Check in Andreas Gruenbacher's nfs v4 acl tests into the xfstests suite.

Merge of master-melb:xfs-cmds:32058a by kenmcd. Run all the tests in xfstests/nfs4acl
2026-05-01 15:01:44 -07:00 · 2008-09-05 06:18:15 +00:00
parent ed08552846
commit 841b609ec9
15 changed files with 1283 additions and 0 deletions
@@ -0,0 +1,62 @@
+#!/bin/sh
+# FS QA Test No. 191
+#
+# To call into the nfs4acl qa suite of Andreas Gruenbacher.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2008 Silicon Graphics, Inc.  All Rights Reserved.
+#-----------------------------------------------------------------------
+#
+# creator
+owner=tes@emu.melbourne.sgi.com
+
+seq=`basename $0`
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "rm -f $tmp.*; exit \$status" 0 1 2 3 15
+
+# get standard environment, filters and checks
+. ./common.rc
+. ./common.filter
+
+# real QA test starts here
+
+# Modify as appropriate.
+_supported_fs xfs
+_supported_os Linux
+
+_require_scratch
+_scratch_mkfs_xfs -i nfs4acl 1>$tmp.mkfs 2>$seq.full
+if [ $? -ne 0 ]
+then
+	_notrun "no mkfs support for NFS v4 ACLs"
+fi
+
+_scratch_mount 2>/dev/null
+if [ $? -ne 0 ]
+then
+	_notrun "no kernel mount support for NFS v4 ACLs"
+fi
+
+set_prog_path nfs4acl >>$seq.full
+if [ $? -ne 0 ]
+then
+	_notrun "no nfs4acl utility found"
+fi
+
+cd $SCRATCH_MNT
+for file in $here/nfs4acl/*.test
+do
+	print_file=`echo $file | sed 's/.*nfs4acl/nfs4acl/'`
+	echo ""
+	echo "*** $print_file ***"
+	echo ""
+	$here/nfs4acl/run $file
+done
+
+# success, all done
+status=0
+exit
@@ -0,0 +1,324 @@
+QA output created by 191
+
+*** nfs4acl/apply-mask.test ***
+
+[1] $ rm -rf d -- ok
+[2] $ mkdir d -- ok
+[3] $ cd d -- ok
+[5] $ touch x -- ok
+[7] $ nfs4acl --set 'owner@:rw::allow group@:rw::allow everyone@:r::allow' x -- ok
+[8] $ nfs4acl --get x -- ok
+[15] $ nfs4acl --set 'everyone@:w::allow owner@:r::allow group@:r::allow' x -- ok
+[16] $ chmod 664 x -- ok
+[17] $ nfs4acl --get x -- ok
+[23] $ nfs4acl --set 'everyone@:w::deny owner@:rw::allow group@:rw::allow' x -- ok
+[24] $ chmod 664 x -- ok
+[25] $ nfs4acl --get x -- ok
+[31] $ nfs4acl --set 'owner@:rwmo::allow' x -- ok
+[32] $ nfs4acl --get x -- ok
+[37] $ chmod 644 x -- ok
+[38] $ nfs4acl --get x -- ok
+[43] $ nfs4acl --set 'root:rw::allow' x -- ok
+[44] $ chmod 664 x -- ok
+[45] $ nfs4acl --get x -- ok
+[50] $ chmod 644 x -- ok
+[51] $ nfs4acl --get x -- ok
+[56] $ chmod 664 x -- ok
+[57] $ nfs4acl --get x -- ok
+[62] $ nfs4acl --set 'root:rw::allow everyone@:r::allow' x -- ok
+[63] $ chmod 664 x -- ok
+[64] $ nfs4acl --get x -- ok
+[70] $ nfs4acl --set 'root:r::allow everyone@:rw::allow' x -- ok
+[71] $ chmod 664 x -- ok
+[72] $ nfs4acl --get x -- ok
+[80] $ nfs4acl --set 'root:w::deny everyone@:rw::allow' x -- ok
+[81] $ chmod 664 x -- ok
+[82] $ nfs4acl --get x -- ok
+[91] $ nfs4acl --set 'root:rw::allow root:w::deny everyone@:rw::allow' x -- ok
+[92] $ chmod 664 x -- ok
+[93] $ nfs4acl --get x -- ok
+[102] $ nfs4acl --set 'everyone@:rw::allow' x -- ok
+[103] $ chmod 066 x -- ok
+[104] $ nfs4acl --get x -- ok
+[110] $ chmod 006 x -- ok
+[111] $ nfs4acl --get x -- ok
+[118] $ chmod 606 x -- ok
+[119] $ nfs4acl --get x -- ok
+[125] $ nfs4acl --set 'root:rw::allow everyone@:rw::allow' x -- ok
+[126] $ chmod 606 x -- ok
+[127] $ nfs4acl --get x -- ok
+[133] $ chmod 646 x -- ok
+[134] $ nfs4acl --get x -- ok
+[142] $ cd .. -- ok
+[143] $ rm -rf d -- ok
+49 commands (49 passed, 0 failed)
+
+*** nfs4acl/basic.test ***
+
+[1] $ rm -rf d -- ok
+[2] $ mkdir d -- ok
+[3] $ cd d -- ok
+[5] $ chown bin . -- ok
+[6] $ su bin -- ok
+[8] $ touch x -- ok
+[9] $ nfs4acl --set 'everyone@:rw::allow' x -- ok
+[10] $ ls -l x | cut -d ' ' -f 1 -- ok
+[13] $ nfs4acl --get x -- ok
+[18] $ chmod 664 x -- ok
+[19] $ ls -l x | cut -d ' ' -f 1 -- ok
+[22] $ nfs4acl --get x -- ok
+[29] $ mkdir sub -- ok
+[30] $ nfs4acl --set 'everyone@:rwax:fd:allow' sub -- ok
