
Commit dcb4f1d6 authored by Rainer Toebbicke's avatar Rainer Toebbicke

MGM: ACL denials override mode bits

parent c6cd303b
......@@ -92,6 +92,7 @@ Acl::SetFromAttrMap(const eos::IContainerMD::XAttrMap& attrmap,
sysAcl = it->second;
}
if (EOS_LOGS_DEBUG) eos_static_debug("sysacl='%s' useracl='%s' evalUseracl=%d", sysAcl.c_str(), useracl.c_str(), evalUseracl);
Set(sysAcl, useracl, vid, evalUseracl);
}
......@@ -121,11 +122,14 @@ Acl::Set(std::string sysacl, std::string useracl,
// By default nothing is granted
mHasAcl = false;
mCanRead = false;
mCanNotRead = false;
mCanWrite = false;
mCanNotWrite = false;
mCanWriteOnce = false;
mCanUpdate = false;
mCanNotUpdate = false;
mCanBrowse = false;
mCanNotBrowse = false;
mCanChmod = false;
mCanNotChmod = false;
mCanChown = false;
......@@ -137,6 +141,7 @@ Acl::Set(std::string sysacl, std::string useracl,
mCanArchive = false;
mCanPrepare = false;
if (EOS_LOGS_DEBUG) eos_static_debug("acl='%s' length=%d allowUserAcl=%d", acl.c_str(), acl.length(), allowUserAcl);
// no acl definition
if (!acl.length()) {
return;
......@@ -180,6 +185,7 @@ Acl::Set(std::string sysacl, std::string useracl,
groupname = "_INVAL_";
}
if (EOS_LOGS_DEBUG) eos_static_debug("username '%s' groupname '%s'", username.c_str(), groupname.c_str());
std::string usr_name_tag = "u:";
usr_name_tag += username;
usr_name_tag += ":";
......@@ -190,7 +196,7 @@ Acl::Set(std::string sysacl, std::string useracl,
std::string keytag = "k:";
keytag += vid.key;
keytag += ":";;
eos_static_debug("%s %s %s %s %s", usertag.c_str(), grouptag.c_str(),
if (EOS_LOGS_DEBUG) eos_static_debug("%s %s %s %s %s", usertag.c_str(), grouptag.c_str(),
usr_name_tag.c_str(), grp_name_tag.c_str(), keytag.c_str());
// Rule interpretation logic
char denials[256];
......@@ -250,7 +256,7 @@ Acl::Set(std::string sysacl, std::string useracl,
}
if (reallow && !(c == 'u' || c == 'd')) {
eos_static_debug("'+' Acl flag ignored for '%c'", c);
eos_static_info("'+' Acl flag ignored for '%c'", c);
}
switch (c) {
......@@ -362,11 +368,13 @@ Acl::Set(std::string sysacl, std::string useracl,
if (denials['r']) {
mCanRead = false;
mCanNotRead = true;
eos_static_debug("deny r");
}
if (denials['x']) {
mCanBrowse = false;
mCanNotBrowse = true;
eos_static_debug("deny x");
}
......@@ -392,6 +400,7 @@ Acl::Set(std::string sysacl, std::string useracl,
if (denials['w']) {
mCanWrite = false;
mCanNotWrite = true;
eos_static_debug("deny w");
} else if (mCanWrite) { /* if mCanWrite, grant mCanUpdate implicitely *unless* 'u' is denied */
mCanUpdate = true; /* this could be reverted a few lines further down were 'u' denied */
......@@ -415,12 +424,12 @@ Acl::Set(std::string sysacl, std::string useracl,
if (EOS_LOGS_DEBUG) {
eos_static_debug(
"mCanRead %d mCanWrite %d mCanWriteOnce %d mCanUpdate %d mCanNotUpdate %d mCanBrowse %d mCanChmod %d mCanChown %d mCanNotDelete %d"
"mCanNotChmod %d mCanDelete %d mCanSetQuota %d mHasAcl %d mHasEgroup %d mIsMutable %d mCanArchive %d mCanPrepare %d",
mCanRead, mCanWrite, mCanWriteOnce, mCanUpdate, mCanNotUpdate, mCanBrowse, mCanChmod,
mCanChown, mCanNotDelete,
mCanNotChmod, mCanDelete, mCanSetQuota, mHasAcl, mHasEgroup, mIsMutable,
mCanArchive, mCanPrepare);
"mCanRead %d mCanNotRead %d mCanWrite %d mCanNotWrite %d mCanWriteOnce %d mCanUpdate %d mCanNotUpdate %d "
"mCanBrowse %d mCanNotBrowse %d mCanChmod %d mCanChown %d mCanNotDelete %d mCanNotChmod %d "
"mCanDelete %d mCanSetQuota %d mHasAcl %d mHasEgroup %d mIsMutable %d mCanArchive %d mCanPrepare %d",
mCanRead, mCanNotRead, mCanWrite, mCanNotWrite, mCanWriteOnce, mCanUpdate, mCanNotUpdate,
mCanBrowse, mCanNotBrowse, mCanChmod, mCanChown, mCanNotDelete, mCanNotChmod,
mCanDelete, mCanSetQuota, mHasAcl, mHasEgroup, mIsMutable, mCanArchive, mCanPrepare);
}
}
}
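Review bot: The new `eos_static_debug("deny r")`, `eos_static_debug("deny x")` and `eos_static_debug("deny w")` calls in the `denials[...]` branches are unguarded, while the same commit wraps the other debug statements of this function (the sysacl/useracl dump, the acl-length dump, the username/groupname dump and the tag dump) in `if (EOS_LOGS_DEBUG)`; either the guard is redundant everywhere or these three should get it too, e.g. `if (EOS_LOGS_DEBUG) eos_static_debug("deny r");`. In the guarded acl-length line, `acl.length()` is printed with `%d`; for a `std::string` that is a `size_t` and `%zu` is the matching specifier. Raising the ignored-'+'-flag message from debug to info emits a line on every ACL evaluation of such a directory, which may be noisy in the normal log; consider keeping it at debug. Acl::Set starts and ends outside these hunks.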
......
......@@ -87,8 +87,9 @@ public: // [+] prevents '+' interpreted as "one or more"
//! Default Constructor
//----------------------------------------------------------------------------
Acl():
mCanRead(false), mCanWrite(false), mCanWriteOnce(false), mCanUpdate(false), mCanNotUpdate(false),
mCanBrowse(false), mCanChmod(false), mCanChown(false), mCanNotDelete(false),
mCanRead(false), mCanNotRead(false), mCanWrite(false), mCanNotWrite(false), mCanWriteOnce(false),
mCanUpdate(false), mCanNotUpdate(false), mCanBrowse(false), mCanNotBrowse(false),
mCanChmod(false), mCanChown(false), mCanNotDelete(false),
mCanNotChmod(false), mCanDelete(false), mCanSetQuota(false), mHasAcl(false),
mHasEgroup(false), mIsMutable(false), mCanArchive(false), mCanPrepare(false)
{}
......@@ -163,11 +164,21 @@ public: // [+] prevents '+' interpreted as "one or more"
return mCanRead;
}
inline bool CanNotRead() const
{
return mCanNotRead;
}
inline bool CanWrite() const
{
return mCanWrite;
}
inline bool CanNotWrite() const
{
return mCanNotWrite;
}
inline bool CanWriteOnce() const
{
return mCanWriteOnce;
......@@ -188,6 +199,11 @@ public: // [+] prevents '+' interpreted as "one or more"
return mCanBrowse;
}
inline bool CanNotBrowse() const
{
return mCanNotBrowse;
}
inline bool CanChmod() const
{
return mCanChmod;
......@@ -254,11 +270,14 @@ public: // [+] prevents '+' interpreted as "one or more"
private:
bool mCanRead; ///< acl allows read access
bool mCanNotRead; ///< acl denies read access
bool mCanWrite; ///< acl allows write access
bool mCanNotWrite; ///< acl denies write access
bool mCanWriteOnce; ///< acl allows write-once access (creation, no delete)
bool mCanUpdate; ///< acl allows update of files
bool mCanNotUpdate; ///< acl denies update of files
bool mCanBrowse; ///< acl allows browsing
bool mCanNotBrowse; ///< acl allows browsing
bool mCanChmod; ///< acl allows mode change
bool mCanChown; ///< acl allows chown change
bool mCanNotDelete; ///< acl forbids deletion
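Review bot: The Doxygen comment on the new `mCanNotBrowse` member reads `///< acl allows browsing`, copied from `mCanBrowse`; it should read `///< acl denies browsing`, in line with `mCanNotRead` and `mCanNotWrite`. The new accessors `CanNotRead()`, `CanNotWrite()` and `CanNotBrowse()` carry no documentation, unlike the surrounding members; a one-line `//! True when the ACL explicitly denies read access; callers treat this as overriding the mode bits` (and the write/browse equivalents) would record the semantics the commit title introduces. With three more flags the constructor's initializer list now mirrors the reset block in `Acl::Set` and must stay in declaration order to avoid -Wreorder; in-class default initializers such as `bool mCanNotRead{false};` would remove the duplication. The class body continues outside these hunks.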
......
......@@ -2484,7 +2484,7 @@ FuseServer::FillContainerCAP(uint64_t id,
dir.mutable_capability()->set_id(id);
if (EOS_LOGS_DEBUG) {
eos_debug("container-id=%llx", id);
eos_debug("container-id=%#llx", id);
}
struct timespec ts;
......@@ -2585,14 +2585,20 @@ FuseServer::FillContainerCAP(uint64_t id,
if (acl.IsMutable()) {
if (acl.CanRead()) {
mode |= R_OK;
} else if (acl.CanNotRead()) { /* denials override mode bits */
mode &= ~R_OK;
}
if (acl.CanWrite() || acl.CanWriteOnce()) {
mode |= W_OK | SA_OK | D_OK | M_OK;
} else if (acl.CanNotWrite()) { /* denials override mode bits */
mode &= ~(W_OK | SA_OK | D_OK | M_OK);
}
if (acl.CanBrowse()) {
mode |= X_OK;
} else if (acl.CanNotBrowse()) {/* denials override mode bits */
mode &= ~X_OK;
}
if (acl.CanNotChmod()) {
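Review bot: In the write branch the grant `if (acl.CanWrite() || acl.CanWriteOnce())` is evaluated before the `else if (acl.CanNotWrite())` denial, so a capability whose ACL leaves a write-once grant set together with a `!w` denial would keep `W_OK | SA_OK | D_OK | M_OK` despite the explicit denial; whether `Acl::Set` can leave `mCanWriteOnce` and `mCanNotWrite` both true is not visible here and should be confirmed. If it can, test the denial first: `if (acl.CanNotWrite()) { mode &= ~(W_OK | SA_OK | D_OK | M_OK); } else if (acl.CanWrite() || acl.CanWriteOnce()) { mode |= W_OK | SA_OK | D_OK | M_OK; }`. The `/* denials override mode bits */` comment is repeated on all three branches; one comment above the block is enough. These three checks sit inside `if (acl.IsMutable())`, so the denials take effect only on that path — worth a comment if that is intended. FillContainerCAP continues outside the hunk.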
......
......@@ -225,6 +225,7 @@ XrdMgmOfs::_rem(const char* path,
"remove existing file - you are write-once user");
}
eos_debug("vid.uid %d vid.gid %d CanotDelete %d CUid %d", vid.uid, vid.gid, acl.CanNotDelete(), fmd->getCUid());
// if there is a !d policy we cannot delete files which we don't own
if (((vid.uid) && (vid.uid != 3) && (vid.gid != 4) && (acl.CanNotDelete())) &&
((fmd->getCUid() != vid.uid))) {
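Review bot: The new debug line spells `CanotDelete` in its message; make it `CanNotDelete` so log greps match the accessor name. `vid.uid` and `vid.gid` are printed with `%d`, while the existing `eos_info` in XrdMgmOfsFile::open in this same commit prints uid/gid with `%u`; if they are unsigned, `%u` is the matching specifier here too. Unlike the Acl.cc changes this call is not wrapped in `if (EOS_LOGS_DEBUG)`; consider the same guard for consistency. `_rem` continues outside the hunk.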
......
......@@ -637,6 +637,8 @@ XrdMgmOfsFile::open(const char* inpath,
eos::IFileMD::XAttrMap attrmapF;
gOFS->_attr_ls(cPath.GetPath(), error, vid, 0, attrmapF, false);
acl.SetFromAttrMap(attrmap, vid, &attrmapF);
eos_debug("error %d attrmap sys %d user %d attrmapF sys %d user %d", error.getErrInfo(), attrmap.count("sys.acl"),
attrmap.count("user.acl"), attrmapF.count("sys.acl"), attrmapF.count("user.acl"));
eos_info("acl=%d r=%d w=%d wo=%d egroup=%d shared=%d mutable=%d",
acl.HasAcl(), acl.CanRead(), acl.CanWrite(), acl.CanWriteOnce(),
acl.HasEgroup(),
......@@ -644,15 +646,25 @@ XrdMgmOfsFile::open(const char* inpath,
acl.IsMutable());
if (acl.HasAcl()) {
eos_debug("uid %d sudoer %d isRW %d CanNotRead %d CanNotWrite %d",
vid.uid, vid.sudoer, isRW, acl.CanNotRead(), acl.CanNotWrite());
if ( (vid.uid != 0) && (!vid.sudoer) && (isRW ? acl.CanNotWrite() : acl.CanNotRead()) ) {
eos_debug("uid %d sudoer %d isRW %d CanNotRead %d CanNotWrite %d",
vid.uid, vid.sudoer, isRW, acl.CanNotRead(), acl.CanNotWrite());
errno = EPERM;
gOFS->MgmStats.Add("OpenFailedPermission", vid.uid, vid.gid, 1);
return Emsg(epname, error, errno, "open file - forbidden by ACL", path);
}
if (isRW) {
// write case
if ((!acl.CanWrite()) && (!acl.CanWriteOnce())) {
if ( !(acl.CanWrite() || acl.CanWriteOnce()) ) {
// we have to check the standard permissions
stdpermcheck = true;
}
} else {
// read case
if ((!acl.CanRead())) {
if ( !acl.CanRead() ) {
// we have to check the standard permissions
stdpermcheck = true;
}
......@@ -668,8 +680,10 @@ XrdMgmOfsFile::open(const char* inpath,
return Emsg(epname, error, errno, "open file - directory immutable", path);
}
int taccess = -1;
if ((!isSharedFile || isRW) && stdpermcheck
&& (!dmd->access(vid.uid, vid.gid, (isRW) ? W_OK | X_OK : R_OK | X_OK))) {
&& (!(taccess = dmd->access(vid.uid, vid.gid, (isRW) ? W_OK | X_OK : R_OK | X_OK))) ) {
eos_debug("fCUid %d dCUid %d uid %d isSharedFile %d isRW %d stdpermcheck %d access %d", fmd?fmd->getCUid():0, dmd->getCUid(), vid.uid, isSharedFile, isRW, stdpermcheck, taccess);
if (!((vid.uid == DAEMONUID) && (isPioReconstruct))) {
// we don't apply this permission check for reconstruction jobs issued via the daemon account
errno = EPERM;
......@@ -677,6 +691,7 @@ XrdMgmOfsFile::open(const char* inpath,
return Emsg(epname, error, errno, "open file", path);
}
}
eos_debug("coucou");
if (sticky_owner) {
eos_info("msg=\"client acting as directory owner\" path=\"%s\" uid=\"%u=>%u\" gid=\"%u=>%u\"",
......@@ -753,6 +768,7 @@ XrdMgmOfsFile::open(const char* inpath,
"you have to be a priviledged user for updates");
}
eos_debug("coucou");
if (!isInjection && (open_mode & SFS_O_TRUNC) && fmd) {
// check if this directory is write-once for the mapped user
if (acl.HasAcl()) {
......@@ -799,6 +815,7 @@ XrdMgmOfsFile::open(const char* inpath,
gOFS->MgmStats.Add("OpenWriteTruncate", vid.uid, vid.gid, 1);
} else {
eos_debug("coucou");
if (!(fmd) && ((open_flag & O_CREAT))) {
gOFS->MgmStats.Add("OpenWriteCreate", vid.uid, vid.gid, 1);
} else {
......@@ -956,6 +973,7 @@ XrdMgmOfsFile::open(const char* inpath,
gOFS->MgmStats.Add("OpenRead", vid.uid, vid.gid, 1);
}
}
eos_debug("coucou");
// ---------------------------------------------------------------------------
// flush synchronization logic, don't open a file which is currently flushing
......@@ -1043,6 +1061,7 @@ XrdMgmOfsFile::open(const char* inpath,
if (openOpaque->Get("eos.etag")) {
ext_etag = openOpaque->Get("eos.etag");
}
eos_debug("coucou");
if (openOpaque->Get("eos.xattr")) {
int envlen;
......@@ -1144,6 +1163,7 @@ XrdMgmOfsFile::open(const char* inpath,
}
}
eos_debug("coucou");
// 0-size files can be read from the MGM if this is not FUSE access!
if (!isRW && !isFuse && !fmd->getSize()) {
isZeroSizeFile = true;
......@@ -1215,6 +1235,7 @@ XrdMgmOfsFile::open(const char* inpath,
}
}
eos_debug("coucou");
if (attrmap.count("sys.forced.minsize")) {
minimumsize = strtoull(attrmap["sys.forced.minsize"].c_str(), 0, 10);
}
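Review bot: Seven `eos_debug("coucou");` lines are added across this function (after the directory permission check, before the truncate check, in the create branch, after the OpenRead stats, before the `eos.xattr` handling, before the zero-size check and before `sys.forced.minsize`); they read as leftover instrumentation and should be removed before merge. The `uid %d sudoer %d isRW %d CanNotRead %d CanNotWrite %d` debug line is emitted twice, once unconditionally inside `if (acl.HasAcl())` and again inside the denial branch; one is enough. The denial check tests only `acl.CanNotWrite()` for `isRW` opens, so a read-write open on a directory whose ACL denies read (`!r`) but not write is not rejected here; if `!r` is meant to block any open that reads, the condition would be `(isRW ? (acl.CanNotWrite() || acl.CanNotRead()) : acl.CanNotRead())` — confirm the intended semantics. Assigning `taccess` inside the `if` condition works but hides a side effect in a long boolean; computing it on its own line before the `if` would be clearer. `open` starts and ends outside these hunks.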
......
......@@ -101,7 +101,12 @@ bool AccessChecker::checkContainer(IContainerMD *cont, const Acl &acl,
// Basic check denied us access... let's see if we can recover through Acls
//----------------------------------------------------------------------------
if ((mode & W_OK) && (!acl.CanWrite() && !cont->access(vid.uid, vid.gid, W_OK) )) {
//if ((mode & W_OK) && (!acl.CanWrite() && !cont->access(vid.uid, vid.gid, W_OK) ))
if ( (mode & W_OK) &&
( acl.CanNotWrite() ||
( !acl.CanWrite() && !cont->access(vid.uid, vid.gid, W_OK) )
)
) {
//--------------------------------------------------------------------------
// Asking for write permission, and neither basic check, nor Acls grant us
// write. Deny.
......@@ -109,7 +114,12 @@ bool AccessChecker::checkContainer(IContainerMD *cont, const Acl &acl,
return false;
}
if ((mode & R_OK) && (!acl.CanRead() && !cont->access(vid.uid, vid.gid, R_OK) )) {
// if ((mode & R_OK) && (!acl.CanRead() && !cont->access(vid.uid, vid.gid, R_OK) ))
if ( (mode & R_OK) &&
( acl.CanNotRead() ||
( !acl.CanRead() && !cont->access(vid.uid, vid.gid, R_OK) )
)
) {
//--------------------------------------------------------------------------
// Asking for read permission, and neither basic check, nor Acls grant us
// read. Deny.
......@@ -117,7 +127,12 @@ bool AccessChecker::checkContainer(IContainerMD *cont, const Acl &acl,
return false;
}
if ((mode & X_OK) && (!acl.CanBrowse() && !cont->access(vid.uid, vid.gid, X_OK) )) {
// if ((mode & X_OK) && (!acl.CanBrowse() && !cont->access(vid.uid, vid.gid, X_OK) ))
if ( (mode & X_OK) &&
( acl.CanNotBrowse() ||
( !acl.CanBrowse() && !cont->access(vid.uid, vid.gid, X_OK) )
)
) {
//--------------------------------------------------------------------------
// Asking for browse permission, and neither basic check, nor Acls grant us
// browse. Deny.
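Review bot: Each of the three rewritten conditions leaves the previous form behind as a commented-out line (`//if ((mode & W_OK) && (!acl.CanWrite() && ...` and the R_OK/X_OK equivalents); version control keeps that history, so the dead lines should be deleted. The comments below the checks still say "neither basic check, nor Acls grant us write" although the new first operand denies regardless of the basic check; extend them, e.g. `// ACL explicitly denies write, or neither basic check nor ACL grants it. Deny.`. The three checks now differ only in the bit and the accessor pair; a small static helper taking the denied flag, the granted flag and the bit would make the precedence "explicit denial beats mode bits" visible in one place. checkContainer starts and ends outside these hunks.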
......
......@@ -367,6 +367,12 @@ runtest () {
return
fi
redir=$EOS_TEST_REDIRECTOR
if [ "$1" = H ]; then
EOS_TEST_REDIRECTOR=$EOS_TEST_FULL_REDIRECTOR
shift
fi
START=$(date +%s.%N)
echo $testcnt | awk '{printf("%04d ",$1);}'
echo -n `date +"%x %X"` "$1"
......@@ -425,6 +431,7 @@ runtest () {
echo " in $DIFF seconds"
fi
echo "--------------------------------------------------------------------------------------------------------------------"
EOS_TEST_REDIRECTOR=$redir
fi
}
################################################################################
......@@ -897,24 +904,70 @@ runtest "### Chmod " unix 0 "" eos chmod 755 /eos/$EOS_TEST_INSTANCE/test/in
runtest "### Attr " unix 0 "" eos attr rm sys.acl /eos/$EOS_TEST_INSTANCE/test/instancetest/
runtest "### Attr " unix 0 "" eos attr set sys.eval.useracl=1 /eos/$EOS_TEST_INSTANCE/test/instancetest/
runtest "### Attr " unix 0 "" eos attr set user.acl=u:nobody:rwx /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest "### Rm " unix 0 "EOSROLE='-r 99 99'" eos rm /eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k
runtest "### Upload " unix 0 "EOSROLE='-r 99 99'" upload "$TESTSYSFILE1K" "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k" "-ODeos.ruid=99\&eos.rgid=99"
runtest "### Update " unix 0 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99"
runtest "### Attr " unix 0 "" eos attr set user.acl=u:nobody:rx /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest "### Update " unix 1 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99"
runtest "### Attr " unix 0 "" eos attr set user.acl=u:nobody:rwx\!u /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest "### Update " unix 1 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99"
runtest "### Attr " unix 0 "" eos attr set user.acl=u:1:rwx /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest "### Chown " unix 0 "" eos chown 99:99 "/eos/$EOS_TEST_INSTANCE/test/instancetest"
runtest "### Update " unix 0 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99" # should work still the owner
runtest "### Upload " unix 0 "EOSROLE='-r 99 99'" eos cp -a "$TESTSYSFILE1K" /eos/dockertest/test/instancetest/file.1k
# "runtest H" with sss-auth secures "not sudoer" and group list contains 99 where needed... without H the former fails, with unix-auth the latter (gids=[2] hence hasAcl=0)
# ACL impact: no ACL or user neither granted nor denied -> dir mode bits
# ACL denials: override except for u/d for file owner
runtest "### Attr " unix 0 "" eos debug debug '\*'
runtest "### Chown " unix 0 "" eos chown daemon /eos/$EOS_TEST_INSTANCE/test/instancetest/
runtest "### Chown " unix 0 "" eos chown daemon /eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k
# most frequent case, file/dir without ACL mode bits decide
runtest "### Chmod " unix 0 "" eos chmod 777 /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest H "### Update " sss 0 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99" # no ACL, dir mode bits allow (o=rw)
runtest "### Chmod " unix 0 "" eos chmod 755 /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest H "### Update " sss 1 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99" # fail: no ACL, dir mode bits deny
runtest "### Chmod " unix 0 "" eos chmod 775 /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest H "### Update " sss 1 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99" # fail: no ACL, dir mode bits deny (g=rw but not group)
runtest "### Chown " unix 0 "" eos chown 2:99 /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest H "### Update " sss 0 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99" # no ACL, dir mode bits allow (g=rw same group)
runtest "### Chown " unix 0 "" eos chown 99:2 /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest H "### Update " sss 0 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99" # no ACL, dir mode bits allow (u=rw same user)
runtest "### Chown " unix 0 "" eos chown 2:2 /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest H "### Rm " sss 1 "EOSROLE='-r 99 99'" eos rm /eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k # fail: dir not owned, no ACL
runtest "### Attr " unix 0 "" eos attr set user.acl=u:nobody:rwx!d /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest H "### Rm " sss 1 "EOSROLE='-r 99 99'" eos rm /eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k # fail: dir not owned, ACL denies delete
runtest "### Attr " unix 0 "" eos attr set user.acl=u:nobody:rwx /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest "### Chown " unix 0 "" eos chown root /eos/$EOS_TEST_INSTANCE/test/instancetest/
# dir not owned
runtest H "### Rm " sss 0 "EOSROLE='-r 99 99'" eos rm /eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k # dir not owned, but ACL allows write
runtest H "### Upload " sss 0 "" upload "$TESTSYSFILE1K" "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k" "-ODeos.ruid=99\&eos.rgid=99" # ACL allows write, new file owned
runtest H "### Update " sss 0 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99" # dir not owned, ACL allows write
runtest "### Attr " unix 0 "" eos attr set user.acl=u:nobody:rx /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest H "### Update " sss 1 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99" # fail: dir not owned, ACL does not grant write
runtest "### Chown " unix 0 "" eos chown root /eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k
runtest H "### Update " sss 1 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99" # fail: not owner, ACL allows rx only
runtest "### Attr " unix 0 "" eos attr set user.acl=u:nobody:rwx\!u /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest H "### Update " sss 1 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99" # fail: not owner, ACL allows RW but denies update
runtest "### Attr " unix 0 "" eos attr set user.acl=u:1:rwx /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest H "### Update " sss 1 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99" # fail: not owner, not in ACL
runtest "### Attr " unix 0 "" eos attr set user.acl=u:99:rwx!d /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest H "### Rm " sss 1 "EOSROLE='-r 99 99'" eos rm /eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k # fail: dir not owned, ACL denies delete
# dir owned
runtest "### Chown " unix 0 "" eos chown 99:99 "/eos/$EOS_TEST_INSTANCE/test/instancetest"
runtest H "### Update " sss 0 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99" # dir owned
runtest H "### Upload " sss 0 "EOSROLE='-r 99 99'" eos cp -a "$TESTSYSFILE1K" /eos/dockertest/test/instancetest/file.1k # dir owned
runtest "### Attr " unix 0 "" eos attr set user.acl=u:nobody:r!wx /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest H "### Update " sss 1 "" append "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k\?eos.ruid=99\&eos.rgid=99" # should fail explicit denial
runtest H "### Upload " sss 1 "EOSROLE='-r 99 99'" eos cp -a "$TESTSYSFILE1K" /eos/dockertest/test/instancetest/file.1k # should fail explicit denial
runtest "### Attr " unix 0 "" eos attr set user.acl=u:99:rwx!d /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest "### Chown " unix 0 "" eos chown 99:99 "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k" # make sure file owned
sleep 1
runtest H "### Rm " sss 0 "EOSROLE='-r 99 99'" eos rm /eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k # ACL denies delete but file owned
sleep 1
#cleanup
runtest "### Attr " unix 0 "" eos debug info '\*'
runtest "### Rm " unix 2 "" eos rm /eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k
runtest "### Attr " unix 0 "" eos attr set user.acl=u:nobody:rwx /eos/$EOS_TEST_INSTANCE/test/instancetest
runtest "### Upload " unix 0 "EOSROLE='-r 99 99'" upload "$TESTSYSFILE1K" "/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k" "-ODeos.ruid=99\&eos.rgid=99"
runtest "### Attr " unix 0 "" eos attr rm user.acl /eos/$EOS_TEST_INSTANCE/test/instancetest/
runtest "### Chown " unix 0 "" eos chown 0:0 "/eos/$EOS_TEST_INSTANCE/test/instancetest"
#exit
# ------------------------------------------------------------------------------
categorie="symlink"
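Review bot: The two new `eos cp -a` steps hard-code `/eos/dockertest/test/instancetest/file.1k` while every other step in this block uses `/eos/$EOS_TEST_INSTANCE/test/instancetest/...`; on an instance not named dockertest they exercise a different directory than the one whose ACL was just set, so use `/eos/$EOS_TEST_INSTANCE/test/instancetest/file.1k` (the earlier `eos cp -a` context line has the same issue). In `runtest`, `redir=$EOS_TEST_REDIRECTOR` is a plain assignment inside a function; declare it `local redir` so it does not leak into the caller. The restore `EOS_TEST_REDIRECTOR=$redir` sits inside an `if ... fi` whose condition lies outside the hunk, so a path that skips that block would leave the full redirector selected for the following tests — confirm, or restore it right after the command is run. The `eos debug debug '\*'` step raises the whole instance to debug for the rest of the ACL block and the two `sleep 1` calls suggest a propagation delay being worked around; a short comment on each would help the next reader. runtest starts outside the first hunk.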
......