1#!/bin/ksh -p
2#
3# CDDL HEADER START
4#
5# The contents of this file are subject to the terms of the
6# Common Development and Distribution License (the "License").
7# You may not use this file except in compliance with the License.
8#
9# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10# or https://opensource.org/licenses/CDDL-1.0.
11# See the License for the specific language governing permissions
12# and limitations under the License.
13#
14# When distributing Covered Code, include this CDDL HEADER in each
15# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16# If applicable, add the following below this CDDL HEADER, with the
17# fields enclosed by brackets "[]" replaced with your own identifying
18# information: Portions Copyright [yyyy] [name of copyright owner]
19#
20# CDDL HEADER END
21#
22
23#
24# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
25# Use is subject to license terms.
26#
27
28#
29# Copyright (c) 2013, 2016 by Delphix. All rights reserved.
30#
31
32. $STF_SUITE/tests/functional/delegate/delegate_common.kshlib
33
34#
35# DESCRIPTION:
36#	Scan the following permissions one by one to verify privileged user
37#	has correct permission delegation in datasets.
38#
39# STRATEGY:
40#	1. Delegate all the permission one by one to user on dataset.
41#	2. Verify privileged user has correct permission without any other
42#	   permissions allowed.
43#
44
45verify_runnable "both"
46
47log_assert "Verify privileged user has correct permissions once which was "\
48	"delegated to him in datasets"
49log_onexit restore_root_datasets
50
51if is_linux; then
52#
53#				Results in	Results in
54#		Permission	Filesystem	Volume
55#
56# Removed for Linux:
57# - mount	- mount(8) does not permit non-superuser mounts
58# - mountpoint	- mount(8) does not permit non-superuser mounts
59# - canmount	- mount(8) does not permit non-superuser mounts
60# - rename      - mount(8) does not permit non-superuser mounts
61# - zoned	- zones are not supported
62# - destroy     - umount(8) does not permit non-superuser umounts
63# - sharenfs	- sharing requires superuser privileges
64# - share	- sharing requires superuser privileges
65# - readonly	- mount(8) does not permit non-superuser remounts
66#
67set -A perms	create		true		false	\
68		snapshot	true		true	\
69		send		true		true	\
70		allow		true		true	\
71		quota		true		false	\
72		reservation	true		true	\
73		dnodesize	true		false	\
74		recordsize	true		false	\
75		checksum	true		true	\
76		compression	true		true	\
77		atime		true		false	\
78		devices		true		false	\
79		exec		true		false	\
80		volsize		false		true	\
81		setuid		true		false	\
82		snapdir		true		false	\
83		userprop	true		true	\
84		aclinherit	true		false	\
85		rollback	true		true	\
86		clone		true		true	\
87		promote		true		true	\
88		xattr		true		false	\
89		receive		true		false
90
91elif is_freebsd; then
92#				Results in	Results in
93#		Permission	Filesystem	Volume
94#
95# Removed for FreeBSD
96# - jailed	- jailing requires superuser privileges
97# - sharenfs	- sharing requires superuser privileges
98# - share	- sharing requires superuser privileges
99# - xattr	- Not supported on FreeBSD
100#
101set -A perms	create		true		false	\
102		snapshot	true		true	\
103		mount		true		false	\
104		send		true		true	\
105		allow		true		true	\
106		quota		true		false	\
107		reservation	true		true	\
108		dnodesize	true		false	\
109		recordsize	true		false	\
110		mountpoint	true		false	\
111		checksum	true		true	\
112		compression	true		true	\
113		canmount	true		false	\
114		atime		true		false	\
115		devices		true		false	\
116		exec		true		false	\
117		volsize		false		true	\
118		setuid		true		false	\
119		readonly	true		true	\
120		snapdir		true		false	\
121		userprop	true		true	\
122		aclmode		true		false	\
123		aclinherit	true		false	\
124		rollback	true		true	\
125		clone		true		true	\
126		rename		true		true	\
127		promote		true		true	\
128		receive		true		false   \
129		destroy		true		true
130
131else
132
133set -A perms	create		true		false	\
134		snapshot	true		true	\
135		mount		true		false	\
136		send		true		true	\
137		allow		true		true	\
138		quota		true		false	\
139		reservation	true		true	\
140		dnodesize	true		false	\
141		recordsize	true		false	\
142		mountpoint	true		false	\
143		checksum	true		true	\
144		compression	true		true	\
145		canmount	true		false	\
146		atime		true		false	\
147		devices		true		false	\
148		exec		true		false	\
149		volsize		false		true	\
150		setuid		true		false	\
151		readonly	true		true	\
152		snapdir		true		false	\
153		userprop	true		true	\
154		aclmode		true		false	\
155		aclinherit	true		false	\
156		rollback	true		true	\
157		clone		true		true	\
158		rename		true		true	\
159		promote		true		true	\
160		zoned		true		false	\
161		xattr		true		false	\
162		receive		true		false	\
163		destroy		true		true
164
165if is_global_zone; then
166	typeset -i n=${#perms[@]}
167	perms[((n))]="sharenfs"; perms[((n+1))]="true"; perms[((n+2))]="false"
168	perms[((n+3))]="share"; perms[((n+4))]="true"; perms[((n+5))]="false"
169fi
170fi
171
172for dtst in $DATASETS; do
173	typeset -i k=1
174	typeset type=$(get_prop type $dtst)
175	[[ $type == "volume" ]] && k=2
176
177	typeset -i i=0
178	while (( i < ${#perms[@]} )); do
179		log_must zfs allow $STAFF1 ${perms[$i]} $dtst
180
181		if [[ ${perms[((i+k))]} == "true" ]]; then
182			log_must verify_perm $dtst ${perms[$i]} $STAFF1
183		else
184			log_must verify_noperm $dtst ${perms[$i]} $STAFF1
185		fi
186
187		log_must restore_root_datasets
188
189		((i += 3))
190	done
191done
192
193log_pass "Verify privileged user has correct permissions " \
194	"in datasets passed."
195