From e0808db2da9673a79f3b51ff2bbb0e005ab6a83d Mon Sep 17 00:00:00 2001
From: Andreas Rogge <andreas.rogge@bareos.com>
Date: Wed, 19 Aug 2020 16:39:54 +0200
Subject: [PATCH] systemtests: add acl test

A simple test to check whether attributes set with setfacl are backed
up and restored properly.
---
 cmake/BareosCheckAcl.cmake                    | 34 +++++++++
 systemtests/CMakeLists.txt                    |  7 ++
 .../bareos-dir.d/catalog/MyCatalog.conf.in    |  8 +++
 .../bareos-dir.d/client/bareos-fd.conf.in     |  7 ++
 .../bareos-dir.d/console/bareos-mon.conf.in   |  7 ++
 .../bareos-dir.d/director/bareos-dir.conf.in  | 27 +++++++
 .../bareos-dir.d/fileset/Catalog.conf.in      | 11 +++
 .../bareos-dir.d/fileset/SelfTest.conf.in     | 10 +++
 .../bareos-dir.d/job/BackupCatalog.conf.in    | 20 ++++++
 .../bareos-dir.d/job/RestoreFiles.conf.in     | 11 +++
 .../bareos-dir.d/job/backup-bareos-fd.conf.in |  5 ++
 .../bareos-dir.d/jobdefs/DefaultJob.conf.in   | 15 ++++
 .../bareos-dir.d/messages/Daemon.conf.in      |  7 ++
 .../bareos-dir.d/messages/Standard.conf.in    |  7 ++
 .../bareos-dir.d/pool/Differential.conf       | 10 +++
 .../etc/bareos/bareos-dir.d/pool/Full.conf    | 10 +++
 .../bareos/bareos-dir.d/pool/Incremental.conf | 10 +++
 .../etc/bareos/bareos-dir.d/pool/Scratch.conf |  4 ++
 .../bareos/bareos-dir.d/profile/operator.conf | 18 +++++
 .../bareos/bareos-dir.d/storage/File.conf.in  |  8 +++
 .../bareos/bareos-fd.d/client/myself.conf.in  | 20 ++++++
 .../bareos-fd.d/director/bareos-dir.conf.in   |  5 ++
 .../bareos-fd.d/director/bareos-mon.conf.in   |  6 ++
 .../bareos/bareos-fd.d/messages/Standard.conf |  5 ++
 .../bareos-sd.d/device/FileStorage.conf       | 11 +++
 .../bareos-sd.d/director/bareos-dir.conf.in   |  5 ++
 .../bareos-sd.d/director/bareos-mon.conf.in   |  6 ++
 .../bareos/bareos-sd.d/messages/Standard.conf |  5 ++
 .../bareos-sd.d/storage/bareos-sd.conf.in     | 14 ++++
 .../tests/acl/etc/bareos/bconsole.conf.in     | 10 +++
 systemtests/tests/acl/testrunner              | 71 +++++++++++++++++++
 31 files changed, 394 insertions(+)
 create mode 100644 cmake/BareosCheckAcl.cmake
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/catalog/MyCatalog.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/client/bareos-fd.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/console/bareos-mon.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/director/bareos-dir.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/fileset/Catalog.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/fileset/SelfTest.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/job/BackupCatalog.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/job/RestoreFiles.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/job/backup-bareos-fd.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/jobdefs/DefaultJob.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/messages/Daemon.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/messages/Standard.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Differential.conf
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Full.conf
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Incremental.conf
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Scratch.conf
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/profile/operator.conf
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-dir.d/storage/File.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-fd.d/client/myself.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-fd.d/director/bareos-dir.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-fd.d/director/bareos-mon.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-fd.d/messages/Standard.conf
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-sd.d/device/FileStorage.conf
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-sd.d/director/bareos-dir.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-sd.d/director/bareos-mon.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-sd.d/messages/Standard.conf
 create mode 100644 systemtests/tests/acl/etc/bareos/bareos-sd.d/storage/bareos-sd.conf.in
 create mode 100644 systemtests/tests/acl/etc/bareos/bconsole.conf.in
 create mode 100755 systemtests/tests/acl/testrunner

diff --git a/cmake/BareosCheckAcl.cmake b/cmake/BareosCheckAcl.cmake
new file mode 100644
index 00000000000..2d9268ab1ac
--- /dev/null
+++ b/cmake/BareosCheckAcl.cmake
@@ -0,0 +1,34 @@
+# BAREOS® - Backup Archiving REcovery Open Sourced
+#
+# Copyright (C) 2020-2020 Bareos GmbH & Co. KG
+#
+# This program is Free Software; you can redistribute it and/or modify it under
+# the terms of version three of the GNU Affero General Public License as
+# published by the Free Software Foundation and included in the file LICENSE.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+# details.
