OS-2837 lx brand only works with shared IP stacks
@@ -19,10 +19,11 @@
* CDDL HEADER END
*/
/*
* Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright 2014, Joyent, Inc. All rights reserved.
*/
/*
* Main door handler functions used by ipmgmtd to process the different door
* call requests, issued by the library libipadm.so.
@@ -110,11 +111,13 @@
ipmgmt_log(LOG_ERR, "Invalid door command specified");
err = EINVAL;
goto fail;
}
- /* check for solaris.network.interface.config authorization */
+ /*
+ * if not root, check for solaris.network.interface.config authorization
+ */
if (infop->idi_set) {
uid_t uid;
struct passwd pwd;
char buf[1024];
@@ -122,29 +125,37 @@
err = errno;
ipmgmt_log(LOG_ERR, "Could not get user credentials.");
goto fail;
}
uid = ucred_getruid(cred);
+ ucred_free(cred);
if ((int)uid < 0) {
err = errno;
ipmgmt_log(LOG_ERR, "Could not get user id.");
goto fail;
}
- if (getpwuid_r(uid, &pwd, buf, sizeof (buf)) ==
- NULL) {
+
+ /*
+ * Branded zones may have different auth, but root always
+ * allowed.
+ */
+ if (uid != 0) {
+ if (getpwuid_r(uid, &pwd, buf, sizeof (buf)) == NULL) {
err = errno;
- ipmgmt_log(LOG_ERR, "Could not get password entry.");
+ ipmgmt_log(LOG_ERR,
+ "Could not get password entry.");
goto fail;
}
if (chkauthattr(NETWORK_INTERFACE_CONFIG_AUTH,
pwd.pw_name) != 1) {
err = EPERM;
- ipmgmt_log(LOG_ERR, "Not authorized for operation.");
+ ipmgmt_log(LOG_ERR,
+ "Not authorized for operation.");
goto fail;
}
- ucred_free(cred);
}
+ }
/* individual handlers take care of calling door_return */
infop->idi_handler((void *)argp);
return;
fail:
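Review bot: On the `ucred_getruid` failure path, `err = errno` is now read after the added `ucred_free(cred)`, so the code passed to `fail:` is whatever errno holds after the free; nothing visible here guarantees that `ucred_free` leaves errno untouched. Saving it first keeps the leak fix and the original error: `uid = ucred_getruid(cred); err = errno; ucred_free(cred);`, with the `err = errno;` inside the `(int)uid < 0` branch dropped. Separately, in the new `uid != 0` block, a NULL return from `getpwuid_r` for a uid with no passwd entry may leave errno at 0, so a refused request could reach `fail:` with `err == 0`. Using `err = (errno != 0) ? errno : EPERM;` there would keep a denial from being reported as success. The code after `fail:` is outside the hunk, so how `err` reaches the door caller is inferred.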