#!/bin/sh
#
# Copyright (c) 2010 Matthieu Moy
#
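test_description='Test repository with default ACL'

# Create the test repo with a restrictive umask: 077 masks out every group
# and other permission bit on newly created files and directories.
# => this must come before . ./test-lib.sh
# NOTE(review): presumably because test-lib.sh is what creates the test
# repository -- confirm against test-lib.sh.
umask 077

. ./test-lib.sh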
# We need an arbitrary other user to give permissions to using ACLs. root
# is a good candidate: it exists on all unices, and it has permission
# anyway, so we don't create a security hole by running the testsuite.
t1304: improve setfacl prerequisite setup
t1304 first runs setfacl as an experiment to see whether the
filesystem supports ACLs, and skips the remaining tests if
it does not. However, our setfacl run did not exercise the
ACLs very well, and some filesystems may support our initial
setfacl, but not the rest of the test.
In particular, some versions of ecryptfs will erroneously
apply the umask on top of an inherited directory ACL,
causing our tests to fail. Let's be more careful and make
sure both that we can read back the user ACL we set, and
that the inherited ACL is propagated correctly. The latter
catches the ecryptfs bug, but may also catch other bugs
(e.g., an implementation which does not handle inherited
ACLs at all).
Since we're making the setup more complex, let's move it
into its own test. This will hide the output for us unless
the user wants to run "-v" to see it (and we don't need to
bother printing anything about setfacl failing; the
remaining tests will properly print "skip" due to the
missing prerequisite).
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
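# Probe whether the filesystem under the test directory handles ACLs well
# enough for the remaining tests, and set the SETFACL prerequisite only if
# it does. The "if" has no else branch, so a failed probe leaves the
# prerequisite unset instead of failing this test.
#
# The probe checks two things:
#   1. a user entry set on "." can be read back with getfacl;
#   2. a file created under the default mask d:m:rwx gets mask rw-, i.e. the
#      inherited ACL is propagated and umask 077 is not applied on top of it
#      (some ecryptfs versions get this wrong).
test_expect_success 'checking for a working acl setup' '
	if setfacl -m d:m:rwx -m u:root:rwx . &&
	   getfacl . | grep user:root:rwx &&
	   touch should-have-readable-acl &&
	   getfacl should-have-readable-acl | grep -E "mask::?rw-"
	then
		test_set_prereq SETFACL
	fi
'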
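# The ACL specs and checks further down name the current user through
# $LOGNAME. When the environment leaves it unset or empty, fall back to
# $USER, and finally to the name "id" reports for the effective user ID.
if test -z "$LOGNAME"
then
	LOGNAME="${USER:-$(id -u -n)}"
fi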
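# Verify that a path is readable and carries the ACL the tests expect.
#
# Arguments: $1 - path to inspect
# Globals:   LOGNAME (read) - login name expected to hold an rwx entry
# Outputs:   overwrites the file "actual" in the current directory with the
#            getfacl listing of $1
# Returns:   0 when $1 is readable and the listing contains user:root:rwx,
#            user:$LOGNAME:rwx, a mask of r-- and group::---; 1 otherwise
check_perms_and_acl () {
	test -r "$1" &&
	getfacl "$1" >actual &&
	grep -q "user:root:rwx" actual &&
	# -F: the login name is data, not a regular expression, so a name
	# containing "." or "[" must be matched literally.
	grep -qF "user:${LOGNAME}:rwx" actual &&
	grep -E "mask::?r--" actual >/dev/null 2>&1 &&
	# "|| false" folds any failure of the chain into exit status 1.
	grep -q "group::---" actual || false
}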
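# Directories that receive the ACLs. The value is a space-separated list and
# is expanded unquoted below on purpose, so that setfacl sees four paths.
dirs_to_set="./ .git/ .git/objects/ .git/objects/pack/"

# Install the ACLs on the repository directories, then create one commit.
#   - default (d:) entries: owner rwx, group and other nothing, mask rwx
#   - access mask rwx and an access entry for root on the directories
#   - default entries granting rwx to $LOGNAME and to root
# file.txt is created empty, so the commit stores the empty blob.
test_expect_success SETFACL 'Setup test repo' '
	setfacl -m d:u::rwx,d:g::---,d:o:---,d:m:rwx $dirs_to_set &&
	setfacl -m m:rwx $dirs_to_set &&
	setfacl -m u:root:rwx $dirs_to_set &&
	setfacl -m d:u:"$LOGNAME":rwx $dirs_to_set &&
	setfacl -m d:u:root:rwx $dirs_to_set &&

	touch file.txt &&
	git add file.txt &&
	git commit -m "init"
'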
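# The loose object written for the empty file.txt must be readable and carry
# the ACL that check_perms_and_acl expects, despite umask 077.
test_expect_success SETFACL 'Objects creation does not break ACLs with restrictive umask' '
	# $EMPTY_BLOB is not set in this file; it is expected to hold the
	# object name of the empty blob. sed inserts "/" after the first two
	# characters to form the loose-object path. The expansion is quoted
	# so the path always reaches the helper as a single argument.
	check_perms_and_acl ".git/objects/$(echo "$EMPTY_BLOB" | sed -e "s,^\(..\),\1/,")"
'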
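# After repacking, the pack file must be readable and carry the ACL that
# check_perms_and_acl expects, despite umask 077.
test_expect_success SETFACL 'git gc does not break ACLs with restrictive umask' '
	git gc &&
	# check_perms_and_acl inspects only its first argument, so if the
	# glob ever matched several packs, only the first would be checked.
	check_perms_and_acl .git/objects/pack/*.pack
'

test_done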