+#
+# You should have received a copy of the GNU Affero General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc., 51
+# Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+# Extract version information and commit timestamp if run in a git checkout
+
+find_program(SETFACL_PROG setfacl)
+find_program(GETFACL_PROG getfacl)
+
+set(SETFACL_WORKS NO)
+if(SETFACL_PROG AND GETFACL_PROG)
+  file(TOUCH "${CMAKE_CURRENT_BINARY_DIR}/acl-test-file.txt")
+  exec_program(${SETFACL_PROG}
+    ${CMAKE_CURRENT_BINARY_DIR}
+    ARGS "-m user:0:rw- acl-test-file.txt"
+    RETURN_VALUE SETFACL_RETURN)
+  if(SETFACL_RETURN EQUAL 0)
+    set(SETFACL_WORKS YES)
+  endif()
+endif()
+
diff --git a/systemtests/CMakeLists.txt b/systemtests/CMakeLists.txt
index 4fb78faffb3..80b93fa287b 100644
--- a/systemtests/CMakeLists.txt
+++ b/systemtests/CMakeLists.txt
@@ -684,6 +684,13 @@ else()
   list(APPEND SYSTEM_TESTS_DISABLED xattr)
 endif()
 
+include(BareosCheckAcl)
+if(SETFACL_WORKS)
+  list(APPEND SYSTEM_TESTS acl)
+else()
+  list(APPEND SYSTEM_TESTS_DISABLED acl)
+endif()
+
 if(TARGET droplet)
   list(APPEND SYSTEM_TESTS droplet-s3)
 else()
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/catalog/MyCatalog.conf.in b/systemtests/tests/acl/etc/bareos/bareos-dir.d/catalog/MyCatalog.conf.in
new file mode 100644
index 00000000000..479bc6fecbb
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/catalog/MyCatalog.conf.in
@@ -0,0 +1,8 @@
+Catalog {
+  Name = MyCatalog
+  #dbdriver = "@DEFAULT_DB_TYPE@"
+  dbdriver = "XXX_REPLACE_WITH_DATABASE_DRIVER_XXX"
+  dbname = "@db_name@"
+  dbuser = "@db_user@"
+  dbpassword = "@db_password@"
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/client/bareos-fd.conf.in b/systemtests/tests/acl/etc/bareos/bareos-dir.d/client/bareos-fd.conf.in
new file mode 100644
index 00000000000..59b61700966
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/client/bareos-fd.conf.in
@@ -0,0 +1,7 @@
+Client {
+  Name = bareos-fd
+  Description = "Client resource of the Director itself."
+  Address = @hostname@
+  Password = "@fd_password@"          # password for FileDaemon
+  FD PORT = @fd_port@
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/console/bareos-mon.conf.in b/systemtests/tests/acl/etc/bareos/bareos-dir.d/console/bareos-mon.conf.in
new file mode 100644
index 00000000000..d276adcb87d
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/console/bareos-mon.conf.in
@@ -0,0 +1,7 @@
+Console {
+  Name = bareos-mon
+  Description = "Restricted console used by tray-monitor to get the status of the director."
+  Password = "@mon_dir_password@"
+  CommandACL = status, .status
+  JobACL = *all*
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/director/bareos-dir.conf.in b/systemtests/tests/acl/etc/bareos/bareos-dir.d/director/bareos-dir.conf.in
new file mode 100644
index 00000000000..33b3a426e3a
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/director/bareos-dir.conf.in
@@ -0,0 +1,27 @@
+Director {                            # define myself
+  Name = bareos-dir
+  QueryFile = "@scriptdir@/query.sql"
+  Maximum Concurrent Jobs = 10
+  Password = "@dir_password@"         # Console password
+  Messages = Daemon
+  Auditing = yes
+
+  # Enable the Heartbeat if you experience connection losses
+  # (eg. because of your router or firewall configuration).
+  # Additionally the Heartbeat can be enabled in bareos-sd and bareos-fd.
+  #
+  # Heartbeat Interval = 1 min
+
+  # remove comment in next line to load dynamic backends from specified directory
+  Backend Directory = @backenddir@
+
+  # remove comment from "Plugin Directory" to load plugins from specified directory.
