git/t/t1304-default-acl.sh

#!/bin/sh
#
# Copyright (c) 2010 Matthieu Moy
#

test_description='Test repository with default ACL'

# Create the test repo with restrictive umask
# => this must come before . ./test-lib.sh
umask 077

TEST_PASSES_SANITIZE_LEAK=true
. ./test-lib.sh

# We need an arbitrary other user give permission to using ACLs. root
# is a good candidate: exists on all unices, and it has permission
# anyway, so we don't create a security hole running the testsuite.
test_expect_success 'checking for a working acl setup' '
	if setfacl -m d:m:rwx -m u:root:rwx . &&
	   getfacl . | grep user:root:rwx &&
	   touch should-have-readable-acl &&
	   getfacl should-have-readable-acl | grep -E "mask::?rw-"
	then
		test_set_prereq SETFACL
	fi
'

if test -z "$LOGNAME"
then
	LOGNAME="${USER:-$(id -u -n)}"
fi

check_perms_and_acl () {
	test -r "$1" &&
	getfacl "$1" > actual &&
	grep -q "user:root:rwx" actual &&
	grep -q "user:${LOGNAME}:rwx" actual &&
	grep -E "mask::?r--" actual > /dev/null 2>&1 &&
	grep -q "group::---" actual || false
}

dirs_to_set="./ .git/ .git/objects/ .git/objects/pack/"

test_expect_success SETFACL 'Setup test repo' '
	setfacl -m d:u::rwx,d:g::---,d:o:---,d:m:rwx $dirs_to_set &&
	setfacl -m m:rwx               $dirs_to_set &&
	setfacl -m u:root:rwx          $dirs_to_set &&
	setfacl -m d:u:"$LOGNAME":rwx  $dirs_to_set &&
	setfacl -m d:u:root:rwx        $dirs_to_set &&

	touch file.txt &&
	git add file.txt &&
	git commit -m "init"
'

test_expect_success SETFACL 'Objects creation does not break ACLs with restrictive umask' '
	# SHA1 for empty blob
	check_perms_and_acl .git/objects/$(echo $EMPTY_BLOB | sed -e "s,^\(..\),\1/,")
'

test_expect_success SETFACL 'git gc does not break ACLs with restrictive umask' '
	git gc &&
	check_perms_and_acl .git/objects/pack/*.pack
'

test_done
Add a testcase for ACL with restrictive umask. Right now, Git creates unreadable pack files on non-shared repositories when the user has a umask of 077, even when the default ACLs for the directory would give read/write access to a specific user. Loose object files are created world-readable, which doesn't break ACLs, but isn't necessarily desirable. Signed-off-by: Matthieu Moy <Matthieu.Moy@imag.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-02-22 22:32:11 +00:00			`#!/bin/sh`
			`#`
			`# Copyright (c) 2010 Matthieu Moy`
			`#`

			`test_description='Test repository with default ACL'`

			`# Create the test repo with restrictive umask`
			`# => this must come before . ./test-lib.sh`
			`umask 077`

