pam: fix race in cgroup creation

If we find that a cgroup already exists, we should

1. remove all the cgroups which we've created so far
2. set existed to true
3. return failure

The caller should then detect that existed == true,
and re-try with the next index.

Signed-off-by: Serge Hallyn <serge@hallyn.com>

diff --git a/pam/pam_cgfs.c b/pam/pam_cgfs.c
index 08f0694985c281771162c5d627079a3a90387609..24510e103833a8b26b9409f6a7c446375dcecbdc 100644 (file)
--- a/pam/pam_cgfs.c
+++ b/pam/pam_cgfs.c
@@ -585,7 +585,7 @@ static bool cgfs_create_forone(struct controller *c, uid_t uid, gid_t gid, const
 #if DEBUG
                        fprintf(stderr, "%s existed\n", path);
 #endif
-                       return true;
+                       return false;
                }
 
                bool pass = mkdir_p(c->mount_path, path);
@@ -794,16 +794,16 @@ static int handle_login(const char *user)
                        return PAM_SESSION_ERR;
                }
 
+               existed = false;
                if (!cgfs_create(cg, uid, gid, &existed)) {
+                       if (existed) {
+                               idx++;
+                               continue;
+                       }
                        mysyslog(LOG_ERR, "Failed to create a cgroup for user %s\n", user);
                        return PAM_SESSION_ERR;
                }
 
-               if (existed == 1) {
-                       idx++;
-                       continue;
-               }
-
                if (!cgfs_enter(cg, false)) {
                        mysyslog(LOG_ERR, "Failed to enter user cgroup %s for user %s\n", cg, user);
                        return PAM_SESSION_ERR;