+  # if "Plugin Names" is defined, only the specified plugins will be loaded,
+  # otherwise all director plugins (*-dir.so) from the "Plugin Directory".
+  #
+  # Plugin Directory = "@python_plugin_module_src_dir@"
+  # Plugin Names = ""
+  Working Directory =  "@working_dir@"
+  Pid Directory =  "@piddir@"
+  DirPort = @dir_port@
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/fileset/Catalog.conf.in b/systemtests/tests/acl/etc/bareos/bareos-dir.d/fileset/Catalog.conf.in
new file mode 100644
index 00000000000..c7cdc433fe1
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/fileset/Catalog.conf.in
@@ -0,0 +1,11 @@
+FileSet {
+  Name = "Catalog"
+  Description = "Backup the catalog dump and Bareos configuration files."
+  Include {
+    Options {
+      signature = MD5
+    }
+    File = "@working_dir@/@db_name@.sql" # database dump
+    File = "@confdir@"                   # configuration
+  }
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/fileset/SelfTest.conf.in b/systemtests/tests/acl/etc/bareos/bareos-dir.d/fileset/SelfTest.conf.in
new file mode 100644
index 00000000000..428059cba39
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/fileset/SelfTest.conf.in
@@ -0,0 +1,10 @@
+FileSet {
+  Name = "SelfTest"
+  Description = "fileset just to backup some files for selftest"
+  Include {
+    Options {
+      Signature = MD5 # calculate md5 checksum per file
+    }
+    File=@tmpdir@/file-with-acl
+  }
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/job/BackupCatalog.conf.in b/systemtests/tests/acl/etc/bareos/bareos-dir.d/job/BackupCatalog.conf.in
new file mode 100644
index 00000000000..1da2a7af657
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/job/BackupCatalog.conf.in
@@ -0,0 +1,20 @@
+Job {
+  Name = "BackupCatalog"
+  Description = "Backup the catalog database (after the nightly save)"
+  JobDefs = "DefaultJob"
+  Level = Full
+  FileSet="Catalog"
+
+  # This creates an ASCII copy of the catalog
+  # Arguments to make_catalog_backup.pl are:
+  #  make_catalog_backup.pl <catalog-name>
+  RunBeforeJob = "@scriptdir@/make_catalog_backup.pl MyCatalog"
+
+  # This deletes the copy of the catalog
+  RunAfterJob  = "@scriptdir@/delete_catalog_backup"
+
+  # This sends the bootstrap via mail for disaster recovery.
+  # Should be sent to another system, please change recipient accordingly
+  Write Bootstrap = "|@bindir@/bsmtp -h @smtp_host@ -f \"\(Bareos\) \" -s \"Bootstrap for Job %j\" @job_email@" # (#01)
+  Priority = 11                   # run after main backup
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/job/RestoreFiles.conf.in b/systemtests/tests/acl/etc/bareos/bareos-dir.d/job/RestoreFiles.conf.in
new file mode 100644
index 00000000000..89256864d9a
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/job/RestoreFiles.conf.in
@@ -0,0 +1,11 @@
+Job {
+  Name = "RestoreFiles"
+  Description = "Standard Restore template. Only one such job is needed for all standard Jobs/Clients/Storage ..."
+  Type = Restore
+  Client = bareos-fd
+  FileSet = SelfTest
+  Storage = File
+  Pool = Incremental
+  Messages = Standard
+  Where = @tmp@/bareos-restores
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/job/backup-bareos-fd.conf.in b/systemtests/tests/acl/etc/bareos/bareos-dir.d/job/backup-bareos-fd.conf.in
new file mode 100644
index 00000000000..ca1891f9620
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/job/backup-bareos-fd.conf.in
@@ -0,0 +1,5 @@
+Job {
+  Name = "backup-bareos-fd"
+  JobDefs = "DefaultJob"
+  Client = "bareos-fd"
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/jobdefs/DefaultJob.conf.in b/systemtests/tests/acl/etc/bareos/bareos-dir.d/jobdefs/DefaultJob.conf.in
new file mode 100644
index 00000000000..563126477c9
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/jobdefs/DefaultJob.conf.in
@@ -0,0 +1,15 @@
+JobDefs {
+  Name = "DefaultJob"
+  Type = Backup
+  Level = Incremental
+  Client = bareos-fd
+  FileSet = "SelfTest"
+  Storage = File
+  Messages = Standard
+  Pool = Incremental
+  Priority = 10
+  Write Bootstrap = "@working_dir@/%c.bsr"
+  Full Backup Pool = Full                  # write Full Backups into "Full" Pool
+  Differential Backup Pool = Differential  # write Diff Backups into "Differential" Pool
+  Incremental Backup Pool = Incremental    # write Incr Backups into "Incremental" Pool
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/messages/Daemon.conf.in b/systemtests/tests/acl/etc/bareos/bareos-dir.d/messages/Daemon.conf.in
new file mode 100644
index 00000000000..cf6a8cfa1e2
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/messages/Daemon.conf.in
@@ -0,0 +1,7 @@
+Messages {
+  Name = Daemon
+  Description = "Message delivery for daemon messages (no job)."
