Am 14.06.2021 um 16:44 hat Max Reitz geschrieben: > We cannot reasonably test the main point of allow-other, which is to > allow users other than the current one to access the FUSE export, > because that would require access to sudo, which this test most likely > will not have. (Also, we would need to figure out some user/group that > is on the machine and that is not the current user/group, which may > become a bit hairy.) > > But we can test some byproducts: First, whether changing permissions > works (our FUSE code only allows so for allow-other=true), and second, > whether the kernel applies permission checks with allow-other=true > (because that implies default_permissions). > > Signed-off-by: Max Reitz <mre...@redhat.com>
This seems to have the problem that you mentioned: --- /home/kwolf/source/qemu/tests/qemu-iotests/308.out +++ 308.out.bad @@ -205,7 +205,9 @@ 'writable': true, 'allow-other': true } } -{"return": {}} +fusermount3: option allow_other only allowed if 'user_allow_other' is set in /etc/fuse.conf +{"error": {"class": "GenericError", "desc": "Failed to mount FUSE session to export"}} +Timeout waiting for return on handle 2 (Invoking chmod) Permissions post-chmod: 666 (Removing all permissions) Maybe it should be a separate test case that is skipped with user_allow_other is disabled. > tests/qemu-iotests/308 | 91 ++++++++++++++++++++++++++++++++++++++ > tests/qemu-iotests/308.out | 47 ++++++++++++++++++++ > 2 files changed, 138 insertions(+) > > diff --git a/tests/qemu-iotests/308 b/tests/qemu-iotests/308 > index f122065d0f..1b2f908947 100755 > --- a/tests/qemu-iotests/308 > +++ b/tests/qemu-iotests/308 > @@ -334,6 +334,97 @@ echo '=== Compare copy with original ===' > > $QEMU_IMG compare -f raw -F $IMGFMT "$COPIED_IMG" "$TEST_IMG" > > +echo > +echo '=== Test permissions ===' > + > +# Test that you can only change permissions on the export with > allow-other=true. > +# We cannot really test the primary reason behind allow-other (i.e. to allow > +# users other than the current one access to the export), because for that we > +# would need sudo, which realistically nobody will allow this test to use. > +# What we can do is test that allow-other=true also enables > default_permissions, > +# i.e. whether we can still read from the file if we remove the read > permission. We already have other test cases that use sudo if available. Though I guess it means that these tests aren't run very often. Kevin