny . +$ setfacl -a0 u:51:Co:fni:deny . +$ setfacl -a0 u:52:Co:dni:deny . +$ setfacl -a0 u:53:Co:fdni:deny . +$ umask 022 +$ rm xxx +$ touch xxx +$ getfacl -nq xxx +> user:53:-----------Co-:------:deny +> user:51:-----------Co-:------:deny +> user:50:-----------Co-:------:deny +> user:48:-----------Co-:------:deny +> user:47:-----------Co-:------:deny +> user:45:-----------Co-:------:deny +> user:44:-----------Co-:------:deny +> user:42:-----------Co-:------:deny +> owner@:--x-----------:------:deny +> owner@:rw-p---A-W-Co-:------:allow +> group@:-wxp----------:------:deny +> group@:r-------------:------:allow +> everyone@:-wxp---A-W-Co-:------:deny +> everyone@:r-----a-R-c--s:------:allow + +$ rmdir yyy +$ mkdir yyy +$ getfacl -nq yyy +> user:53:-----------Co-:------:deny +> user:52:-----------Co-:------:deny +> user:50:-----------Co-:------:deny +> user:49:-----------Co-:------:deny +> user:47:-----------Co-:fdi---:deny +> user:47:-----------Co-:------:deny +> user:46:-----------Co-:-di---:deny +> user:46:-----------Co-:------:deny +> user:45:-----------Co-:f-i---:deny +> user:44:-----------Co-:fdi---:deny +> user:44:-----------Co-:------:deny +> user:43:-----------Co-:-di---:deny +> user:43:-----------Co-:------:deny +> user:42:-----------Co-:f-i---:deny +> owner@:--------------:------:deny +> owner@:rwxp---A-W-Co-:------:allow +> group@:-w-p----------:------:deny +> group@:r-x-----------:------:allow +> everyone@:-w-p---A-W-Co-:------:deny +> everyone@:r-x---a-R-c--s:------:allow + +$ rmdir yyy +$ rm xxx +$ cd .. +$ rmdir ddd + +$ rm xxx + diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/tools/regression/acltools/tools-posix.test 8.0/tools/regression/acltools/tools-posix.test --- test/8.0/tools/regression/acltools/tools-posix.test 2009-07-02 22:05:21.559785000 +0200 +++ 8.0/tools/regression/acltools/tools-posix.test 2010-01-31 03:19:21.582827588 +0100 @@ -1,11 +1,36 @@ +# Copyright (c) 2008, 2009 Edward Tomasz Napierała +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD: releng/8.0/tools/regression/acltools/tools-posix.test 195296 2009-07-02 20:05:21Z trasz $ +# + # This is a tools-level test for POSIX.1e ACL functionality. Run it as root # using ACL-enabled kernel: # # /usr/src/tools/regression/acltools/run /usr/src/tools/regression/acltools/tools-posix.test # # WARNING: Creates files in unsafe way. -# -# $FreeBSD: src/tools/regression/acltools/tools-posix.test,v 1.3.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $ $ whoami > root @@ -13,7 +38,7 @@ $ umask 022 # Smoke test for getfacl(1). $ touch xxx -$ getfacl xxx +$ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel @@ -27,7 +52,7 @@ $ getfacl -q xxx > other::r-- $ setfacl -m u:42:r,g:43:w xxx -$ getfacl xxx +$ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel @@ -77,9 +102,8 @@ $ getfacl -h lll > mask::rwx > other::r-x -# XXX: Why doesn't ls(1) print '+' for symbolic links with ACL set? $ ls -l lll | cut -d' ' -f1 -> lrwxrwxr-x +> lrwxrwxr-x+ # Check whether the original file is left untouched. $ ls -l xxx | cut -d' ' -f1 @@ -99,8 +123,32 @@ $ getfacl xxx > mask::rw- > other::r-- +$ setfacl -m u:42:r xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> user:42:r-- +> group::r-- +> group:43:-w- +> mask::rw- +> other::r-- + +# Test removing entries by number. +$ setfacl -x 1 xxx +$ getfacl -n xxx +> # file: xxx +> # owner: root +> # group: wheel +> user::rw- +> group::r-- +> group:43:-w- +> mask::rw- +> other::r-- + $ setfacl -m g:43:r xxx -$ getfacl xxx +$ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel @@ -118,7 +166,7 @@ $ ls -l yyy | cut -d' ' -f1 # Make sure it does with the "-p" flag. $ rm yyy $ cp -p xxx yyy -$ getfacl yyy +$ getfacl -n yyy > # file: yyy > # owner: root > # group: wheel @@ -133,7 +181,7 @@ $ rm yyy # Test removing entries by... by example? $ setfacl -m u:42:r,g:43:w xxx $ setfacl -x u:42: xxx -$ getfacl xxx +$ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel @@ -145,7 +193,7 @@ $ getfacl xxx # Test setfacl -b. $ setfacl -b xxx -$ getfacl xxx +$ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel @@ -158,7 +206,7 @@ $ ls -l xxx | cut -d' ' -f1 > -rw-r--r--+ $ setfacl -nb xxx -$ getfacl xxx +$ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel @@ -178,7 +226,7 @@ $ ls -l xxx yyy zzz | cut -d' ' -f1 > -rw-r--r-- $ setfacl -m u:42:x,g:43:w nnn xxx yyy zzz -> setfacl: stat() of nnn failed: No such file or directory +> setfacl: nnn: stat() failed: No such file or directory $ ls -l nnn xxx yyy zzz | cut -d' ' -f1 > ls: nnn: No such file or directory @@ -186,8 +234,8 @@ $ ls -l nnn xxx yyy zzz | cut -d' ' -f1 > -rw-rwxr--+ > -rw-rwxr--+ -$ getfacl -q nnn xxx yyy zzz -> getfacl: nnn: No such file or directory +$ getfacl -nq nnn xxx yyy zzz +> getfacl: nnn: stat() failed: No such file or directory > user::rw- > user:42:--x > group::r-- @@ -210,7 +258,7 @@ $ getfacl -q nnn xxx yyy zzz > other::r-- $ setfacl -b nnn xxx yyy zzz -> setfacl: stat() of nnn failed: No such file or directory +> setfacl: nnn: stat() failed: No such file or directory $ ls -l nnn xxx yyy zzz | cut -d' ' -f1 > ls: nnn: No such file or directory @@ -219,7 +267,7 @@ $ ls -l nnn xxx yyy zzz | cut -d' ' -f1 > -rw-r--r--+ $ setfacl -bn nnn xxx yyy zzz -> setfacl: stat() of nnn failed: No such file or directory +> setfacl: nnn: stat() failed: No such file or directory $ ls -l nnn xxx yyy zzz | cut -d' ' -f1 > ls: nnn: No such file or directory @@ -233,7 +281,7 @@ $ rm xxx yyy zzz $ touch xxx $ setfacl -m u:42:rwx,g:43:rwx xxx $ chmod 600 xxx -$ getfacl xxx +$ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel @@ -245,7 +293,7 @@ $ getfacl xxx > other::--- $ chmod 060 xxx -$ getfacl xxx +$ getfacl -n xxx > # file: xxx > # owner: root > # group: wheel @@ -259,7 +307,7 @@ $ getfacl xxx # Test default ACLs. $ umask 022 $ mkdir ddd -$ getfacl -q ddd +$ getfacl -qn ddd > user::rwx > group::r-x > other::r-x @@ -269,7 +317,7 @@ $ ls -l | grep ddd | cut -d' ' -f1 $ getfacl -dq ddd $ setfacl -dm u::rwx,g::rx,o::rx,mask::rwx ddd -$ getfacl -dq ddd +$ getfacl -dqn ddd > user::rwx > group::r-x > mask::rwx @@ -281,7 +329,7 @@ $ ls -l | grep ddd | cut -d' ' -f1 $ setfacl -dm g:42:rwx,u:42:r ddd $ setfacl -dm g::w ddd -$ getfacl -dq ddd +$ getfacl -dqn ddd > user::rwx > user:42:r-- > group::-w- @@ -290,7 +338,7 @@ $ getfacl -dq ddd > other::r-x $ setfacl -dx group:42: ddd -$ getfacl -dq ddd +$ getfacl -dqn ddd > user::rwx > user:42:r-- > group::-w- @@ -387,3 +435,19 @@ $ ls -l fff | cut -d' ' -f1 $ rm fff +# Test if we deal properly with device files. +$ mknod bbb b 1 1 +$ setfacl -m u:42:r,g:43:w bbb +> setfacl: bbb: acl_get_file() failed: Operation not supported +$ ls -l bbb | cut -d' ' -f1 +> brw-r--r-- + +$ rm bbb + +$ mknod ccc c 1 1 +$ setfacl -m u:42:r,g:43:w ccc +> setfacl: ccc: acl_get_file() failed: Operation not supported +$ ls -l ccc | cut -d' ' -f1 +> crw-r--r-- + +$ rm ccc diff -x .svn -I '$FreeBSD: ' -urNp test/8.0/usr.bin/find/function.c 8.0/usr.bin/find/function.c --- test/8.0/usr.bin/find/function.c 2009-05-30 12:42:19.274925000 +0200 +++ 8.0/usr.bin/find/function.c 2010-01-30 15:52:49.485468614 +0100 @@ -371,38 +371,48 @@ c_mXXdepth(OPTION *option, char ***argvp int f_acl(PLAN *plan __unused, FTSENT *entry) { - int match, entries; - acl_entry_t ae; acl_t facl; + acl_type_t acl_type; + int acl_supported = 0, ret, trivial; if (S_ISLNK(entry->fts_statp->st_mode)) return 0; - if ((match = pathconf(entry->fts_accpath, _PC_ACL_EXTENDED)) <= 0) { - if (match < 0 && errno != EINVAL) - warn("%s", entry->fts_accpath); - else - return 0; + ret = pathconf(entry->fts_accpath, _PC_ACL_NFS4); + if (ret > 0) { + acl_supported = 1; + acl_type = ACL_TYPE_NFS4; + } else if (ret < 0 && errno != EINVAL) { + warn("%s", entry->fts_accpath); + return (0); } - match = 0; - if ((facl = acl_get_file(entry->fts_accpath,ACL_TYPE_ACCESS)) != NULL) { - if (acl_get_entry(facl, ACL_FIRST_ENTRY, &ae) == 1) { - /* - * POSIX.1e requires that ACLs of type ACL_TYPE_ACCESS - * must have at least three entries (owner, group, - * other). - */ - entries = 1; - while (acl_get_entry(facl, ACL_NEXT_ENTRY, &ae) == 1) { - if (++entries > 3) { - match = 1; - break; - } - } + if (acl_supported == 0) { + ret = pathconf(entry->fts_accpath, _PC_ACL_EXTENDED); + if (ret > 0) { + acl_supported = 1; + acl_type = ACL_TYPE_ACCESS; + } else if (ret < 0 && errno != EINVAL) { + warn("%s", entry->fts_accpath); + return (0); } - acl_free(facl); - } else + } + if (acl_supported == 0) + return (0); + + facl = acl_get_file(entry->fts_accpath, acl_type); + if (facl == NULL) { warn("%s", entry->fts_accpath); - return match; + return (0); + } + ret = acl_is_trivial_np(facl, &trivial); + acl_free(facl); + if (ret) { + warn("%s", entry->fts_accpath); + acl_free(facl); + return (0); + } + if (trivial) + return (0); + return (1); } PLAN *