From: Michel Normand Date: Wed, 7 Oct 2009 14:06:08 +0000 (+0200) Subject: check permissions when receiving command X-Git-Tag: lxc_0_6_4~86 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3cc5de3619c0ac6c2a9046ff7e50e9d6dfc1d0fd;p=thirdparty%2Flxc.git check permissions when receiving command report to command requester the errno if credential failure, rather than to only close the connection. Signed-off-by: Daniel Lezcano Signed-off-by: Michel Normand --- diff --git a/src/lxc/commands.c b/src/lxc/commands.c index 98e6121d8..662ad9e15 100644 --- a/src/lxc/commands.c +++ b/src/lxc/commands.c @@ -128,7 +128,12 @@ static int command_handler(int fd, void *data, struct lxc_handler *handler = data; ret = lxc_af_unix_rcv_credential(fd, &request, sizeof(request)); - if (ret < 0) { + if (ret < 0 && ret == -EACCES) { + /* we don't care for the peer, just send and close */ + struct lxc_answer answer = { .ret = ret }; + send(fd, &answer, sizeof(answer), 0); + goto out_close; + } else if (ret < 0) { SYSERROR("failed to receive data on command socket"); goto out_close; } diff --git a/src/lxc/console.c b/src/lxc/console.c index d32941c16..92bbd47c6 100644 --- a/src/lxc/console.c +++ b/src/lxc/console.c @@ -51,6 +51,12 @@ extern int lxc_console(const char *name, int ttynum, int *fd) return -1; } + if (command.answer.ret) { + ERROR("console access denied: %s", + strerror(-command.answer.ret)); + return -1; + } + *fd = command.answer.fd; if (*fd <0) { ERROR("unable to allocate fd for tty %d", ttynum);
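Review bot: In command_handler the denial reply goes out with `send(fd, &answer, sizeof(answer), 0)`, so if the refused peer has already closed its end, the write raises SIGPIPE in the process running the handler unless SIGPIPE is ignored or blocked elsewhere, which the hunk does not show. Because this branch only ever talks to a peer that failed the credential check, `send(fd, &answer, sizeof(answer), MSG_NOSIGNAL);` keeps the best-effort intent of the comment without depending on signal disposition. The condition `ret < 0 && ret == -EACCES` reduces to `ret == -EACCES`. The -EACCES branch also logs nothing on the receiving side, so a refused request leaves no trace for the operator; a one-line log before `goto out_close` would fix that. command_handler's body starts and ends outside the hunk.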
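Review bot: The new `if (command.answer.ret)` branch in lxc_console reports every nonzero answer as "console access denied", although the value is whatever error code the command handler sent back. Testing `if (command.answer.ret < 0)` and using neutral wording, for example `ERROR("console request failed: %s", strerror(-command.answer.ret));`, would keep the log accurate if other codes are returned later. Placing the check before `*fd = command.answer.fd;` is correct and should stay: the denial answer built in commands.c sets only `.ret`, so the remaining fields are zero and fd would read as 0, which the following `*fd <0` test does not reject. Other clients of the command socket are not part of this diff; any that read answer fields presumably need the same check. lxc_console's body starts and ends outside the hunk.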