[mirror_zfs.git] / tests / zfs-tests / tests / functional / privilege / privilege_002_pos.ksh

#!/bin/ksh -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#

#
# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

#
# Copyright (c) 2013, 2016 by Delphix. All rights reserved.
#

. $STF_SUITE/include/libtest.shlib

#
# DESCRIPTION:
#
# The RBAC profile "ZFS File System Management" works
#
# STRATEGY:
#
#	The following actions are taken, both using profile execution (pfexec)
#	and without profile execution - we make sure that the latter should
#	always fail.
#
#	(create)
#	1. As a normal user, try to create a filesystem - which should fail.
#       2. Assign "ZFS File System Management" profile, try to create fs again,
#	   which should succeed.
#
#	(pools)
#	3. Ensure a user with this profile can't perform pool administration
#	   by attempting to destroy a pool.
#
#	(destroy)
#       5. Remove the FS profile, then attempt to destroy the fs, which
# 	   should fail.
#	6. Assign the FS profile, then attempt to destroy the fs, which
#	   should succeed.
#

verify_runnable "both"

if is_linux || is_freebsd; then
	log_unsupported "Requires pfexec command"
fi

log_assert "The RBAC profile \"ZFS File System Management\" works"

ZFS_USER=$(<$TEST_BASE_DIR/zfs-privs-test-user.txt)

# Set a $DATASET where we can create child files systems
if is_global_zone; then
	log_must zpool create -f $TESTPOOL $DISKS
	DATASET=$TESTPOOL
else
	DATASET=zonepool/zonectr0
fi

# A user shouldn't be able to create filesystems
log_mustnot user_run $ZFS_USER "zfs create $DATASET/zfsprivfs"

# Insist this invocation of usermod works
log_must usermod -P "ZFS File System Management" $ZFS_USER

# Now try to create file systems as the user
log_mustnot user_run $ZFS_USER "zfs create $DATASET/zfsprivfs"
log_must user_run $ZFS_USER "pfexec zfs create $DATASET/zfsprivfs"

# Ensure the user can't do anything to pools in this state:
log_mustnot user_run $ZFS_USER "zpool destroy $DATASET"
log_mustnot user_run $ZFS_USER "pfexec zpool destroy $DATASET"

# revoke File System Management profile
usermod -P, $ZFS_USER

# Ensure the user can't create more filesystems
log_mustnot user_run $ZFS_USER "zfs create $DATASET/zfsprivfs2"
log_mustnot user_run $ZFS_USER "pfexec zfs create $DATASET/zfsprivfs2"

# assign the profile again and destroy the fs.
usermod -P "ZFS File System Management" $ZFS_USER
log_must user_run $ZFS_USER "pfexec zfs destroy $DATASET/zfsprivfs"
usermod -P, $ZFS_USER

