summaryrefslogtreecommitdiffstats
path: root/src/test/test-acl-util.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2023-07-04 22:26:52 +0200
committerLennart Poettering <lennart@poettering.net>2023-07-04 22:58:01 +0200
commitf76ce81b91db1dac0d0a012e1cc903639002dd0a (patch)
treeba22fb0082a4d59fb90074a3475c1a949153e85c /src/test/test-acl-util.c
parentman: make sure credentials properly show up in directives index (diff)
downloadsystemd-f76ce81b91db1dac0d0a012e1cc903639002dd0a.tar.xz
systemd-f76ce81b91db1dac0d0a012e1cc903639002dd0a.zip
execute: fix credential dir handling for fs which support ACLs
When the credential dir is backed by an fs that supports ACLs we must be more careful with adjusting the 'x' bit of the directory, as any chmod() call on the dir will reset the mask entry of the ACL entirely which we don't want. Hence, do a manual set of ACL changes, that only add/drop the 'x' bit but otherwise leave the ACL as it is. This matters if we use tmpfs rather than ramfs to store credentials.
Diffstat (limited to 'src/test/test-acl-util.c')
-rw-r--r--src/test/test-acl-util.c58
1 files changed, 58 insertions, 0 deletions
diff --git a/src/test/test-acl-util.c b/src/test/test-acl-util.c
index 093eaaa01b..eb9678a7d9 100644
--- a/src/test/test-acl-util.c
+++ b/src/test/test-acl-util.c
@@ -69,4 +69,62 @@ TEST_RET(add_acls_for_user) {
return 0;
}
+TEST(fd_acl_make_read_only) {
+ _cleanup_(unlink_tempfilep) char fn[] = "/tmp/test-empty.XXXXXX";
+ _cleanup_close_ int fd = -EBADF;
+ const char *cmd;
+ struct stat st;
+
+ fd = mkostemp_safe(fn);
+ assert_se(fd >= 0);
+
+ /* make it more exciting */
+ (void) fd_add_uid_acl_permission(fd, 1, ACL_READ|ACL_WRITE|ACL_EXECUTE);
+
+ assert_se(fstat(fd, &st) >= 0);
+ assert_se((st.st_mode & 0200) == 0200);
+
+ cmd = strjoina("getfacl -p ", fn);
+ assert_se(system(cmd) == 0);
+
+ cmd = strjoina("stat ", fn);
+ assert_se(system(cmd) == 0);
+
+ log_info("read-only");
+ assert_se(fd_acl_make_read_only(fd));
+
+ assert_se(fstat(fd, &st) >= 0);
+ assert_se((st.st_mode & 0222) == 0000);
+
+ cmd = strjoina("getfacl -p ", fn);
+ assert_se(system(cmd) == 0);
+
+ cmd = strjoina("stat ", fn);
+ assert_se(system(cmd) == 0);
+
+ log_info("writable");
+ assert_se(fd_acl_make_writable(fd));
+
+ assert_se(fstat(fd, &st) >= 0);
+ assert_se((st.st_mode & 0222) == 0200);
+
+ cmd = strjoina("getfacl -p ", fn);
+ assert_se(system(cmd) == 0);
+
+ cmd = strjoina("stat ", fn);
+ assert_se(system(cmd) == 0);
+
+ log_info("read-only");
+ assert_se(fd_acl_make_read_only(fd));
+
+ assert_se(fstat(fd, &st) >= 0);
+ assert_se((st.st_mode & 0222) == 0000);
+
+ cmd = strjoina("getfacl -p ", fn);
+ assert_se(system(cmd) == 0);
+
+ cmd = strjoina("stat ", fn);
+ assert_se(system(cmd) == 0);
+}
+
DEFINE_TEST_MAIN(LOG_INFO);