tests: mark tests as passing with SANITIZE=leak When the "ab/various-leak-fixes" topic was merged in [1] only t6021 would fail if the tests were run in the "GIT_TEST_PASSING_SANITIZE_LEAK=check" mode, i.e. to check whether we marked all leak-free tests with "TEST_PASSES_SANITIZE_LEAK=true". Since then we've had various tests starting to pass under SANITIZE=leak. Let's mark those as passing, this is when they started to pass, narrowed down with "git bisect": - t5317-pack-objects-filter-objects.sh: In faebba436e6 (list-objects-filter: plug pattern_list leak, 2022-12-01). - t3210-pack-refs.sh, t5613-info-alternate.sh, t7403-submodule-sync.sh: In 189e97bc4ba (diff: remove parseopts member from struct diff_options, 2022-12-01). - t1408-packed-refs.sh: In ab91f6b7c42 (Merge branch 'rs/diff-parseopts', 2022-12-19). - t0023-crlf-am.sh, t4152-am-subjects.sh, t4254-am-corrupt.sh, t4256-am-format-flowed.sh, t4257-am-interactive.sh, t5403-post-checkout-hook.sh: In a658e881c13 (am: don't pass strvec to apply_parse_options(), 2022-12-13) - t1301-shared-repo.sh, t1302-repo-version.sh: In b07a819c05f (reflog: clear leftovers in reflog_expiry_cleanup(), 2022-12-13). - t1304-default-acl.sh, t1410-reflog.sh, t5330-no-lazy-fetch-with-commit-graph.sh, t5502-quickfetch.sh, t5604-clone-reference.sh, t6014-rev-list-all.sh, t7701-repack-unpack-unreachable.sh: In b0c61be3209 (Merge branch 'rs/reflog-expiry-cleanup', 2022-12-26) - t3800-mktag.sh, t5302-pack-index.sh, t5306-pack-nobase.sh, t5573-pull-verify-signatures.sh, t7612-merge-verify-signatures.sh: In 69bbbe484ba (hash-object: use fsck for object checks, 2023-01-18). - t1451-fsck-buffer.sh: In 8e4309038f0 (fsck: do not assume NUL-termination of buffers, 2023-01-19). - t6501-freshen-objects.sh: In abf2bb895b4 (Merge branch 'jk/hash-object-fsck', 2023-01-30) 1. 9ea1378d046 (Merge branch 'ab/various-leak-fixes', 2022-12-14) Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2023-02-06 23:07:36 +00:00			`TEST_PASSES_SANITIZE_LEAK=true`
Add a testcase for ACL with restrictive umask. Right now, Git creates unreadable pack files on non-shared repositories when the user has a umask of 077, even when the default ACLs for the directory would give read/write access to a specific user. Loose object files are created world-readable, which doesn't break ACLs, but isn't necessarily desirable. Signed-off-by: Matthieu Moy <Matthieu.Moy@imag.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-02-22 22:32:11 +00:00			`. ./test-lib.sh`

