| #!/bin/ksh -p |
| # |
| # CDDL HEADER START |
| # |
| # The contents of this file are subject to the terms of the |
| # Common Development and Distribution License (the "License"). |
| # You may not use this file except in compliance with the License. |
| # |
| # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
| # or http://www.opensolaris.org/os/licensing. |
| # See the License for the specific language governing permissions |
| # and limitations under the License. |
| # |
| # When distributing Covered Code, include this CDDL HEADER in each |
| # file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
| # If applicable, add the following below this CDDL HEADER, with the |
| # fields enclosed by brackets "[]" replaced with your own identifying |
| # information: Portions Copyright [yyyy] [name of copyright owner] |
| # |
| # CDDL HEADER END |
| # |
| |
| # |
| # Copyright 2007 Sun Microsystems, Inc. All rights reserved. |
| # Use is subject to license terms. |
| # |
| |
| # |
| # Copyright (c) 2013, 2016 by Delphix. All rights reserved. |
| # |
| |
| . $STF_SUITE/tests/functional/delegate/delegate_common.kshlib |
| |
| # |
| # DESCRIPTION: |
| # Scan the following permissions one by one to verify privileged user |
| # has correct permission delegation in datasets. |
| # |
| # STRATEGY: |
| # 1. Delegate all the permission one by one to user on dataset. |
| # 2. Verify privileged user has correct permission without any other |
| # permissions allowed. |
| # |
| |
| verify_runnable "both" |
| |
| log_assert "Verify privileged user has correct permissions once which was "\ |
| "delegated to him in datasets" |
| log_onexit restore_root_datasets |
| |
| if is_linux; then |
| # |
| # Results in Results in |
| # Permission Filesystem Volume |
| # |
| # Removed for Linux: |
| # - mount - mount(8) does not permit non-superuser mounts |
| # - mountpoint - mount(8) does not permit non-superuser mounts |
| # - canmount - mount(8) does not permit non-superuser mounts |
| # - rename - mount(8) does not permit non-superuser mounts |
| # - zoned - zones are not supported |
| # - destroy - umount(8) does not permit non-superuser umounts |
| # - sharenfs - sharing requires superuser privileges |
| # - share - sharing requires superuser privileges |
| # - readonly - mount(8) does not permit non-superuser remounts |
| # |
| set -A perms create true false \ |
| snapshot true true \ |
| send true true \ |
| allow true true \ |
| quota true false \ |
| reservation true true \ |
| dnodesize true false \ |
| recordsize true false \ |
| checksum true true \ |
| compression true true \ |
| atime true false \ |
| devices true false \ |
| exec true false \ |
| volsize false true \ |
| setuid true false \ |
| snapdir true false \ |
| userprop true true \ |
| aclinherit true false \ |
| rollback true true \ |
| clone true true \ |
| promote true true \ |
| xattr true false \ |
| receive true false |
| else |
| |
| set -A perms create true false \ |
| snapshot true true \ |
| mount true false \ |
| send true true \ |
| allow true true \ |
| quota true false \ |
| reservation true true \ |
| dnodesize true false \ |
| recordsize true false \ |
| mountpoint true false \ |
| checksum true true \ |
| compression true true \ |
| canmount true false \ |
| atime true false \ |
| devices true false \ |
| exec true false \ |
| volsize false true \ |
| setuid true false \ |
| readonly true true \ |
| snapdir true false \ |
| userprop true true \ |
| aclmode true false \ |
| aclinherit true false \ |
| rollback true true \ |
| clone true true \ |
| rename true true \ |
| promote true true \ |
| zoned true false \ |
| xattr true false \ |
| receive true false \ |
| destroy true true |
| |
| if is_global_zone; then |
| typeset -i n=${#perms[@]} |
| perms[((n))]="sharenfs"; perms[((n+1))]="true"; perms[((n+2))]="false" |
| perms[((n+3))]="share"; perms[((n+4))]="true"; perms[((n+5))]="false" |
| fi |
| fi |
| |
| for dtst in $DATASETS; do |
| typeset -i k=1 |
| typeset type=$(get_prop type $dtst) |
| [[ $type == "volume" ]] && k=2 |
| |
| typeset -i i=0 |
| while (( i < ${#perms[@]} )); do |
| log_must zfs allow $STAFF1 ${perms[$i]} $dtst |
| |
| if [[ ${perms[((i+k))]} == "true" ]]; then |
| log_must verify_perm $dtst ${perms[$i]} $STAFF1 |
| else |
| log_must verify_noperm $dtst ${perms[$i]} $STAFF1 |
| fi |
| |
| log_must restore_root_datasets |
| |
| ((i += 3)) |
| done |
| done |
| |
| log_pass "Verify privileged user has correct permissions " \ |
| "in datasets passed." |