#!/bin/sh # # Copyright (c) 2010 Matthieu Moy # global test_description := ''Test repository with default ACL'' # Create the test repo with restrictive umask # => this must come before . ./test-lib.sh umask 077 source ./test-lib.sh # We need an arbitrary other user give permission to using ACLs. root # is a good candidate: exists on all unices, and it has permission # anyway, so we don't create a security hole running the testsuite. test_expect_success 'checking for a working acl setup' ' if setfacl -m d:m:rwx -m u:root:rwx . && getfacl . | grep user:root:rwx && touch should-have-readable-acl && getfacl should-have-readable-acl | egrep "mask::?rw-" then test_set_prereq SETFACL fi ' if test -z $LOGNAME { global LOGNAME := $(USER:-$(id -u -n)) } proc check_perms_and_acl { test -r $1 && getfacl $1 > actual && grep -q "user:root:rwx" actual && grep -q "user:$(LOGNAME):rwx" actual && egrep "mask::?r--" actual > /dev/null !2 > !1 && grep -q "group::---" actual || false } global dirs_to_set := '"./ .git/ .git/objects/ .git/objects/pack/'" test_expect_success SETFACL 'Setup test repo' ' setfacl -m d:u::rwx,d:g::---,d:o:---,d:m:rwx $dirs_to_set && setfacl -m m:rwx $dirs_to_set && setfacl -m u:root:rwx $dirs_to_set && setfacl -m d:u:"$LOGNAME":rwx $dirs_to_set && setfacl -m d:u:root:rwx $dirs_to_set && touch file.txt && git add file.txt && git commit -m "init" ' test_expect_success SETFACL 'Objects creation does not break ACLs with restrictive umask' ' # SHA1 for empty blob check_perms_and_acl .git/objects/e6/9de29bb2d1d6434b8b29ae775ad8c2e48c5391 ' test_expect_success SETFACL 'git gc does not break ACLs with restrictive umask' ' git gc && check_perms_and_acl .git/objects/pack/*.pack ' test_done (CommandList children: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:test_description) op: Equal rhs: {(SQ <"Test repository with default ACL">)} spids: [13] ) ] spids: [13] ) (C {(umask)} {(077)}) (C {(.)} {(./test-lib.sh)}) (C {(test_expect_success)} {(SQ <"checking for a working acl setup">)} { (SQ <"\n"> <"\tif setfacl -m d:m:rwx -m u:root:rwx . &&\n"> <"\t getfacl . | grep user:root:rwx &&\n"> <"\t touch should-have-readable-acl &&\n"> <"\t getfacl should-have-readable-acl | egrep \"mask::?rw-\"\n"> <"\tthen\n"> <"\t\ttest_set_prereq SETFACL\n"> <"\tfi\n"> ) } ) (If arms: [ (if_arm cond: [(C {(test)} {(-z)} {(DQ ($ VSub_Name "$LOGNAME"))})] action: [ (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:LOGNAME) op: Equal rhs: { (DQ (BracedVarSub token: suffix_op: (StringUnary op_id: VTest_ColonHyphen arg_word: { (CommandSubPart command_list: (CommandList children:[(C {(id)} {(-u)} {(-n)})]) left_token: spids: [80 86] ) } ) spids: [77 87] ) ) } spids: [75] ) ] spids: [75] ) ] spids: [-1 72] ) ] spids: [-1 90] ) (FuncDef name: check_perms_and_acl body: (BraceGroup children: [ (AndOr children: [ (C {(test)} {(-r)} {(DQ ($ VSub_Number "$1"))}) (AndOr children: [ (SimpleCommand words: [{(getfacl)} {(DQ ($ VSub_Number "$1"))}] redirects: [(Redir op_id:Redir_Great fd:-1 arg_word:{(actual)} spids:[118])] ) (AndOr children: [ (C {(grep)} {(-q)} {(DQ ("user:root:rwx"))} {(actual)}) (AndOr children: [ (C {(grep)} {(-q)} {(DQ ("user:") (${ VSub_Name LOGNAME) (":rwx"))} {(actual)} ) (AndOr children: [ (SimpleCommand words: [{(egrep)} {(DQ ("mask::?r--"))} {(actual)}] redirects: [ (Redir op_id: Redir_Great fd: -1 arg_word: {(/dev/null)} spids: [163] ) (Redir op_id: Redir_GreatAnd fd: 2 arg_word: {(1)} spids: [167] ) ] ) (AndOr children: [ (C {(grep)} {(-q)} {(DQ ("group::---"))} {(actual)}) (C {(false)}) ] op_id: Op_DPipe ) ] op_id: Op_DAmp ) ] op_id: Op_DAmp ) ] op_id: Op_DAmp ) ] op_id: Op_DAmp ) ] op_id: Op_DAmp ) ] spids: [98] ) spids: [93 97] ) (Assignment keyword: Assign_None pairs: [ (assign_pair lhs: (LhsName name:dirs_to_set) op: Equal rhs: {(DQ ("./ .git/ .git/objects/ .git/objects/pack/"))} spids: [190] ) ] spids: [190] ) (C {(test_expect_success)} {(SETFACL)} {(SQ <"Setup test repo">)} { (SQ <"\n"> <"\tsetfacl -m d:u::rwx,d:g::---,d:o:---,d:m:rwx $dirs_to_set &&\n"> <"\tsetfacl -m m:rwx $dirs_to_set &&\n"> <"\tsetfacl -m u:root:rwx $dirs_to_set &&\n"> <"\tsetfacl -m d:u:\"$LOGNAME\":rwx $dirs_to_set &&\n"> <"\tsetfacl -m d:u:root:rwx $dirs_to_set &&\n"> <"\n"> <"\ttouch file.txt &&\n"> <"\tgit add file.txt &&\n"> <"\tgit commit -m \"init\"\n"> ) } ) (C {(test_expect_success)} {(SETFACL)} {(SQ <"Objects creation does not break ACLs with restrictive umask">)} { (SQ <"\n"> <"\t# SHA1 for empty blob\n"> <"\tcheck_perms_and_acl .git/objects/e6/9de29bb2d1d6434b8b29ae775ad8c2e48c5391\n"> ) } ) (C {(test_expect_success)} {(SETFACL)} {(SQ <"git gc does not break ACLs with restrictive umask">)} {(SQ <"\n"> <"\tgit gc &&\n"> <"\tcheck_perms_and_acl .git/objects/pack/*.pack\n">)} ) (C {(test_done)}) ] )