+[31] $ ls -dl sub | cut -d ' ' -f 1 -- ok
+[34] $ nfs4acl --get sub -- ok
+[39] $ chmod 775 sub -- ok
+[40] $ ls -dl sub | cut -d ' ' -f 1 -- ok
+[42] $ nfs4acl --get sub -- ok
+[50] $ touch sub/f -- ok
+[51] $ ls -l sub/f | cut -d ' ' -f 1 -- ok
+[54] $ nfs4acl --get sub/f -- ok
+[59] $ mkdir sub/sub2 -- ok
+[60] $ ls -dl sub/sub2 | cut -d ' ' -f 1 -- ok
+[63] $ nfs4acl --get sub/sub2 -- ok
+[68] $ su -- ok
+[69] $ cd .. -- ok
+[70] $ rm -rf d -- ok
+28 commands (28 passed, 0 failed)
+
+*** nfs4acl/chmod.test ***
+
+[1] $ mkdir d -- ok
+[2] $ cd d -- ok
+[4] $ whoami -- ok
+[7] $ touch a -- ok
+[10] $ su bin -- ok
+[11] $ chmod 666 a -- ok
+[13] $ nfs4acl --set 'bin:rwM::allow' a -- ok
+[16] $ su -- ok
+[17] $ nfs4acl --set 'bin:rwm::allow' a -- ok
+[20] $ su bin -- ok
+[21] $ nfs4acl --set 'bin:rwm::allow' a -- ok
+[25] $ chmod 666 a -- ok
+[26] $ nfs4acl --set 'bin:rwm::allow' a -- ok
+[29] $ su -- ok
+[30] $ cd .. -- ok
+[31] $ rm -rf d -- ok
+16 commands (16 passed, 0 failed)
+
+*** nfs4acl/chown.test ***
+
+[1] $ mkdir d -- ok
+[2] $ cd d -- ok
+[4] $ whoami -- ok
+[7] $ id -Gn daemon -- ok
+[10] $ touch a -- ok
+[13] $ su daemon -- ok
+[14] $ chown daemon a -- ok
+[16] $ chgrp daemon a -- ok
+[18] $ nfs4acl --set 'daemon:rwo::allow' a -- ok
+[23] $ su -- ok
+[24] $ nfs4acl --set 'daemon:rwo::allow' a -- ok
+[27] $ su daemon -- ok
+[28] $ chown root a -- ok
+[30] $ chgrp root a -- ok
+[35] $ su -- ok
+[36] $ ls -l a | cut -d ' ' -f1 -- ok
+[38] $ chmod 660 a -- ok
+[42] $ su daemon -- ok
+[43] $ chown daemon a -- ok
+[45] $ chgrp daemon a -- ok
+[47] $ chgrp bin a -- ok
+[51] $ su -- ok
+[52] $ nfs4acl --set 'daemon:rwo::allow' a -- ok
+[56] $ su daemon -- ok
+[57] $ chgrp daemon a -- ok
+[58] $ chgrp bin a -- ok
+[59] $ chown daemon a -- ok
+[61] $ su -- ok
+[62] $ cd .. -- ok
+[63] $ rm -rf d -- ok
+30 commands (30 passed, 0 failed)
+
+*** nfs4acl/computed-mode.test ***
+
+[1] $ rm -rf d -- ok
+[2] $ mkdir d -- ok
+[3] $ cd d -- ok
+[5] $ mkdir e -- ok
+[7] $ nfs4acl --set 'owner@:rwx:f:allow' e -- ok
+[8] $ touch e/f -- ok
+[9] $ ls -l e/f | cut -d ' ' -f 1 -- ok
+[11] $ rm e/f -- ok
+[13] $ nfs4acl --set 'group@:rwx:f:allow' e -- ok
+[14] $ touch e/f -- ok
+[15] $ ls -l e/f | cut -d ' ' -f 1 -- ok
+[17] $ rm e/f -- ok
+[19] $ nfs4acl --set 'everyone@:rwx:f:allow' e -- ok
+[20] $ touch e/f -- ok
+[21] $ ls -l e/f | cut -d ' ' -f 1 -- ok
+[23] $ rm e/f -- ok
+[25] $ nfs4acl --set 'owner@:rwx:f:allow root:rx:f:deny root:rx:f:allow' e -- ok
+[26] $ touch e/f -- ok
+[27] $ ls -l e/f | cut -d ' ' -f 1 -- ok
+[29] $ rm e/f -- ok
+[31] $ nfs4acl --set 'owner@:rwx::allow everyone@:w:fi:deny everyone@:rwx:fi:allow' e -- ok
+[32] $ touch e/f -- ok
+[33] $ ls -l e/f | cut -d ' ' -f 1 -- ok
+[35] $ rm e/f -- ok
+[37] $ nfs4acl --set 'owner@:rwx::allow root:rx:fi:deny root:rx:fi:allow' e -- ok
+[38] $ touch e/f -- ok
+[39] $ ls -l e/f | cut -d ' ' -f 1 -- ok
+[41] $ rm e/f -- ok
+[43] $ nfs4acl --set 'owner@:rx:fi:allow group@:rwx:fi:deny everyone@:rwx:f:allow' e -- ok
+[44] $ touch e/f -- ok
+[45] $ ls -l e/f | cut -d ' ' -f 1 -- ok
+[47] $ rm e/f -- ok
+[49] $ nfs4acl --set 'owner@:rx:fi:allow root:rwx:fi:deny everyone@:rwx:f:allow' e -- ok
+[50] $ touch e/f -- ok
+[51] $ ls -l e/f | cut -d ' ' -f 1 -- ok
+[53] $ rm e/f -- ok
+[55] $ nfs4acl --set 'everyone@:w:fi:deny root:rx:fi:allow everyone@:rwx:f:allow' e -- ok
+[56] $ touch e/f -- ok
+[57] $ ls -l e/f | cut -d ' ' -f 1 -- ok
+[59] $ rm e/f -- ok
+[61] $ cd .. -- ok
+[62] $ rm -rf d -- ok
+42 commands (42 passed, 0 failed)
+
+*** nfs4acl/create.test ***
+
+[1] $ mkdir d -- ok
+[2] $ cd d -- ok
+[4] $ whoami -- ok
+[7] $ mkdir d1 d2 d3 d4 -- ok
+[8] $ nfs4acl --set 'daemon:wx::allow' d2 -- ok
+[9] $ nfs4acl --set 'daemon:ax::allow' d3 -- ok
+[10] $ nfs4acl --set 'daemon:wax::allow' d4 -- ok
+[12] $ su daemon -- ok
+[15] $ touch d1/f -- ok
