Add read permission checking for the container

From: Daniel Lezcano <dlezcano@fr.ibm.com>

When an user tries to look at the pids or network information belonging
to a container not owned by the user. The command silently fails, I changed
that to check the read permission, display an error and exit.

Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

diff --git a/src/lxc/lxc-netstat.in b/src/lxc/lxc-netstat.in
index 63728de144c24b2b869310ff561dcca0fbcdcd45..6603d4a20c304f36147955786807bc06217cfc89 100644 (file)
--- a/src/lxc/lxc-netstat.in
+++ b/src/lxc/lxc-netstat.in
@@ -30,10 +30,15 @@ if [ ! -d $lxcpath/$name ]; then
     exit 1
 fi
 
+if [ ! -r $lxcpath/$name ]; then
+    echo "Can not access '$name': permission denied"
+    exit 1
+fi
+
 if [ ! -f $lxcpath/$name/init ]; then
     exit 0
 fi
 
-initpid=$(cat $lxcpath/$name/init)
-
-mount --bind /proc/$initpid/net /proc/$$/net && exec netstat $*
\ No newline at end of file
+initpid=$(cat $lxcpath/$name/init) && \
+    mount --bind /proc/$initpid/net /proc/$$/net && \
+    exec netstat $*

diff --git a/src/lxc/lxc-ps.in b/src/lxc/lxc-ps.in
index a3439e9982b64d94b95036e80dc8f770a1777aa9..165726ae554339e0e3b37780bbb64f0951e45a20 100755 (executable)
--- a/src/lxc/lxc-ps.in
+++ b/src/lxc/lxc-ps.in
@@ -30,6 +30,11 @@ if [ ! -d $lxcpath/$name ]; then
     exit 1
 fi
 
+if [ ! -r $lxcpath/$name ]; then
+    echo "Can not access '$name', permission denied"
+    exit 1
+fi
+
 if [ -h $lxcpath/$name/nsgroup ]; then
     ps $* -p $(cat $lxcpath/$name/nsgroup/tasks)
 fi