author | Lennart Poettering <lennart@poettering.net> | 2023-07-04 22:26:52 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2023-07-04 22:58:01 +0200 |
commit | f76ce81b91db1dac0d0a012e1cc903639002dd0a (patch) | |
tree | ba22fb0082a4d59fb90074a3475c1a949153e85c /src/test/test-acl-util.c | |
parent | man: make sure credentials properly show up in directives index (diff) | |
download | systemd-f76ce81b91db1dac0d0a012e1cc903639002dd0a.tar.xz systemd-f76ce81b91db1dac0d0a012e1cc903639002dd0a.zip |
execute: fix credential dir handling for fs which support ACLs
When the credential dir is backed by an fs that supports ACLs we must be
more careful with adjusting the 'x' bit of the directory, as any chmod()
call on the dir will reset the mask entry of the ACL entirely which we
don't want. Hence, do a manual set of ACL changes, that only add/drop
the 'x' bit but otherwise leave the ACL as it is.
This matters if we use tmpfs rather than ramfs to store credentials.
Diffstat (limited to 'src/test/test-acl-util.c')
-rw-r--r-- | src/test/test-acl-util.c | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/src/test/test-acl-util.c b/src/test/test-acl-util.c
index 093eaaa01b..eb9678a7d9 100644
--- a/src/test/test-acl-util.c
+++ b/src/test/test-acl-util.c
@@ -69,4 +69,62 @@ TEST_RET(add_acls_for_user) {
 return 0;
 }
 
+TEST(fd_acl_make_read_only) {
+ _cleanup_(unlink_tempfilep) char fn[] = "/tmp/test-empty.XXXXXX";
+ _cleanup_close_ int fd = -EBADF;
+ const char *cmd;
+ struct stat st;
+
+ fd = mkostemp_safe(fn);
+ assert_se(fd >= 0);
+
+ /* make it more exciting */
+ (void) fd_add_uid_acl_permission(fd, 1, ACL_READ|ACL_WRITE|ACL_EXECUTE);
+
+ assert_se(fstat(fd, &st) >= 0);
+ assert_se((st.st_mode & 0200) == 0200);
+
+ cmd = strjoina("getfacl -p ", fn);
+ assert_se(system(cmd) == 0);
+
+ cmd = strjoina("stat ", fn);
+ assert_se(system(cmd) == 0);
+
+ log_info("read-only");
+ assert_se(fd_acl_make_read_only(fd));
+
+ assert_se(fstat(fd, &st) >= 0);
+ assert_se((st.st_mode & 0222) == 0000);
+
+ cmd = strjoina("getfacl -p ", fn);
+ assert_se(system(cmd) == 0);
+
+ cmd = strjoina("stat ", fn);
+ assert_se(system(cmd) == 0);
+
+ log_info("writable");
+ assert_se(fd_acl_make_writable(fd));
+
+ assert_se(fstat(fd, &st) >= 0);
+ assert_se((st.st_mode & 0222) == 0200);
+
+ cmd = strjoina("getfacl -p ", fn);
+ assert_se(system(cmd) == 0);
+
+ cmd = strjoina("stat ", fn);
+ assert_se(system(cmd) == 0);
+
+ log_info("read-only");
+ assert_se(fd_acl_make_read_only(fd));
+
+ assert_se(fstat(fd, &st) >= 0);
+ assert_se((st.st_mode & 0222) == 0000);
+
+ cmd = strjoina("getfacl -p ", fn);
+ assert_se(system(cmd) == 0);
+
+ cmd = strjoina("stat ", fn);
+ assert_se(system(cmd) == 0);
+}
+
 DEFINE_TEST_MAIN(LOG_INFO);
|
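Review bot: The assertions in the new TEST(fd_acl_make_read_only) only inspect the owner write bits of `st_mode`; the `user:1` entry added via `fd_add_uid_acl_permission()` and the ACL mask — the state the commit message says must be preserved across the 'x'/'w' toggling — are merely printed through `getfacl` and never checked, so a regression that still resets the mask would pass this test. Read the ACL back after each `fd_acl_make_read_only()`/`fd_acl_make_writable()` call (libacl's `acl_get_fd()`, which the helpers under test presumably already use — confirm) and assert on the `ACL_USER` and `ACL_MASK` entries rather than relying on printed output. Separately, `assert_se(system(cmd) == 0)` turns the `getfacl`/`stat` diagnostics into hard failures on hosts without the `acl` package or where `/tmp` lacks ACL support; since they exist only for human inspection, `(void) system(cmd);` keeps the failure signal tied to the API under test. The `(void)` on `fd_add_uid_acl_permission()` likewise means the "more exciting" ACL may silently not be there, so asserting its return value (or skipping the test when it fails) would make the remaining checks meaningful.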