ZTS: replace su commands by run_user function
Needed so that the PATH variable is passed through su. The posix* tests were fixed, but they need further investigation before they can be enabled. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Giuseppe Di Natale <dinatale2@llnl.gov> Signed-off-by: George Melikov <mail@gmelikov.ru> Closes #6303
This commit is contained in:
parent
478e3ecf8b
commit
9c3dcab5e2
@ -48,21 +48,21 @@ log_assert "Verify acltype=posixacl works on file"
|
|||||||
# Test access to FILE
|
# Test access to FILE
|
||||||
log_note "Testing access to FILE"
|
log_note "Testing access to FILE"
|
||||||
log_must touch $TESTDIR/file.0
|
log_must touch $TESTDIR/file.0
|
||||||
log_must setfacl -m g:zfsgrp:rw $TESTDIR/file.0
|
log_must setfacl -m g:$ZFS_ACL_STAFF_GROUP:rw $TESTDIR/file.0
|
||||||
getfacl $TESTDIR/file.0 2> /dev/null | egrep -q "^group:zfsgrp:rw-$"
|
getfacl $TESTDIR/file.0 2> /dev/null | egrep -q "^group:$ZFS_ACL_STAFF_GROUP:rw-$"
|
||||||
if [ "$?" -eq "0" ]; then
|
if [ "$?" -eq "0" ]; then
|
||||||
# Should be able to write to file
|
# Should be able to write to file
|
||||||
log_must su staff1 -c "echo \"echo test > /dev/null\" > $TESTDIR/file.0"
|
log_must user_run $ZFS_ACL_STAFF1 "echo 'echo test > /dev/null' > $TESTDIR/file.0"
|
||||||
|
|
||||||
# Should NOT be able to create new file
|
# Should NOT be able to create new file
|
||||||
log_mustnot su staff1 -c "touch $TESTDIR/file.1"
|
log_mustnot user_run $ZFS_ACL_STAFF1 "touch $TESTDIR/file.1"
|
||||||
|
|
||||||
# Root should be able to run file, but not user
|
# Root should be able to run file, but not user
|
||||||
chmod +x $TESTDIR/file.0
|
chmod +x $TESTDIR/file.0
|
||||||
log_must $TESTDIR/file.0
|
log_must $TESTDIR/file.0
|
||||||
log_mustnot su staff1 -c $TESTDIR/file.0
|
log_mustnot user_run $ZFS_ACL_STAFF1 $TESTDIR/file.0
|
||||||
|
|
||||||
log_pass "POSIX ACL mode works on files"
|
log_pass "POSIX ACL mode works on files"
|
||||||
else
|
else
|
||||||
log_fail "Group 'zfsgrp' does not have 'rw' as specified"
|
log_fail "Group '$ZFS_ACL_STAFF_GROUP' does not have 'rw' as specified"
|
||||||
fi
|
fi
|
||||||
|
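Review bot: The write check `log_must user_run $ZFS_ACL_STAFF1 "echo 'echo test > /dev/null' > $TESTDIR/file.0"` only exercises the ACL if the `> $TESTDIR/file.0` redirection is performed by a shell running as the staff user, which `su -c` guaranteed and which user_run must now guarantee; user_run's definition is not part of this commit, so presumably it evaluates its second argument through a shell, but nothing here records that contract. The same reliance is present in the directory test (hunk -47,16, the `touch` and `ls -l` strings), in `log_must user_run $user "$fullcmd"` in run_and_verify (hunk -74,7, whose root branch still goes through `eval "$fullcmd"`), and in the pfexec command strings of the two privilege tests. A one-line comment above the first user_run call, `# user_run runs its command string via a shell as the given user, so the redirection is done unprivileged`, would make the assumption explicit and catch a future user_run change that exec's the words directly.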
@ -47,16 +47,16 @@ log_assert "Verify acltype=posixacl works on directory"
|
|||||||
# Test access to DIRECTORY
|
# Test access to DIRECTORY
|
||||||
log_note "Testing access to DIRECTORY"
|
log_note "Testing access to DIRECTORY"
|
||||||
log_must mkdir $TESTDIR/dir.0
|
log_must mkdir $TESTDIR/dir.0
|
||||||
log_must setfacl -m g:zfsgrp:wx $TESTDIR/dir.0
|
log_must setfacl -m g:$ZFS_ACL_STAFF_GROUP:wx $TESTDIR/dir.0
|
||||||
getfacl $TESTDIR/dir.0 2> /dev/null | egrep -q "^group:zfsgrp:-wx$"
|
getfacl $TESTDIR/dir.0 2> /dev/null | egrep -q "^group:$ZFS_ACL_STAFF_GROUP:-wx$"
|
||||||
if [ "$?" -eq "0" ]; then
|
if [ "$?" -eq "0" ]; then
|
||||||
# Should be able to create file in directory
|
# Should be able to create file in directory
|
||||||
log_must su staff1 -c "touch $TESTDIR/dir.0/file.0"
|
log_must user_run $ZFS_ACL_STAFF1 "touch $TESTDIR/dir.0/file.0"
|
||||||
|
|
||||||
# Should NOT be able to list files in directory
|
# Should NOT be able to list files in directory
|
||||||
log_mustnot su staff1 -c "ls -l $TESTDIR/dir.0"
|
log_mustnot user_run $ZFS_ACL_STAFF1 "ls -l $TESTDIR/dir.0"
|
||||||
|
|
||||||
log_pass "POSIX ACL mode works on directories"
|
log_pass "POSIX ACL mode works on directories"
|
||||||
else
|
else
|
||||||
log_fail "Group 'zfsgrp' does not have 'rwx' as specified"
|
log_fail "Group '$ZFS_ACL_STAFF_GROUP' does not have 'rwx' as specified"
|
||||||
fi
|
fi
|
||||||
|
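Review bot: The failure message `log_fail "Group '$ZFS_ACL_STAFF_GROUP' does not have 'rwx' as specified"` disagrees with what this test sets and checks: setfacl grants `g:$ZFS_ACL_STAFF_GROUP:wx` and the egrep pattern is `:-wx$`, so a real failure would print a misleading expected value. It should read `log_fail "Group '$ZFS_ACL_STAFF_GROUP' does not have 'wx' as specified"`. The same mismatch is in the remount test (hunk -37,25), where `log_fail "Group '$ZFS_ACL_STAFF_GROUP' does not have 'rwx'"` follows a `-wx` check.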
@ -37,25 +37,25 @@ verify_runnable "both"
|
|||||||
log_assert "Verify regular and default POSIX ACLs survive remount"
|
log_assert "Verify regular and default POSIX ACLs survive remount"
|
||||||
|
|
||||||
typeset output=/tmp/zfs-posixacl.$$
|
typeset output=/tmp/zfs-posixacl.$$
|
||||||
typeset acl_str1="^group:${ZFS_ACL_STAFF_GROUP}:-wx$"
|
typeset acl_str1="^group:$ZFS_ACL_STAFF_GROUP:-wx$"
|
||||||
typeset acl_str2="^default:group:${ZFS_ACL_STAFF_GROUP}:-wx$"
|
typeset acl_str2="^default:group:$ZFS_ACL_STAFF_GROUP:-wx$"
|
||||||
typeset ACLDIR="${TESTDIR}/dir.1"
|
typeset ACLDIR="$TESTDIR/dir.1"
|
||||||
|
|
||||||
log_note "Testing access to DIRECTORY"
|
log_note "Testing access to DIRECTORY"
|
||||||
log_must mkdir $ACLDIR
|
log_must mkdir $ACLDIR
|
||||||
log_must setfacl -m g:${ZFS_ACL_STAFF_GROUP}:wx $ACLDIR
|
log_must setfacl -m g:$ZFS_ACL_STAFF_GROUP:wx $ACLDIR
|
||||||
log_must setfacl -d -m g:${ZFS_ACL_STAFF_GROUP}:wx $ACLDIR
|
log_must setfacl -d -m g:$ZFS_ACL_STAFF_GROUP:wx $ACLDIR
|
||||||
getfacl $ACLDIR 2> /dev/null | egrep -q "${acl_str1}"
|
getfacl $ACLDIR 2> /dev/null | egrep -q "$acl_str1"
|
||||||
if [ "$?" -eq "0" ]; then
|
if [ "$?" -eq "0" ]; then
|
||||||
getfacl $ACLDIR 2> /dev/null | egrep -q "${acl_str2}"
|
getfacl $ACLDIR 2> /dev/null | egrep -q "$acl_str2"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$?" -eq "0" ]; then
|
if [ "$?" -eq "0" ]; then
|
||||||
log_must zfs unmount $TESTPOOL/$TESTFS
|
log_must zfs unmount $TESTPOOL/$TESTFS
|
||||||
log_must zfs mount $TESTPOOL/$TESTFS
|
log_must zfs mount $TESTPOOL/$TESTFS
|
||||||
log_must eval 'getfacl $ACLDIR 2> /dev/null | egrep -q "${acl_str1}"'
|
log_must eval "getfacl $ACLDIR 2> /dev/null | egrep -q \"$acl_str1\""
|
||||||
log_must eval 'getfacl $ACLDIR 2> /dev/null | egrep -q "${acl_str2}"'
|
log_must eval "getfacl $ACLDIR 2> /dev/null | egrep -q \"$acl_str2\""
|
||||||
log_pass "POSIX ACLs survive remount"
|
log_pass "POSIX ACLs survive remount"
|
||||||
else
|
else
|
||||||
log_fail "Group '${ZFS_ACL_STAFF_GROUP}' does not have 'rwx'"
|
log_fail "Group '$ZFS_ACL_STAFF_GROUP' does not have 'rwx'"
|
||||||
fi
|
fi
|
||||||
|
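Review bot: Switching the eval strings to double quotes at `log_must eval "getfacl $ACLDIR 2> /dev/null | egrep -q \"$acl_str1\""` makes the already-expanded values of `$ACLDIR` and `$acl_str1` go through a second round of shell parsing inside eval; the pattern's trailing `$` survives only because bash treats a `$` not followed by a name as literal, and any whitespace or metacharacter in the directory path would be split or interpreted. The previous single-quoted form expanded each variable exactly once, so `log_must eval 'getfacl $ACLDIR 2> /dev/null | egrep -q "$acl_str1"'` (and likewise for acl_str2) is the safer spelling and still gets the pipeline through log_must. Separately, the second `if [ "$?" -eq "0" ]` tests the status of the preceding `if` statement, which is 0 when its condition was false and no branch ran, so a missing regular ACL falls through to the remount path and fails in log_must rather than in the intended log_fail branch; capturing the egrep status in a variable inside the first branch would fix that.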
@ -74,7 +74,7 @@ function run_and_verify
|
|||||||
if [[ $user == "root" ]]; then
|
if [[ $user == "root" ]]; then
|
||||||
log_must eval "$fullcmd"
|
log_must eval "$fullcmd"
|
||||||
else
|
else
|
||||||
log_must su $user -c "eval $fullcmd"
|
log_must user_run $user "$fullcmd"
|
||||||
fi
|
fi
|
||||||
zpool history $flags $pool > $TMP_HISTORY 2>/dev/null
|
zpool history $flags $pool > $TMP_HISTORY 2>/dev/null
|
||||||
diff $OLD_HISTORY $TMP_HISTORY | grep "^> " | sed 's/^> //g' \
|
diff $OLD_HISTORY $TMP_HISTORY | grep "^> " | sed 's/^> //g' \
|
||||||
|
@ -66,30 +66,30 @@ log_assert "The RBAC profile \"ZFS Storage Management\" works"
|
|||||||
ZFS_USER=$(cat /tmp/zfs-privs-test-user.txt)
|
ZFS_USER=$(cat /tmp/zfs-privs-test-user.txt)
|
||||||
|
|
||||||
# the user shouldn't be able to do anything initially
|
# the user shouldn't be able to do anything initially
|
||||||
log_mustnot su $ZFS_USER -c "zpool create $TESTPOOL $DISKS"
|
log_mustnot user_run $ZFS_USER "zpool create $TESTPOOL $DISKS"
|
||||||
log_mustnot su $ZFS_USER -c "pfexec zpool create $TESTPOOL $DISKS"
|
log_mustnot user_run $ZFS_USER "pfexec zpool create $TESTPOOL $DISKS"
|
||||||
|
|
||||||
# the first time we assign the profile, we insist it should work
|
# the first time we assign the profile, we insist it should work
|
||||||
log_must usermod -P "ZFS Storage Management" $ZFS_USER
|
log_must usermod -P "ZFS Storage Management" $ZFS_USER
|
||||||
log_must su $ZFS_USER -c "pfexec zpool create -f $TESTPOOL $DISKS"
|
log_must user_run $ZFS_USER "pfexec zpool create -f $TESTPOOL $DISKS"
|
||||||
|
|
||||||
# ensure the user can't create a filesystem with this profile
|
# ensure the user can't create a filesystem with this profile
|
||||||
log_mustnot su $ZFS_USER -c "zfs create $TESTPOOL/fs"
|
log_mustnot user_run $ZFS_USER "zfs create $TESTPOOL/fs"
|
||||||
|
|
||||||
# add ZFS File System Management profile, and try to create a fs
|
# add ZFS File System Management profile, and try to create a fs
|
||||||
log_must usermod -P "ZFS File System Management" $ZFS_USER
|
log_must usermod -P "ZFS File System Management" $ZFS_USER
|
||||||
log_must su $ZFS_USER -c "pfexec zfs create $TESTPOOL/fs"
|
log_must user_run $ZFS_USER "pfexec zfs create $TESTPOOL/fs"
|
||||||
|
|
||||||
# revoke File System Management profile
|
# revoke File System Management profile
|
||||||
usermod -P, $ZFS_USER
|
usermod -P, $ZFS_USER
|
||||||
usermod -P "ZFS Storage Management" $ZFS_USER
|
usermod -P "ZFS Storage Management" $ZFS_USER
|
||||||
|
|
||||||
# ensure the user can destroy pools
|
# ensure the user can destroy pools
|
||||||
log_mustnot su $ZFS_USER -c "zpool destroy $TESTPOOL"
|
log_mustnot user_run $ZFS_USER "zpool destroy $TESTPOOL"
|
||||||
log_must su $ZFS_USER -c "pfexec zpool destroy $TESTPOOL"
|
log_must user_run $ZFS_USER "pfexec zpool destroy $TESTPOOL"
|
||||||
|
|
||||||
# revoke Storage Management profile
|
# revoke Storage Management profile
|
||||||
usermod -P, $ZFS_USER
|
usermod -P, $ZFS_USER
|
||||||
log_mustnot su $ZFS_USER -c "pfexec zpool create -f $TESTPOOL $DISKS"
|
log_mustnot user_run $ZFS_USER "pfexec zpool create -f $TESTPOOL $DISKS"
|
||||||
|
|
||||||
log_pass "The RBAC profile \"ZFS Storage Management\" works"
|
log_pass "The RBAC profile \"ZFS Storage Management\" works"
|
||||||
|
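Review bot: Every `user_run $ZFS_USER ...` line in this hunk passes the user name unquoted, so if `/tmp/zfs-privs-test-user.txt` is missing or empty the expansion vanishes and user_run receives the command string as its user argument, while `usermod -P "ZFS Storage Management" $ZFS_USER` runs with no user at all; the setup failure then surfaces as an unrelated error. A guard right after the assignment, `[[ -n $ZFS_USER ]] || log_fail "no test user recorded in /tmp/zfs-privs-test-user.txt"`, stops the test before any profile is granted. The same applies to the second privilege test (hunk -77,29). The file is also a fixed, predictable path in a shared temporary directory, and its contents decide which account receives RBAC profiles, so its trustworthiness rests entirely on the setup script; a location under the test's own directory would remove that dependency.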
@ -77,29 +77,29 @@ else
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# A user shouldn't be able to create filesystems
|
# A user shouldn't be able to create filesystems
|
||||||
log_mustnot su $ZFS_USER -c "zfs create $DATASET/zfsprivfs"
|
log_mustnot user_run $ZFS_USER "zfs create $DATASET/zfsprivfs"
|
||||||
|
|
||||||
# Insist this invocation of usermod works
|
# Insist this invocation of usermod works
|
||||||
log_must usermod -P "ZFS File System Management" $ZFS_USER
|
log_must usermod -P "ZFS File System Management" $ZFS_USER
|
||||||
|
|
||||||
# Now try to create file systems as the user
|
# Now try to create file systems as the user
|
||||||
log_mustnot su $ZFS_USER -c "zfs create $DATASET/zfsprivfs"
|
log_mustnot user_run $ZFS_USER "zfs create $DATASET/zfsprivfs"
|
||||||
log_must su $ZFS_USER -c "pfexec zfs create $DATASET/zfsprivfs"
|
log_must user_run $ZFS_USER "pfexec zfs create $DATASET/zfsprivfs"
|
||||||
|
|
||||||
# Ensure the user can't do anything to pools in this state:
|
# Ensure the user can't do anything to pools in this state:
|
||||||
log_mustnot su $ZFS_USER -c "zpool destroy $DATASET"
|
log_mustnot user_run $ZFS_USER "zpool destroy $DATASET"
|
||||||
log_mustnot su $ZFS_USER -c "pfexec zpool destroy $DATASET"
|
log_mustnot user_run $ZFS_USER "pfexec zpool destroy $DATASET"
|
||||||
|
|
||||||
# revoke File System Management profile
|
# revoke File System Management profile
|
||||||
usermod -P, $ZFS_USER
|
usermod -P, $ZFS_USER
|
||||||
|
|
||||||
# Ensure the user can't create more filesystems
|
# Ensure the user can't create more filesystems
|
||||||
log_mustnot su $ZFS_USER -c "zfs create $DATASET/zfsprivfs2"
|
log_mustnot user_run $ZFS_USER "zfs create $DATASET/zfsprivfs2"
|
||||||
log_mustnot su $ZFS_USER -c "pfexec zfs create $DATASET/zfsprivfs2"
|
log_mustnot user_run $ZFS_USER "pfexec zfs create $DATASET/zfsprivfs2"
|
||||||
|
|
||||||
# assign the profile again and destroy the fs.
|
# assign the profile again and destroy the fs.
|
||||||
usermod -P "ZFS File System Management" $ZFS_USER
|
usermod -P "ZFS File System Management" $ZFS_USER
|
||||||
log_must su $ZFS_USER -c "pfexec zfs destroy $DATASET/zfsprivfs"
|
log_must user_run $ZFS_USER "pfexec zfs destroy $DATASET/zfsprivfs"
|
||||||
usermod -P, $ZFS_USER
|
usermod -P, $ZFS_USER
|
||||||
|
|
||||||
log_pass "The RBAC profile \"ZFS File System Management\" works"
|
log_pass "The RBAC profile \"ZFS File System Management\" works"
|
||||||
|
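Review bot: `log_must user_run $ZFS_USER "pfexec zfs destroy $DATASET/zfsprivfs"` depends on the `usermod -P "ZFS File System Management" $ZFS_USER` two lines above it, which runs without log_must even though the identical assignment earlier in the hunk is wrapped in log_must; if that usermod fails, the test reports a destroy failure instead of the real cause and leaves the filesystem behind. Wrapping it as `log_must usermod -P "ZFS File System Management" $ZFS_USER` keeps the diagnostics consistent. The `usermod -P, $ZFS_USER` revocations are likewise unchecked, and since they remove privileges, a silent failure there leaves the test user holding the profile after the test ends; at minimum the status should be logged.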