+  console = all, !skipped, !saved, !audit
+  append = "@logdir@/bareos.log" = all, !skipped, !audit
+  append = "@logdir@/bareos-audit.log" = audit
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/messages/Standard.conf.in b/systemtests/tests/acl/etc/bareos/bareos-dir.d/messages/Standard.conf.in
new file mode 100644
index 00000000000..b3556ba8c23
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/messages/Standard.conf.in
@@ -0,0 +1,7 @@
+Messages {
+  Name = Standard
+  Description = "Reasonable message delivery -- send most everything to email address and to the console."
+  console = all, !skipped, !saved, !audit
+  append = "@logdir@/bareos.log" = all, !skipped, !saved, !audit
+  catalog = all, !skipped, !saved, !audit
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Differential.conf b/systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Differential.conf
new file mode 100644
index 00000000000..25ce24821ab
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Differential.conf
@@ -0,0 +1,10 @@
+Pool {
+  Name = Differential
+  Pool Type = Backup
+  Recycle = yes                       # Bareos can automatically recycle Volumes
+  AutoPrune = yes                     # Prune expired volumes
+  Volume Retention = 90 days          # How long should the Differential Backups be kept? (#09)
+  Maximum Volume Bytes = 10G          # Limit Volume size to something reasonable
+  Maximum Volumes = 100               # Limit number of Volumes in Pool
+  Label Format = "Differential-"      # Volumes will be labeled "Differential-<volume-id>"
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Full.conf b/systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Full.conf
new file mode 100644
index 00000000000..867fc66b483
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Full.conf
@@ -0,0 +1,10 @@
+Pool {
+  Name = Full
+  Pool Type = Backup
+  Recycle = yes                       # Bareos can automatically recycle Volumes
+  AutoPrune = yes                     # Prune expired volumes
+  Volume Retention = 365 days         # How long should the Full Backups be kept? (#06)
+  Maximum Volume Bytes = 50G          # Limit Volume size to something reasonable
+  Maximum Volumes = 100               # Limit number of Volumes in Pool
+  Label Format = "Full-"              # Volumes will be labeled "Full-<volume-id>"
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Incremental.conf b/systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Incremental.conf
new file mode 100644
index 00000000000..f4dbbab6650
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Incremental.conf
@@ -0,0 +1,10 @@
+Pool {
+  Name = Incremental
+  Pool Type = Backup
+  Recycle = yes                       # Bareos can automatically recycle Volumes
+  AutoPrune = yes                     # Prune expired volumes
+  Volume Retention = 30 days          # How long should the Incremental Backups be kept?  (#12)
+  Maximum Volume Bytes = 1G           # Limit Volume size to something reasonable
+  Maximum Volumes = 100               # Limit number of Volumes in Pool
+  Label Format = "Incremental-"       # Volumes will be labeled "Incremental-<volume-id>"
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Scratch.conf b/systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Scratch.conf
new file mode 100644
index 00000000000..3a489b19871
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/pool/Scratch.conf
@@ -0,0 +1,4 @@
+Pool {
+  Name = Scratch
+  Pool Type = Scratch
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/profile/operator.conf b/systemtests/tests/acl/etc/bareos/bareos-dir.d/profile/operator.conf
new file mode 100644
index 00000000000..6edd0166dca
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/profile/operator.conf
@@ -0,0 +1,18 @@
+Profile {
+   Name = operator
+   Description = "Profile allowing normal Bareos operations."