			`# We need an arbitrary other user give permission to using ACLs. root`
			`# is a good candidate: exists on all unices, and it has permission`
			`# anyway, so we don't create a security hole running the testsuite.`
t1304: improve setfacl prerequisite setup t1304 first runs setfacl as an experiment to see whether the filesystem supports ACLs, and skips the remaining tests if it does not. However, our setfacl run did not exercise the ACLs very well, and some filesystems may support our initial setfacl, but not the rest of the test. In particular, some versions of ecryptfs will erroneously apply the umask on top of an inherited directory ACL, causing our tests to fail. Let's be more careful and make sure both that we can read back the user ACL we set, and that the inherited ACL is propagated correctly. The latter catches the ecryptfs bug, but may also catch other bugs (e.g., an implementation which does not handle inherited ACLs at all). Since we're making the setup more complex, let's move it into its own test. This will hide the output for us unless the user wants to run "-v" to see it (and we don't need to bother printing anything about setfacl failing; the remaining tests will properly print "skip" due to the missing prerequisite). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2012-06-06 13:28:24 +00:00			`test_expect_success 'checking for a working acl setup' '`
			`if setfacl -m d:m:rwx -m u:root:rwx . &&`
			`getfacl . \| grep user:root:rwx &&`
			`touch should-have-readable-acl &&`
t: convert egrep usage to "grep -E" Despite POSIX states that: > The old egrep and fgrep commands are likely to be supported for many > years to come as implementation extensions, allowing historical > applications to operate unmodified. GNU grep 3.8 started to warn[1]: > The egrep and fgrep commands, which have been deprecated since > release 2.5.3 (2007), now warn that they are obsolescent and should > be replaced by grep -E and grep -F. Prepare for their removal in the future. [1]: https://lists.gnu.org/archive/html/info-gnu/2022-09/msg00001.html Signed-off-by: Đoàn Trần Công Danh <congdanhqx@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-09-21 13:02:31 +00:00			`getfacl should-have-readable-acl \| grep -E "mask::?rw-"`
t1304: improve setfacl prerequisite setup t1304 first runs setfacl as an experiment to see whether the filesystem supports ACLs, and skips the remaining tests if it does not. However, our setfacl run did not exercise the ACLs very well, and some filesystems may support our initial setfacl, but not the rest of the test. In particular, some versions of ecryptfs will erroneously apply the umask on top of an inherited directory ACL, causing our tests to fail. Let's be more careful and make sure both that we can read back the user ACL we set, and that the inherited ACL is propagated correctly. The latter catches the ecryptfs bug, but may also catch other bugs (e.g., an implementation which does not handle inherited ACLs at all). Since we're making the setup more complex, let's move it into its own test. This will hide the output for us unless the user wants to run "-v" to see it (and we don't need to bother printing anything about setfacl failing; the remaining tests will properly print "skip" due to the missing prerequisite). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2012-06-06 13:28:24 +00:00			`then`
			`test_set_prereq SETFACL`
			`fi`
			`'`
Add a testcase for ACL with restrictive umask. Right now, Git creates unreadable pack files on non-shared repositories when the user has a umask of 077, even when the default ACLs for the directory would give read/write access to a specific user. Loose object files are created world-readable, which doesn't break ACLs, but isn't necessarily desirable. Signed-off-by: Matthieu Moy <Matthieu.Moy@imag.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-02-22 22:32:11 +00:00
t1304: fall back to $USER if $LOGNAME is not defined For some reason $LOGNAME is not set anymore for me after an upgrade from Ubuntu 11.04 to 11.10. Use $USER in such a case. Signed-off-by: Rene Scharfe <rene.scharfe@lsrfire.ath.cx> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2011-10-14 17:44:45 +00:00			`if test -z "$LOGNAME"`
			`then`
t1304: Set LOGNAME even if USER is unset or null Avoid: # ./t1304-default-acl.sh ok 1 - checking for a working acl setup ok 2 - Setup test repo not ok 3 - Objects creation does not break ACLs with restrictive umask # # # SHA1 for empty blob # check_perms_and_acl .git/objects/e6/9de29bb2d1d6434b8b29ae775ad8c2e48c5391 # not ok 4 - git gc does not break ACLs with restrictive umask # # git gc && # check_perms_and_acl .git/objects/pack/*.pack # # failed 2 among 4 test(s) 1..4 on systems where USER isn't set. It's usually set by the login process, but it isn't set when launching some Docker images. For example: $ docker run --rm debian env HOME=/ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin HOSTNAME=b2dfdfe797ed 'id -u -n' has been in POSIX from Issue 2 through 2013 [1], so I don't expect compatibility issues. [1]: http://pubs.opengroup.org/onlinepubs/9699919799/utilities/id.html Signed-off-by: W. Trevor King <wking@tremily.us> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2014-10-17 21:39:00 +00:00			`LOGNAME="${USER:-$(id -u -n)}"`
t1304: fall back to $USER if $LOGNAME is not defined For some reason $LOGNAME is not set anymore for me after an upgrade from Ubuntu 11.04 to 11.10. Use $USER in such a case. Signed-off-by: Rene Scharfe <rene.scharfe@lsrfire.ath.cx> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2011-10-14 17:44:45 +00:00			`fi`