+[17] $ mkdir d1/d -- ok
+[21] $ touch d2/f -- ok
+[22] $ mkdir d2/d -- ok
+[26] $ touch d3/f -- ok
+[28] $ mkdir d3/d -- ok
+[31] $ touch d4/f -- ok
+[32] $ mkdir d4/d -- ok
+[33] $ su -- ok
+[34] $ cd .. -- ok
+[35] $ rm -rf d -- ok
+19 commands (19 passed, 0 failed)
+
+*** nfs4acl/ctime.test ***
+
+[1] $ mkdir d -- ok
+[2] $ cd d -- ok
+[4] $ whoami -- ok
+[7] $ touch a b -- ok
+[8] $ sleep 1 -- ok
+[11] $ su bin -- ok
+[12] $ touch a -- ok
+[17] $ su -- ok
+[18] $ nfs4acl --set 'bin:rw::allow' a -- ok
+[20] $ su bin -- ok
+[21] $ touch a -- ok
+[22] $ [ b -ot a ] || echo 'b should be older than a' -- ok
+[23] $ touch -r b a -- ok
+[27] $ su -- ok
+[28] $ nfs4acl --set 'bin:rwt::allow' a -- ok
+[30] $ su bin -- ok
+[31] $ touch -r b a -- ok
+[32] $ [ b -ot a -o a -ot b ] && echo 'a should be as old as b' -- ok
+[34] $ su -- ok
+[35] $ cd .. -- ok
+[36] $ rm -rf d -- ok
+21 commands (21 passed, 0 failed)
+
+*** nfs4acl/delete.test ***
+
+[1] $ mkdir d -- ok
+[2] $ cd d -- ok
+[4] $ whoami -- ok
+[7] $ id -Gn daemon -- ok
+[10] $ mkdir n1 -- ok
+[11] $ touch n1/f -- ok
+[13] $ mkdir d2 d3 d4 d5 d6 d7 -- ok
+[14] $ touch d2/f d3/f d4/f d5/f d6/f d7/f d7/g -- ok
+[15] $ chown daemon d2 -- ok
+[16] $ chgrp bin d3 -- ok
+[17] $ chmod g+w d3 -- ok
+[18] $ nfs4acl --set 'daemon:wx::allow' d4 -- ok
+[19] $ nfs4acl --set 'daemon:d::allow' d5 -- ok
+[20] $ nfs4acl --set 'daemon:xd::allow' d6 -- ok
+[21] $ nfs4acl --set 'daemon:D::allow' d7/f d7/g -- ok
+[22] $ chmod 664 d7/g -- ok
+[24] $ mkdir s2 s3 s4 s5 s6 s7 -- ok
+[25] $ chmod +t s2 s3 s4 s5 s6 s7 -- ok
+[26] $ touch s2/f s3/f s4/f s5/f s6/f s7/f s7/g -- ok
+[27] $ chown daemon s2 -- ok
+[28] $ chgrp bin s3 -- ok
+[29] $ chmod g+w s3 -- ok
+[30] $ nfs4acl --set 'daemon:wx::allow' s4 -- ok
+[31] $ nfs4acl --set 'daemon:d::allow' s5 -- ok
+[32] $ nfs4acl --set 'daemon:xd::allow' s6 -- ok
+[33] $ nfs4acl --set 'daemon:D::allow' s7/f -- ok
+[34] $ nfs4acl --set 'daemon:D::allow' s7/g s7/g -- ok
+[35] $ chmod 664 s7/g -- ok
+[37] $ su daemon -- ok
+[40] $ rm n1/f -- ok
+[44] $ rm d2/f s2/f -- ok
+[48] $ rm d3/f s3/f -- ok
+[53] $ rm d4/f s4/f -- ok
+[58] $ rm d5/f s5/f -- ok
+[64] $ rm d6/f s6/f -- ok
+[68] $ rm d7/f s7/f -- ok
+[71] $ rm d7/g s7/g -- ok
+[75] $ su -- ok
+[76] $ cd .. -- ok
+[77] $ rm -rf d -- ok
+40 commands (40 passed, 0 failed)
+
+*** nfs4acl/unrepresentable.test ***
+
+[4] $ rm -rf d -- ok
+[5] $ mkdir d -- ok
+[6] $ cd d -- ok
+[8] $ touch x -- ok
+[10] $ nfs4acl --set 'group@:rw::allow' x -- ok
+[11] $ chmod 600 x -- ok
+[12] $ ls -l x | cut -d ' ' -f 1 -- ok
+[14] $ nfs4acl --get x -- ok
+[17] $ rm -f x -- ok
+[19] $ cd .. -- ok
+[20] $ rm -rf d -- ok
+11 commands (11 passed, 0 failed)
+
+*** nfs4acl/write-vs-append.test ***
+
+[1] $ mkdir d -- ok
+[2] $ cd d -- ok
+[4] $ whoami -- ok
+[7] $ touch a b c d e f -- ok
+[8] $ nfs4acl --set 'owner@:*::allow' a -- ok
+[9] $ nfs4acl --set 'owner@:*::allow bin:w::allow' b -- ok
+[10] $ nfs4acl --set 'owner@:*::allow bin:a::allow' c -- ok
+[11] $ nfs4acl --set 'owner@:*::allow bin:wa::allow' d -- ok
+[12] $ nfs4acl --set 'bin:a::deny owner@:*::allow bin:w::allow' e -- ok
+[13] $ nfs4acl --set 'bin:w::deny owner@:*::allow bin:a::allow' f -- ok
+[15] $ su bin -- ok
+[16] $ echo a > a -- ok
+[18] $ echo b > b -- ok
+[19] $ echo c > c -- ok
+[21] $ echo d > d -- ok
+[22] $ echo e > e -- ok
+[23] $ echo f > f -- ok
+[26] $ echo A >> a -- ok
+[28] $ echo B >> b -- ok
+[30] $ echo C >> c -- ok
+[31] $ echo D >> d -- ok
+[32] $ echo E >> e -- ok
+[34] $ echo F >> f -- ok
+[36] $ su -- ok
+[37] $ cat a b c d e f -- ok
+[45] $ cd .. -- ok
+[46] $ rm -rf d -- ok
+27 commands (27 passed, 0 failed)
@@ -284,3 +284,4 @@ mount		tes@sgi.com
 188 ci dir auto
 189 mount auto
 190 rw auto
+191 nfs4acl
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2008 Silicon Graphics, Inc.  All Rights Reserved.