+
+   Command ACL = !.bvfs_clear_cache, !.exit, !.sql
+   Command ACL = !configure, !create, !delete, !purge, !prune, !sqlquery, !umount, !unmount
+   Command ACL = *all*
+
+   Catalog ACL = *all*
+   Client ACL = *all*
+   FileSet ACL = *all*
+   Job ACL = *all*
+   Plugin Options ACL = *all*
+   Pool ACL = *all*
+   Schedule ACL = *all*
+   Storage ACL = *all*
+   Where ACL = *all*
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-dir.d/storage/File.conf.in b/systemtests/tests/acl/etc/bareos/bareos-dir.d/storage/File.conf.in
new file mode 100644
index 00000000000..a2622f719e2
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-dir.d/storage/File.conf.in
@@ -0,0 +1,8 @@
+Storage {
+  Name = File
+  Address = @hostname@
+  Password = "@sd_password@"
+  Device = FileStorage
+  Media Type = File
+  SD Port = @sd_port@
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-fd.d/client/myself.conf.in b/systemtests/tests/acl/etc/bareos/bareos-fd.d/client/myself.conf.in
new file mode 100644
index 00000000000..e218bf06514
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-fd.d/client/myself.conf.in
@@ -0,0 +1,20 @@
+Client {
+  Name = @basename@-fd
+  Maximum Concurrent Jobs = 20
+
+  # remove comment from "Plugin Directory" to load plugins from specified directory.
+  # if "Plugin Names" is defined, only the specified plugins will be loaded,
+  # otherwise all filedaemon plugins (*-fd.so) from the "Plugin Directory".
+  #
+  # Plugin Directory = "@python_plugin_module_src_fd@"
+  # Plugin Names = ""
+
+  # if compatible is set to yes, we are compatible with bacula
+  # if set to no, new bareos features are enabled which is the default
+  # compatible = yes
+
+  Working Directory =  "@working_dir@"
+  Pid Directory =  "@piddir@"
+  FD Port = @fd_port@
+
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-fd.d/director/bareos-dir.conf.in b/systemtests/tests/acl/etc/bareos/bareos-fd.d/director/bareos-dir.conf.in
new file mode 100644
index 00000000000..c8dc7085a45
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-fd.d/director/bareos-dir.conf.in
@@ -0,0 +1,5 @@
+Director {
+  Name = bareos-dir
+  Password = "@fd_password@"
+  Description = "Allow the configured Director to access this file daemon."
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-fd.d/director/bareos-mon.conf.in b/systemtests/tests/acl/etc/bareos/bareos-fd.d/director/bareos-mon.conf.in
new file mode 100644
index 00000000000..630c3a9abd3
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-fd.d/director/bareos-mon.conf.in
@@ -0,0 +1,6 @@
+Director {
+  Name = bareos-mon
+  Password = "@mon_fd_password@"
+  Monitor = yes
+  Description = "Restricted Director, used by tray-monitor to get the status of this file daemon."
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-fd.d/messages/Standard.conf b/systemtests/tests/acl/etc/bareos/bareos-fd.d/messages/Standard.conf
new file mode 100644
index 00000000000..97788e00573
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-fd.d/messages/Standard.conf
@@ -0,0 +1,5 @@
+Messages {
+  Name = Standard
+  Director = bareos-dir = all, !skipped, !restored
+  Description = "Send relevant messages to the Director."
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-sd.d/device/FileStorage.conf b/systemtests/tests/acl/etc/bareos/bareos-sd.d/device/FileStorage.conf
new file mode 100644
index 00000000000..11a639bc688
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-sd.d/device/FileStorage.conf
@@ -0,0 +1,11 @@
+Device {
+  Name = FileStorage
+  Media Type = File
+  Archive Device = storage
+  LabelMedia = yes;                   # lets Bareos label unlabeled media
+  Random Access = yes;
+  AutomaticMount = yes;               # when device opened, read it
+  RemovableMedia = no;
+  AlwaysOpen = no;
+  Description = "File device. A connecting Director must have the same Name and MediaType."
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-sd.d/director/bareos-dir.conf.in b/systemtests/tests/acl/etc/bareos/bareos-sd.d/director/bareos-dir.conf.in
new file mode 100644
index 00000000000..deef3360c2d
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-sd.d/director/bareos-dir.conf.in
@@ -0,0 +1,5 @@
+Director {
+  Name = bareos-dir
+  Password = "@sd_password@"
+  Description = "Director, who is permitted to contact this storage daemon."