Add a testcase for ACL with restrictive umask. Right now, Git creates unreadable pack files on non-shared repositories when the user has a umask of 077, even when the default ACLs for the directory would give read/write access to a specific user. Loose object files are created world-readable, which doesn't break ACLs, but isn't necessarily desirable. Signed-off-by: Matthieu Moy <Matthieu.Moy@imag.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-02-22 22:32:11 +00:00			`check_perms_and_acl () {`
t/t1304: use 'test -r' to test readability rather than looking at mode bits This test was using the group read permission bit as an indicator of the default ACL mask. This behavior is valid on Linux but not on other platforms like Solaris. So, rather than looking at mode bits, just test readability for the user. This, along with the checks for the existence of the ACL's that were set on the parent directories, should be enough. Signed-off-by: Brandon Casey <casey@nrlssc.navy.mil> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-03-15 17:14:35 +00:00			`test -r "$1" &&`
Add a testcase for ACL with restrictive umask. Right now, Git creates unreadable pack files on non-shared repositories when the user has a umask of 077, even when the default ACLs for the directory would give read/write access to a specific user. Loose object files are created world-readable, which doesn't break ACLs, but isn't necessarily desirable. Signed-off-by: Matthieu Moy <Matthieu.Moy@imag.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-02-22 22:32:11 +00:00			`getfacl "$1" > actual &&`
			`grep -q "user:root:rwx" actual &&`
			`grep -q "user:${LOGNAME}:rwx" actual &&`
t: convert egrep usage to "grep -E" Despite POSIX states that: > The old egrep and fgrep commands are likely to be supported for many > years to come as implementation extensions, allowing historical > applications to operate unmodified. GNU grep 3.8 started to warn[1]: > The egrep and fgrep commands, which have been deprecated since > release 2.5.3 (2007), now warn that they are obsolescent and should > be replaced by grep -E and grep -F. Prepare for their removal in the future. [1]: https://lists.gnu.org/archive/html/info-gnu/2022-09/msg00001.html Signed-off-by: Đoàn Trần Công Danh <congdanhqx@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2022-09-21 13:02:31 +00:00			`grep -E "mask::?r--" actual > /dev/null 2>&1 &&`
Add a testcase for ACL with restrictive umask. Right now, Git creates unreadable pack files on non-shared repositories when the user has a umask of 077, even when the default ACLs for the directory would give read/write access to a specific user. Loose object files are created world-readable, which doesn't break ACLs, but isn't necessarily desirable. Signed-off-by: Matthieu Moy <Matthieu.Moy@imag.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-02-22 22:32:11 +00:00			`grep -q "group::---" actual \|\| false`
			`}`