+#
+
+TOPDIR = ..
+include $(TOPDIR)/include/builddefs
+
+LSRCFILES = run \
+	    apply-mask.test chmod.test computed-mode.test ctime.test \
+	    unrepresentable.test basic.test chown.test create.test \
+	    delete.test write-vs-append.test
+
+include $(BUILDRULES)
+
+default install install-dev install-lib:
@@ -0,0 +1,143 @@
+$ rm -rf d
+$ mkdir d
+$ cd d
+
+$ touch x
+
+$ nfs4acl --set 'owner@:rw::allow group@:rw::allow everyone@:r::allow' x
+$ nfs4acl --get x
+> x:
+> owner@:rw::allow
+> group@:rw::allow
+> everyone@:r::allow
+>
+
+$ nfs4acl --set 'everyone@:w::allow owner@:r::allow group@:r::allow' x
+$ chmod 664 x
+$ nfs4acl --get x
+> x:
+> owner@:rw::allow
+> group@:rw::allow
+>
+
+$ nfs4acl --set 'everyone@:w::deny owner@:rw::allow group@:rw::allow' x
+$ chmod 664 x
+$ nfs4acl --get x
+> x:
+> owner@:r::allow
+> group@:r::allow
+>
+
+$ nfs4acl --set 'owner@:rwmo::allow' x
+$ nfs4acl --get x
+> x:
+> owner@:rwmo::allow
+>
+
+$ chmod 644 x
+$ nfs4acl --get x
+> x:
+> owner@:rw::allow
+>
+
+$ nfs4acl --set 'root:rw::allow' x
+$ chmod 664 x
+$ nfs4acl --get x
+> x:
+> root:rw::allow
+>
+
+$ chmod 644 x
+$ nfs4acl --get x
+> x:
+> root:r::allow
+>
+
+$ chmod 664 x
+$ nfs4acl --get x
+> x:
+> root:rw::allow
+>
+
+$ nfs4acl --set 'root:rw::allow everyone@:r::allow' x
+$ chmod 664 x
+$ nfs4acl --get x
+> x:
+> root:rw::allow
+> everyone@:r::allow
+>
+
+$ nfs4acl --set 'root:r::allow everyone@:rw::allow' x
+$ chmod 664 x
+$ nfs4acl --get x
+> x:
+> root:rw::allow
+> owner@:rw::allow
+> group@:rw::allow
+> everyone@:r::allow
+>
+
+$ nfs4acl --set 'root:w::deny everyone@:rw::allow' x
+$ chmod 664 x
+$ nfs4acl --get x
+> x:
+> root:w::deny
+> owner@:rw::allow
+> group@:rw::allow
+> root:r::allow
+> everyone@:r::allow
+>
+
+$ nfs4acl --set 'root:rw::allow root:w::deny everyone@:rw::allow' x
+$ chmod 664 x
+$ nfs4acl --get x
+> x:
+> root:rw::allow
+> root:w::deny
+> owner@:rw::allow
+> group@:rw::allow
+> everyone@:r::allow
+>
+
+$ nfs4acl --set 'everyone@:rw::allow' x
+$ chmod 066 x
+$ nfs4acl --get x
+> x:
+> owner@:rw::deny
+> everyone@:rw::allow
+> 
+
+$ chmod 006 x
+$ nfs4acl --get x
+> x:
+> owner@:rw::deny
+> group@:rw::deny
+> everyone@:rw::allow
+> 
+
+$ chmod 606 x
+$ nfs4acl --get x
+> x:
+> group@:rw::deny
+> everyone@:rw::allow
+> 
+
+$ nfs4acl --set 'root:rw::allow everyone@:rw::allow' x
+$ chmod 606 x
+$ nfs4acl --get x
+> x:
+> group@:rw::deny
+> everyone@:rw::allow
+> 
+
+$ chmod 646 x
+$ nfs4acl --get x
+> x:
+> root:r::allow
+> group@:w::deny
+> root:w::deny
+> everyone@:rw::allow
+> 
+
+$ cd ..
+$ rm -rf d
@@ -0,0 +1,70 @@
+$ rm -rf d
+$ mkdir d
+$ cd d
+
+$ chown bin .