log_pass "The RBAC profile \"ZFS File System Management\" works"
Commit	Line	Data
6bb24f4d BB	1	#!/bin/ksh -p
	2	#
	3	# CDDL HEADER START
	4	#
	5	# The contents of this file are subject to the terms of the
	6	# Common Development and Distribution License (the "License").
	7	# You may not use this file except in compliance with the License.
	8	#
	9	# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
	10	# or http://www.opensolaris.org/os/licensing.
	11	# See the License for the specific language governing permissions
	12	# and limitations under the License.
	13	#
	14	# When distributing Covered Code, include this CDDL HEADER in each
	15	# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
	16	# If applicable, add the following below this CDDL HEADER, with the
	17	# fields enclosed by brackets "[]" replaced with your own identifying
	18	# information: Portions Copyright [yyyy] [name of copyright owner]
	19	#
	20	# CDDL HEADER END
	21	#
	22
	23	#
	24	# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
	25	# Use is subject to license terms.
	26	#
	27
	28	#
c1d9abf9	29	# Copyright (c) 2013, 2016 by Delphix. All rights reserved.
6bb24f4d BB	30	#
	31
	32	. $STF_SUITE/include/libtest.shlib
	33
	34	#
	35	# DESCRIPTION:
	36	#
	37	# The RBAC profile "ZFS File System Management" works
	38	#
	39	# STRATEGY:
	40	#
	41	# The following actions are taken, both using profile execution (pfexec)
	42	# and without profile execution - we make sure that the latter should
	43	# always fail.
	44	#
	45	# (create)
	46	# 1. As a normal user, try to create a filesystem - which should fail.
	47	# 2. Assign "ZFS File System Management" profile, try to create fs again,
	48	# which should succeed.
	49	#
	50	# (pools)
	51	# 3. Ensure a user with this profile can't perform pool administration
	52	# by attempting to destroy a pool.
	53	#
	54	# (destroy)
	55	# 5. Remove the FS profile, then attempt to destroy the fs, which
	56	# should fail.
	57	# 6. Assign the FS profile, then attempt to destroy the fs, which
	58	# should succeed.
	59	#
	60
	61	verify_runnable "both"
	62
7839c4b5	63	if is_linux \|\| is_freebsd; then
95401cb6 BB	64	log_unsupported "Requires pfexec command"
	65	fi
	66
6bb24f4d BB	67	log_assert "The RBAC profile \"ZFS File System Management\" works"
6bb24f4d BB	68
58aeb87a	69	ZFS_USER=$(<$TEST_BASE_DIR/zfs-privs-test-user.txt)
6bb24f4d BB	70
	71	# Set a $DATASET where we can create child files systems
	72	if is_global_zone; then
c1d9abf9	73	log_must zpool create -f $TESTPOOL $DISKS
6bb24f4d BB	74	DATASET=$TESTPOOL
	75	else
	76	DATASET=zonepool/zonectr0
	77	fi
	78
	79	# A user shouldn't be able to create filesystems
9c3dcab5	80	log_mustnot user_run $ZFS_USER "zfs create $DATASET/zfsprivfs"
6bb24f4d BB	81
6bb24f4d BB	82	# Insist this invocation of usermod works
c1d9abf9	83	log_must usermod -P "ZFS File System Management" $ZFS_USER
6bb24f4d BB	84
6bb24f4d BB	85	# Now try to create file systems as the user
9c3dcab5 GM	86	log_mustnot user_run $ZFS_USER "zfs create $DATASET/zfsprivfs"
9c3dcab5 GM	87	log_must user_run $ZFS_USER "pfexec zfs create $DATASET/zfsprivfs"
6bb24f4d BB	88
6bb24f4d BB	89	# Ensure the user can't do anything to pools in this state:
9c3dcab5 GM	90	log_mustnot user_run $ZFS_USER "zpool destroy $DATASET"
9c3dcab5 GM	91	log_mustnot user_run $ZFS_USER "pfexec zpool destroy $DATASET"
6bb24f4d BB	92
6bb24f4d BB	93	# revoke File System Management profile
c1d9abf9	94	usermod -P, $ZFS_USER
6bb24f4d BB	95
6bb24f4d BB	96	# Ensure the user can't create more filesystems
9c3dcab5 GM	97	log_mustnot user_run $ZFS_USER "zfs create $DATASET/zfsprivfs2"
9c3dcab5 GM	98	log_mustnot user_run $ZFS_USER "pfexec zfs create $DATASET/zfsprivfs2"
6bb24f4d BB	99
6bb24f4d BB	100	# assign the profile again and destroy the fs.
c1d9abf9	101	usermod -P "ZFS File System Management" $ZFS_USER
9c3dcab5	102	log_must user_run $ZFS_USER "pfexec zfs destroy $DATASET/zfsprivfs"
c1d9abf9	103	usermod -P, $ZFS_USER
6bb24f4d BB	104
6bb24f4d BB	105	log_pass "The RBAC profile \"ZFS File System Management\" works"