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-sd.d/director/bareos-mon.conf.in b/systemtests/tests/acl/etc/bareos/bareos-sd.d/director/bareos-mon.conf.in
new file mode 100644
index 00000000000..e3cfdee6315
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-sd.d/director/bareos-mon.conf.in
@@ -0,0 +1,6 @@
+Director {
+  Name = bareos-mon
+  Password = "@mon_sd_password@"
+  Monitor = yes
+  Description = "Restricted Director, used by tray-monitor to get the status of this storage daemon."
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-sd.d/messages/Standard.conf b/systemtests/tests/acl/etc/bareos/bareos-sd.d/messages/Standard.conf
new file mode 100644
index 00000000000..468348e62fc
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-sd.d/messages/Standard.conf
@@ -0,0 +1,5 @@
+Messages {
+  Name = Standard
+  Director = bareos-dir = all
+  Description = "Send all messages to the Director."
+}
diff --git a/systemtests/tests/acl/etc/bareos/bareos-sd.d/storage/bareos-sd.conf.in b/systemtests/tests/acl/etc/bareos/bareos-sd.d/storage/bareos-sd.conf.in
new file mode 100644
index 00000000000..3e1723fa60c
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bareos-sd.d/storage/bareos-sd.conf.in
@@ -0,0 +1,14 @@
+Storage {
+  Name = bareos-sd
+  Maximum Concurrent Jobs = 20
+
+  # remove comment from "Plugin Directory" to load plugins from specified directory.
+  # if "Plugin Names" is defined, only the specified plugins will be loaded,
+  # otherwise all storage plugins (*-sd.so) from the "Plugin Directory".
+  #
+  # Plugin Directory = "@python_plugin_module_src_sd@"
+  # Plugin Names = ""
+  Working Directory =  "@working_dir@"
+  Pid Directory =  "@piddir@"
+  SD Port = @sd_port@
+}
diff --git a/systemtests/tests/acl/etc/bareos/bconsole.conf.in b/systemtests/tests/acl/etc/bareos/bconsole.conf.in
new file mode 100644
index 00000000000..50b647c1d71
--- /dev/null
+++ b/systemtests/tests/acl/etc/bareos/bconsole.conf.in
@@ -0,0 +1,10 @@
+#
+# Bareos User Agent (or Console) Configuration File
+#
+
+Director {
+  Name = @basename@-dir
+  DIRport = @dir_port@
+  Address = @hostname@
+  Password = "@dir_password@"
+}
diff --git a/systemtests/tests/acl/testrunner b/systemtests/tests/acl/testrunner
new file mode 100755
index 00000000000..ea6ffdd0043
--- /dev/null
+++ b/systemtests/tests/acl/testrunner
@@ -0,0 +1,71 @@
+#!/bin/sh
+set -e
+#
+# Run a simple backup
+#   then restore it.
+#
+TestName="$(basename "$(pwd)")"
+export TestName
+
+JobName=backup-bareos-fd
+
+#shellcheck source=../environment.in
+. ./environment
+
+#shellcheck source=../scripts/functions
+. "${rscripts}"/functions
+"${rscripts}"/cleanup
+"${rscripts}"/setup
+
+
+# Directory to backup.
+# This directory will be created by setup_data "$@"().
+BackupDirectory="${tmp}/data"
+BackupFile="${tmp}/file-with-acl"
+RestoreFile="${tmp}/bareos-restores/${BackupFile}"
+
+acl_should="${tmp}/acl_should.txt"
+acl_is="${tmp}/acl_is.txt"
+
+mkdir -p "${BackupDirectory}"
+touch "${BackupFile}"
+setfacl -m user:0:r-x "${BackupFile}"
+getfacl "${BackupFile}" | grep -vF file: >"$acl_should"
+
+start_test
+
+cat <<END_OF_DATA >$tmp/bconcmds
+@$out /dev/null
+messages
+@$out $tmp/log1.out
+label volume=TestVolume001 storage=File pool=Full
+setdebug level=1000 client=bareos-fd trace=1
+run job=$JobName yes
+status director
+status client
+status storage=File
+wait
+messages
+@#
+@# now do a restore
+@#
+@$out $tmp/log2.out
+wait
+restore client=bareos-fd fileset=SelfTest where=$tmp/bareos-restores select all done
+yes
+wait
+messages
+quit
+END_OF_DATA
+
+run_bareos "$@"
+check_for_zombie_jobs storage=File
+stop_bareos
+
+check_two_logs
+
+getfacl "${RestoreFile}" | grep -vF file: >"$acl_is"
+
+diff -u "$acl_should" "$acl_is" || estat=1
+
+end_test