+$ su bin
+
+$ touch x
+$ nfs4acl --set 'everyone@:rw::allow' x
+$ ls -l x | cut -d ' ' -f 1
+> -rw-rw-rw-
+
+$ nfs4acl --get x
+> x:
+> everyone@:rw::allow
+>
+
+$ chmod 664 x
+$ ls -l x | cut -d ' ' -f 1
+> -rw-rw-r--
+
+$ nfs4acl --get x
+> x:
+> owner@:rw::allow
+> group@:rw::allow
+> everyone@:r::allow
+>
+
+$ mkdir sub 
+$ nfs4acl --set 'everyone@:rwax:fd:allow' sub
+$ ls -dl sub | cut -d ' ' -f 1
+> drwxrwxrwx
+
+$ nfs4acl --get sub
+> sub:
+> everyone@:rwax:fd:allow
+>
+
+$ chmod 775 sub
+$ ls -dl sub | cut -d ' ' -f 1
+> drwxrwxr-x
+$ nfs4acl --get sub
+> sub:
+> owner@:rwax::allow
+> group@:rwax::allow
+> everyone@:rwax:fdi:allow
+> everyone@:rx::allow
+>
+
+$ touch sub/f
+$ ls -l sub/f | cut -d ' ' -f 1
+> -rw-rw-rw-
+
+$ nfs4acl --get sub/f
+> sub/f:
+> everyone@:rwa::allow
+>
+
+$ mkdir sub/sub2
+$ ls -dl sub/sub2 | cut -d ' ' -f 1
+> drwxrwxrwx
+
+$ nfs4acl --get sub/sub2
+> sub/sub2:
+> everyone@:rwax:fd:allow
+>
+
+$ su
+$ cd ..
+$ rm -rf d
@@ -0,0 +1,31 @@
+$ mkdir d
+$ cd d
+
+$ whoami
+> root
+
+$ touch a
+	
+Neet to have write_acl permission to chmod or set the acl:
+	$ su bin
+	$ chmod 666 a
+	> chmod: changing permissions of `a': Operation not permitted
+	$ nfs4acl --set 'bin:rwM::allow' a
+	> a: Operation not permitted
+	
+$ su
+$ nfs4acl --set 'bin:rwm::allow' a
+	
+Can set the acl now:
+	$ su bin
+	$ nfs4acl --set 'bin:rwm::allow' a
+	
+A chmod limits the permissions to the specified mode, which always disables
+write_acl:
+	$ chmod 666 a
+	$ nfs4acl --set 'bin:rwm::allow' a
+	> a: Operation not permitted
+
+$ su
+$ cd ..
+$ rm -rf d
@@ -0,0 +1,63 @@
+$ mkdir d
+$ cd d
+
+$ whoami
+> root
+
+$ id -Gn daemon
+> daemon bin
+
+$ touch a
+
+Chown and chgrp with no take ownership permission fails:
+	$ su daemon
+	$ chown daemon a
+	> chown: changing ownership of `a': Operation not permitted
+	$ chgrp daemon a
+	> chgrp: changing group of `a': Operation not permitted
+	$ nfs4acl --set 'daemon:rwo::allow' a
+	> a: Operation not permitted
+
+Add the take_ownership permission. This is reflected in the file masks; the
+file mode cannot show this though:
+	$ su
+	$ nfs4acl --set 'daemon:rwo::allow' a
+
+Chown and chgrp to an arbitrary other user or group fails:
+	$ su daemon
+	$ chown root a
+	> chown: changing ownership of `a': Operation not permitted
+	$ chgrp root a
+	> chgrp: changing group of `a': Operation not permitted
+
+Changing the mode makes that an upper bound of the permissions granted, even
+when the file mode stays the same:
+	$ su
+	$ ls -l a | cut -d ' ' -f1
+	> -rw-rw----
+	$ chmod 660 a
+
+Chown and chgrp to the same user or a group the process is in now fails
+because the masks now do not grant change_ownership access:
+	$ su daemon
+	$ chown daemon a
+	> chown: changing ownership of `a': Operation not permitted
+	$ chgrp daemon a
+	> chgrp: changing group of `a': Operation not permitted
+	$ chgrp bin a
+	> chgrp: changing group of `a': Operation not permitted
+
+Add back change_ownership:
+	$ su
+	$ nfs4acl --set 'daemon:rwo::allow' a
+
+Now, chgrp to one of the groups the process is in and chown to the same user
+succeeds:
+	$ su daemon
+	$ chgrp daemon a
+	$ chgrp bin a
+	$ chown daemon a
+
+$ su
+$ cd ..
+$ rm -rf d
@@ -0,0 +1,62 @@
+$ rm -rf d
+$ mkdir d
+$ cd d
+
+$ mkdir e
+
+$ nfs4acl --set 'owner@:rwx:f:allow' e
+$ touch e/f
+$ ls -l e/f | cut -d ' ' -f 1
+> -rw-------
+$ rm e/f
+
+$ nfs4acl --set 'group@:rwx:f:allow' e
+$ touch e/f
+$ ls -l e/f | cut -d ' ' -f 1
+> -rw-rw----
+$ rm e/f
+
+$ nfs4acl --set 'everyone@:rwx:f:allow' e
+$ touch e/f
+$ ls -l e/f | cut -d ' ' -f 1
+> -rw-rw-rw-
+$ rm e/f
+
+$ nfs4acl --set 'owner@:rwx:f:allow root:rx:f:deny root:rx:f:allow' e
+$ touch e/f
+$ ls -l e/f | cut -d ' ' -f 1
+> -rw-------
+$ rm e/f
+
+$ nfs4acl --set 'owner@:rwx::allow everyone@:w:fi:deny everyone@:rwx:fi:allow' e
+$ touch e/f
+$ ls -l e/f | cut -d ' ' -f 1
+> -r--r--r--
+$ rm e/f
+
+$ nfs4acl --set 'owner@:rwx::allow root:rx:fi:deny root:rx:fi:allow' e
+$ touch e/f
+$ ls -l e/f | cut -d ' ' -f 1
+> ----------
+$ rm e/f
+
+$ nfs4acl --set 'owner@:rx:fi:allow group@:rwx:fi:deny everyone@:rwx:f:allow' e
+$ touch e/f
+$ ls -l e/f | cut -d ' ' -f 1
+> -rw----rw-
+$ rm e/f
+
+$ nfs4acl --set 'owner@:rx:fi:allow root:rwx:fi:deny everyone@:rwx:f:allow' e
+$ touch e/f
+$ ls -l e/f | cut -d ' ' -f 1
+> -rw-rw-rw-
+$ rm e/f
+
+$ nfs4acl --set 'everyone@:w:fi:deny root:rx:fi:allow everyone@:rwx:f:allow' e
+$ touch e/f
+$ ls -l e/f | cut -d ' ' -f 1
+> -r--r--r--
+$ rm e/f
+
+$ cd ..