			`dirs_to_set="./ .git/ .git/objects/ .git/objects/pack/"`

t/t1304-default-acl: change from skip_all=* to prereq skip Change this test to skip test with test prerequisites, and to do setup work in tests. This improves the skipped statistics on platforms where the test isn't run. Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-08-11 19:04:04 +00:00			`test_expect_success SETFACL 'Setup test repo' '`
t/t1304: set the Default ACL base entries According to the Linux setfacl man page, in order for an ACL to be valid, the following rules must be satisfied: * Whenever an ACL contains any Default ACL entries, the three Default ACL base entries (default owner, default group, and default others) must also exist. * Whenever a Default ACL contains named user entries or named group objects, it must also contain a default effective rights mask. Some implementations of setfacl (Linux) do this automatically when necessary, some (Solaris) do not. Solaris's setfacl croaks when trying to create a default user ACL if the above rules are not satisfied. So, create them before modifying the default user ACL's. Signed-off-by: Brandon Casey <casey@nrlssc.navy.mil> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-03-15 17:14:34 +00:00			`setfacl -m d:u::rwx,d:g::---,d:o:---,d:m:rwx $dirs_to_set &&`
t/t1304: set the ACL effective rights mask Some implementations of setfacl do not recalculate the effective rights mask when the ACL is modified. So, set the effective rights mask explicitly to ensure that the ACL's that are set on the directories will have effect. Signed-off-by: Brandon Casey <casey@nrlssc.navy.mil> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-03-15 18:35:03 +00:00			`setfacl -m m:rwx $dirs_to_set &&`
Add a testcase for ACL with restrictive umask. Right now, Git creates unreadable pack files on non-shared repositories when the user has a umask of 077, even when the default ACLs for the directory would give read/write access to a specific user. Loose object files are created world-readable, which doesn't break ACLs, but isn't necessarily desirable. Signed-off-by: Matthieu Moy <Matthieu.Moy@imag.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-02-22 22:32:11 +00:00			`setfacl -m u:root:rwx $dirs_to_set &&`
t/t1304: avoid -d option to setfacl Some platforms (Solaris) have a setfacl whose -d switch works differently than the one on Linux. On Linux, it causes all operations to be applied to the Default ACL. There is a notation for operating on the Default ACL: [d[efault]:] [u[ser]:]uid [:perms] so use it instead of the -d switch. Signed-off-by: Brandon Casey <casey@nrlssc.navy.mil> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-03-15 17:14:33 +00:00			`setfacl -m d:u:"$LOGNAME":rwx $dirs_to_set &&`
			`setfacl -m d:u:root:rwx $dirs_to_set &&`
Add a testcase for ACL with restrictive umask. Right now, Git creates unreadable pack files on non-shared repositories when the user has a umask of 077, even when the default ACLs for the directory would give read/write access to a specific user. Loose object files are created world-readable, which doesn't break ACLs, but isn't necessarily desirable. Signed-off-by: Matthieu Moy <Matthieu.Moy@imag.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-02-22 22:32:11 +00:00
			`touch file.txt &&`
			`git add file.txt &&`
			`git commit -m "init"`
			`'`

t/t1304-default-acl: change from skip_all=* to prereq skip Change this test to skip test with test prerequisites, and to do setup work in tests. This improves the skipped statistics on platforms where the test isn't run. Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-08-11 19:04:04 +00:00			`test_expect_success SETFACL 'Objects creation does not break ACLs with restrictive umask' '`
Add a testcase for ACL with restrictive umask. Right now, Git creates unreadable pack files on non-shared repositories when the user has a umask of 077, even when the default ACLs for the directory would give read/write access to a specific user. Loose object files are created world-readable, which doesn't break ACLs, but isn't necessarily desirable. Signed-off-by: Matthieu Moy <Matthieu.Moy@imag.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-02-22 22:32:11 +00:00			`# SHA1 for empty blob`
t1304: abstract away SHA-1-specific constants Adjust the test so that it uses the $EMPTY_BLOB value instead of hard-coding the hash. Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2018-03-25 19:20:47 +00:00			`check_perms_and_acl .git/objects/$(echo $EMPTY_BLOB \| sed -e "s,^\(..\),\1/,")`
Add a testcase for ACL with restrictive umask. Right now, Git creates unreadable pack files on non-shared repositories when the user has a umask of 077, even when the default ACLs for the directory would give read/write access to a specific user. Loose object files are created world-readable, which doesn't break ACLs, but isn't necessarily desirable. Signed-off-by: Matthieu Moy <Matthieu.Moy@imag.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-02-22 22:32:11 +00:00			`'`

t/t1304-default-acl: change from skip_all=* to prereq skip Change this test to skip test with test prerequisites, and to do setup work in tests. This improves the skipped statistics on platforms where the test isn't run. Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-08-11 19:04:04 +00:00			`test_expect_success SETFACL 'git gc does not break ACLs with restrictive umask' '`
Add a testcase for ACL with restrictive umask. Right now, Git creates unreadable pack files on non-shared repositories when the user has a umask of 077, even when the default ACLs for the directory would give read/write access to a specific user. Loose object files are created world-readable, which doesn't break ACLs, but isn't necessarily desirable. Signed-off-by: Matthieu Moy <Matthieu.Moy@imag.fr> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2010-02-22 22:32:11 +00:00			`git gc &&`
			`check_perms_and_acl .git/objects/pack/*.pack`
			`'`

			`test_done`