+$ rm -rf d
@@ -0,0 +1,35 @@
+$ mkdir d
+$ cd d
+
+$ whoami
+> root
+
+$ mkdir d1 d2 d3 d4
+$ nfs4acl --set 'daemon:wx::allow' d2
+$ nfs4acl --set 'daemon:ax::allow' d3
+$ nfs4acl --set 'daemon:wax::allow' d4
+
+$ su daemon
+
+Cannot create files or directories without permissions:
+	$ touch d1/f
+	> touch: cannot touch `d1/f': Permission denied
+	$ mkdir d1/d
+	> mkdir: cannot create directory `d1/d': Permission denied
+
+Can create files with add_file (w) permission:
+	$ touch d2/f
+	$ mkdir d2/d
+	> mkdir: cannot create directory `d2/d': Permission denied
+
+Can create directories with add_subdirectory (p) permission:
+	$ touch d3/f
+	> touch: cannot touch `d3/f': Permission denied
+	$ mkdir d3/d
+
+Both permissions at the same time:
+	$ touch d4/f
+	$ mkdir d4/d
+$ su
+$ cd ..
+$ rm -rf d
@@ -0,0 +1,36 @@
+$ mkdir d
+$ cd d
+
+$ whoami
+> root
+
+$ touch a b
+$ sleep 1
+
+Without write access, the ctime cannot be changed.
+	$ su bin
+	$ touch a
+	> touch: cannot touch `a': Permission denied
+
+With write access, the ctime can be set to the current time, but not to
+any other time:
+	$ su
+	$ nfs4acl --set 'bin:rw::allow' a
+
+	$ su bin
+	$ touch a
+	$ [ b -ot a ] || echo 'b should be older than a'
+	$ touch -r b a
+	> touch: setting times of `a': Operation not permitted
+
+With set_attributes access, the ctime can be set to an arbitrary time:
+	$ su
+	$ nfs4acl --set 'bin:rwt::allow' a
+
+	$ su bin
+	$ touch -r b a
+	$ [ b -ot a -o a -ot b ] && echo 'a should be as old as b'
+
+$ su
+$ cd ..
+$ rm -rf d
@@ -0,0 +1,77 @@
+$ mkdir d
+$ cd d
+
+$ whoami
+> root
+
+$ id -Gn daemon
+> daemon bin
+
+$ mkdir n1
+$ touch n1/f
+
+$ mkdir d2 d3 d4 d5 d6 d7
+$ touch d2/f d3/f d4/f d5/f d6/f d7/f d7/g
+$ chown daemon d2
+$ chgrp bin d3
+$ chmod g+w d3
+$ nfs4acl --set 'daemon:wx::allow' d4
+$ nfs4acl --set 'daemon:d::allow' d5
+$ nfs4acl --set 'daemon:xd::allow' d6
+$ nfs4acl --set 'daemon:D::allow' d7/f d7/g
+$ chmod 664 d7/g
+
+$ mkdir s2 s3 s4 s5 s6 s7
+$ chmod +t s2 s3 s4 s5 s6 s7
+$ touch s2/f s3/f s4/f s5/f s6/f s7/f s7/g
+$ chown daemon s2
+$ chgrp bin s3
+$ chmod g+w s3
+$ nfs4acl --set 'daemon:wx::allow' s4
+$ nfs4acl --set 'daemon:d::allow' s5
+$ nfs4acl --set 'daemon:xd::allow' s6
+$ nfs4acl --set 'daemon:D::allow' s7/f
+$ nfs4acl --set 'daemon:D::allow' s7/g s7/g
+$ chmod 664 s7/g
+
+$ su daemon
+
+Cannot delete files without permissions:
+	$ rm n1/f
+	> rm: cannot remove `n1/f': Permission denied
+
+Can delete files we own:
+	$ rm d2/f s2/f
+
+Cannot delete files where we are in the owning group in a non-sticky directory,
+but not in a sticky one:
+	$ rm d3/f s3/f
+	> rm: cannot remove `s3/f': Operation not permitted
+
+"Write_data/execute" access does not include delete_child access, and so this
+is not enough for deleting:
+	$ rm d4/f s4/f
+	> rm: cannot remove `d4/f': Permission denied
+	> rm: cannot remove `s4/f': Permission denied
+
+"Delete_child" access alone also is not sufficient:
+	$ rm d5/f s5/f
+	> rm: cannot remove `d5/f': Permission denied
+	> rm: cannot remove `s5/f': Permission denied
+
+"Execute/delete_child" on the directory does allow that, though, but only in
+a non-sticky directory:
+	$ rm d6/f s6/f
+	> rm: cannot remove `s6/f': Operation not permitted
+
+"Delete" on the child itself overrides the sticky check as well:
+	$ rm d7/f s7/f
+
+But Delete is not a subset of POSIX read/write, so chmod turns it off:
+	$ rm d7/g s7/g
+	> rm: cannot remove `d7/g': Permission denied
+	> rm: cannot remove `s7/g': Permission denied
+
+$ su
+$ cd ..
+$ rm -rf d
@@ -0,0 +1,298 @@
+#!/usr/bin/perl -w -U
+
+#
+# Possible improvements:
+#
+# - distinguish stdout and stderr output
+# - add environment variable like assignments
+# - run up to a specific line
+# - resume at a specific line
+#
+
+use strict;
+use FileHandle;
+use Getopt::Std;
+use POSIX qw(isatty setuid getcwd);
+use vars qw($opt_l $opt_v);
+
+no warnings qw(taint);
+
+$opt_l = ~0;  # a really huge number
+getopts('l:v');
+
+my ($OK, $FAILED) = ("ok", "failed");
+if (isatty(fileno(STDOUT))) {
+	$OK = "\033[32m" . $OK . "\033[m";
+	$FAILED = "\033[31m\033[1m" . $FAILED . "\033[m";
+}
+
+sub exec_test($$);
+sub process_test($$$$);
+
+my ($prog, $in, $out) = ([], [], []);
+my $prog_line = 0;
+my ($tests, $failed) = (0,0);
+my $lineno;
+my $width = ($ENV{COLUMNS} || 80) >> 1;
+
+for (;;) {
+  my $line = <>; $lineno++;
+  if (defined $line) {
+    # Substitute %VAR and %{VAR} with environment variables.
+    $line =~ s[%(\w+)][$ENV{$1}]eg;
+    $line =~ s[%{(\w+)}][$ENV{$1}]eg;
+  }
+  if (defined $line) {
+    if ($line =~ s/^\s*< ?//) {
+      push @$in, $line;
+    } elsif ($line =~ s/^\s*> ?//) {
+      push @$out, $line;
+    } else {
+      process_test($prog, $prog_line, $in, $out);
+      last if $prog_line >= $opt_l;
+
+      $prog = [];
+      $prog_line = 0;
+    }
+    if ($line =~ s/^\s*\$ ?//) {
+      $line =~ s/\s+#.*//;  # remove comments here...
+      $prog = [ map { s/\\(.)/$1/g; $_ } split /(?<!\\)\s+/, $line ];
+      $prog_line = $lineno;
+      $in = [];
+      $out = [];
+    }
+  } else {
+    process_test($prog, $prog_line, $in, $out);
+    last;
+  }
+}
+
+my $status = sprintf("%d commands (%d passed, %d failed)",
+	$tests, $tests-$failed, $failed);
+if (isatty(fileno(STDOUT))) {
+	if ($failed) {
+		$status = "\033[31m\033[1m" . $status . "\033[m";
+	} else {
+		$status = "\033[32m" . $status . "\033[m";
+	}
+}
+print $status, "\n";
+exit $failed ? 1 : 0;
+
+
+sub process_test($$$$) {
+  my ($prog, $prog_line, $in, $out) = @_;
+
+  return unless @$prog;
+
+       my $p = [ @$prog ];
+       print "[$prog_line] \$ ", join(' ',
+             map { s/\s/\\$&/g; $_ } @$p), " -- ";
+       my $result = exec_test($prog, $in);
+       my @good = ();
+       my $nmax = (@$out > @$result) ? @$out : @$result;
+       for (my $n=0; $n < $nmax; $n++) {
+	   my $use_re;
+	   if (defined $out->[$n] && $out->[$n] =~ /^~ /) {
+		$use_re = 1;
+		$out->[$n] =~ s/^~ //g;
+	   }
+
+           if (!defined($out->[$n]) || !defined($result->[$n]) ||
+               (!$use_re && $result->[$n] ne $out->[$n]) ||
+               ( $use_re && $result->[$n] !~ /^$out->[$n]/)) {
+               push @good, ($use_re ? '!~' : '!=');
+	   }
+	   else {
+               push @good, ($use_re ? '=~' : '==');
+           }
+       }
+       my $good = !(grep /!/, @good);
+       $tests++;
+       $failed++ unless $good;
+       print $good ? $OK : $FAILED, "\n";
+       if (!$good || $opt_v) {
+         for (my $n=0; $n < $nmax; $n++) {
+	   my $l = defined($out->[$n]) ? $out->[$n] : "~";
+	   chomp $l;
+	   my $r = defined($result->[$n]) ? $result->[$n] : "~";
+	   chomp $r;
+	   print sprintf("%-" . ($width-3) . "s %s %s\n",
+			 $r, $good[$n], $l);
+         }
+       }
+}
+
+
+sub su($) {
+  my ($user) = @_;
+
+  $user ||= "root";
+
+  my ($login, $pass, $uid, $gid) = getpwnam($user)
+    or return [ "su: user $user does not exist\n" ];
+  my @groups = ();
+  my $fh = new FileHandle("/etc/group")
+    or return [ "opening /etc/group: $!\n" ];
+  while (<$fh>) {
+    chomp;
+    my ($group, $passwd, $gid, $users) = split /:/;
+    foreach my $u (split /,/, $users) {
+      push @groups, $gid
+	if ($user eq $u);
+    }
+  }
+  $fh->close;
+
+  my $groups = join(" ", ($gid, $gid, @groups));
+  #print STDERR "[[$groups]]\n";
+  $! = 0;  # reset errno
+  $> = 0;
+  $( = $gid;
+  $) = $groups;
+  if ($!) {
+    return [ "su: $!\n" ];
+  }
+  if ($uid != 0) {
+    $> = $uid;
+    #$< = $uid;
+    if ($!) {
+      return [ "su: $prog->[1]: $!\n" ];
+    }
+  }
+  #print STDERR "[($>,$<)($(,$))]";
+  return [];
+}
+
+
+sub sg($) {
+  my ($group) = @_;
+
+  my $gid = getgrnam($group)
+    or return [ "sg: group $group does not exist\n" ];
+  my %groups = map { $_ eq $gid ? () : ($_ => 1) } (split /\s/, $));
+  
+  #print STDERR "<<", join("/", keys %groups), ">>\n";
+  my $groups = join(" ", ($gid, $gid, keys %groups));
+  #print STDERR "[[$groups]]\n";
+  $! = 0;  # reset errno
+  if ($> != 0) {
+	  my $uid = $>;
+	  $> = 0;
+	  $( = $gid;
+	  $) = $groups;
+	  $> = $uid;
+  } else {
+	  $( = $gid;
+	  $) = $groups;
+  }
+  if ($!) {
+    return [ "sg: $!\n" ];
+  }
+  print STDERR "[($>,$<)($(,$))]";
+  return [];
+}
+
+
+sub exec_test($$) {
+  my ($prog, $in) = @_;
+  local (*IN, *IN_DUP, *IN2, *OUT_DUP, *OUT, *OUT2);
+  my $needs_shell = (join('', @$prog) =~ /[][|<>"'`\$\*\?]/);
+
+  if ($prog->[0] eq "umask") {
+    umask oct $prog->[1];
+    return [];
+  } elsif ($prog->[0] eq "cd") {
+    if (!chdir $prog->[1]) {
+      return [ "chdir: $prog->[1]: $!\n" ];
+    }
+    $ENV{PWD} = getcwd;
+    return [];
+  } elsif ($prog->[0] eq "su") {
+    return su($prog->[1]);
+  } elsif ($prog->[0] eq "sg") {
+    return sg($prog->[1]);
+  } elsif ($prog->[0] eq "export") {
+    my ($name, $value) = split /=/, $prog->[1];
+    # FIXME: need to evaluate $value, so that things like this will work:
+    # export dir=$PWD/dir
+    $ENV{$name} = $value;
+    return [];
+  } elsif ($prog->[0] eq "unset") {
+    delete $ENV{$prog->[1]};
+    return [];
+  }
+
+  pipe *IN2, *OUT
+    or die "Can't create pipe for reading: $!";
+  open *IN_DUP, "<&STDIN"
+    or *IN_DUP = undef;
+  open *STDIN, "<&IN2"
+    or die "Can't duplicate pipe for reading: $!";
+  close *IN2;
+
+  open *OUT_DUP, ">&STDOUT"
+    or die "Can't duplicate STDOUT: $!";
+  pipe *IN, *OUT2
+    or die "Can't create pipe for writing: $!";
+  open *STDOUT, ">&OUT2"
+    or die "Can't duplicate pipe for writing: $!";
+  close *OUT2;
+
+  *STDOUT->autoflush();
+  *OUT->autoflush();
+
+  if (fork()) {
+    # Server
+    if (*IN_DUP) {
+      open *STDIN, "<&IN_DUP"
+        or die "Can't duplicate STDIN: $!";
+      close *IN_DUP
+        or die "Can't close STDIN duplicate: $!";
+    }
+    open *STDOUT, ">&OUT_DUP"
+      or die "Can't duplicate STDOUT: $!";
+    close *OUT_DUP
+      or die "Can't close STDOUT duplicate: $!";
+
+    foreach my $line (@$in) {
+      #print "> $line";
+      print OUT $line;
+    }
+    close *OUT
+      or die "Can't close pipe for writing: $!";
+
+    my $result = [];
+    while (<IN>) {
+      #print "< $_";
+      if ($needs_shell) {
+	s#^/bin/sh: line \d+: ##;
+      }
+      push @$result, $_;
+    }
+    return $result;
+  } else {
+    # Client
+    $< = $>;
+    close IN
+      or die "Can't close read end for input pipe: $!";
+    close OUT
+      or die "Can't close write end for output pipe: $!";
+    close OUT_DUP
+      or die "Can't close STDOUT duplicate: $!";
+    local *ERR_DUP;
+    open ERR_DUP, ">&STDERR"
+      or die "Can't duplicate STDERR: $!";
+    open STDERR, ">&STDOUT"
+      or die "Can't join STDOUT and STDERR: $!";
+
+    if ($needs_shell) {
+      exec ('/bin/sh', '-c', join(" ", @$prog));
+    } else {
+      exec @$prog;
+    }
+    print STDERR $prog->[0], ": $!\n";
+    exit;
+  }
+}
+
@@ -0,0 +1,20 @@
+Test cases for (acl, masks) pairs that cannot be represented as
+pure ACLs
+
+$ rm -rf d
+$ mkdir d
+$ cd d
+
+$ touch x
+
+$ nfs4acl --set 'group@:rw::allow' x
+$ chmod 600 x
+$ ls -l x | cut -d ' ' -f 1
+> -rw-------
+$ nfs4acl --get x
+> x:
+>
+$ rm -f x
+
+$ cd ..
+$ rm -rf d
@@ -0,0 +1,46 @@
+$ mkdir d
+$ cd d
+
+$ whoami
+> root
+
+$ touch a b c d e f
+$ nfs4acl --set 'owner@:*::allow' a
+$ nfs4acl --set 'owner@:*::allow bin:w::allow' b
+$ nfs4acl --set 'owner@:*::allow bin:a::allow' c
+$ nfs4acl --set 'owner@:*::allow bin:wa::allow' d
+$ nfs4acl --set 'bin:a::deny owner@:*::allow bin:w::allow' e
+$ nfs4acl --set 'bin:w::deny owner@:*::allow bin:a::allow' f
+
+$ su bin
+$ echo a > a
+> /bin/sh: a: Permission denied
+$ echo b > b
+$ echo c > c
+> /bin/sh: c: Permission denied
+$ echo d > d
+$ echo e > e
+$ echo f > f
+> /bin/sh: f: Permission denied
+
+$ echo A >> a
+> /bin/sh: a: Permission denied
+$ echo B >> b
+> /bin/sh: b: Permission denied
+$ echo C >> c
+$ echo D >> d
+$ echo E >> e
+> /bin/sh: e: Permission denied
+$ echo F >> f
+
+$ su
+$ cat a b c d e f
+> b
+> C
+> d
+> D
+> e
+> F
+
+$ cd ..
+$ rm -rf d