authorAlexander Eremin <a.eremin@nexenta.com>2014-12-26 13:08:29 +0100
committerRobert Mustacchi <rm@joyent.com>2014-12-26 11:36:13 -0800
commitb6831eafa2ec2cb283f783b06ee86bf79d5a17c3 (patch)
treed613f9d71a88df08eb7291b1e69f658a8e7b71d4
parenta5261312fc4eed6b5595eca994c6cfec602829cd (diff)
5432 zoneadm install could fix zonepath permissions automatically
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com> Approved by: Robert Mustacchi <rm@joyent.com>
-rw-r--r--usr/src/cmd/zoneadm/zoneadm.c23
-rw-r--r--usr/src/man/man1m/zoneadm.1m14
2 files changed, 26 insertions, 11 deletions
diff --git a/usr/src/cmd/zoneadm/zoneadm.c b/usr/src/cmd/zoneadm/zoneadm.c
index 2c25e18a53..6d80fcd8c3 100644
--- a/usr/src/cmd/zoneadm/zoneadm.c
+++ b/usr/src/cmd/zoneadm/zoneadm.c
@@ -1023,6 +1023,18 @@ validate_zonepath(char *path, int cmd_num)
(void) fprintf(stderr, gettext("%s is not owned by root.\n"),
rpath);
err = B_TRUE;
+
+ /* Try to change owner */
+ if (cmd_num != CMD_VERIFY) {
+ (void) fprintf(stderr, gettext("%s: changing owner "
+ "to root.\n"), rpath);
+ if (chown(rpath, 0, -1) != 0) {
+ zperror(rpath, B_FALSE);
+ return (Z_ERR);
+ } else {
+ err = B_FALSE;
+ }
+ }
}
err |= bad_mode_bit(stbuf.st_mode, S_IRUSR, B_TRUE, rpath);
err |= bad_mode_bit(stbuf.st_mode, S_IWUSR, B_TRUE, rpath);
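Review bot: The added `chown(rpath, 0, -1)` works on a path name after the ownership test on `stbuf`, so it re-owns whatever `rpath` names at the time of the call rather than the directory that was inspected; the `chmod(rpath, S_IRWXU)` in the second hunk has the same gap. The directory is by definition owned by a non-root user at this point, and the parent (`%s/..`) is only looked at after both fixes, so the check and the change are not guaranteed to hit the same object. Opening the directory once and using `fstat`/`fchown` (and later `fchmod`) on that descriptor closes the gap; the sketch below assumes `stbuf` is the `struct stat` filled for `rpath`, which happens outside this hunk. validate_zonepath starts and ends outside the hunk.

```c
	/* Try to change owner */
	if (cmd_num != CMD_VERIFY) {
		struct stat fdst;
		int dfd;

		/* ... unchanged: "changing owner to root" message ... */

		/* Pin the directory so the check and the fix hit one object */
		dfd = open(rpath, O_RDONLY | O_NOFOLLOW);
		if (dfd == -1) {
			zperror(rpath, B_FALSE);
			return (Z_ERR);
		}
		/* Refuse if this is no longer the directory stat'ed earlier */
		if (fstat(dfd, &fdst) != 0 || !S_ISDIR(fdst.st_mode) ||
		    fdst.st_dev != stbuf.st_dev ||
		    fdst.st_ino != stbuf.st_ino ||
		    fchown(dfd, 0, -1) != 0) {
			zperror(rpath, B_FALSE);
			(void) close(dfd);
			return (Z_ERR);
		}
		(void) close(dfd);
		err = B_FALSE;
	}
```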
@@ -1034,6 +1046,17 @@ validate_zonepath(char *path, int cmd_num)
err |= bad_mode_bit(stbuf.st_mode, S_IWOTH, B_FALSE, rpath);
err |= bad_mode_bit(stbuf.st_mode, S_IXOTH, B_FALSE, rpath);
+ /* If the group perms are wrong, fix them */
+ if (err && (cmd_num != CMD_VERIFY)) {
+ (void) fprintf(stderr, gettext("%s: changing permissions "
+ "to 0700.\n"), rpath);
+ if (chmod(rpath, S_IRWXU) != 0) {
+ zperror(path, B_FALSE);
+ } else {
+ err = B_FALSE;
+ }
+ }
+
(void) snprintf(ppath, sizeof (ppath), "%s/..", path);
if ((res = resolvepath(ppath, rppath, sizeof (rppath))) == -1) {
zperror(ppath, B_FALSE);
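Review bot: On `chmod` failure the new code calls `zperror(path, B_FALSE)` although the call operated on `rpath`, so the error names the unresolved path; `zperror(rpath, B_FALSE);` would match the message printed just above and the chown branch in the first hunk. The comment `/* If the group perms are wrong, fix them */` understates the condition, since `err` collects every `bad_mode_bit` result, including the user and other bits visible here; something like `/* Any mode bit wrong: reset the zonepath to 0700 (top-level directory only) */` says what happens. A failed `chmod` falls through with `err` still set while a failed `chown` returns `Z_ERR` at once, and a one-line comment on which is intended would help. The function continues past the end of this hunk.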
diff --git a/usr/src/man/man1m/zoneadm.1m b/usr/src/man/man1m/zoneadm.1m
index 21a87e2924..6006e53b65 100644
--- a/usr/src/man/man1m/zoneadm.1m
+++ b/usr/src/man/man1m/zoneadm.1m
@@ -4,7 +4,7 @@
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
-.TH ZONEADM 1M "Oct 30, 2013"
+.TH ZONEADM 1M "Dec 26, 2014"
.SH NAME
zoneadm \- administer zones
.SH SYNOPSIS
@@ -26,17 +26,14 @@ zoneadm \- administer zones
.fi
.SH DESCRIPTION
-.sp
.LP
The \fBzoneadm\fR utility is used to administer system zones. A zone is an
application container that is maintained by the operating system runtime.
.SH SECURITY
-.sp
.LP
Once a process has been placed in a zone other than zone \fB0\fR, the process
or any of its children cannot change zones.
.SH OPTIONS
-.sp
.LP
The following options are supported:
.sp
@@ -74,7 +71,6 @@ String identifier for a zone.
.RE
.SH SUBCOMMANDS
-.sp
.LP
Subcommands which can result in destructive actions or loss of work have a
\fB-F\fR flag to force the action. If input is from a terminal device, the user
@@ -279,8 +275,8 @@ Display general help. If you specify \fIsubcommand\fR, displays help on
.sp .6
.RS 4n
Install the specified zone on the system. This subcommand automatically
-attempts to verify first. It refuses to install if the verify step fails. See
-the \fBverify\fR subcommand.
+attempts to verify first, most verification errors are fatal. See the
+\fBverify\fR subcommand.
.sp
.ne 2
.na
@@ -599,7 +595,6 @@ The following command illustrates the use of the \fB-s\fR option.
.sp
.SH EXIT STATUS
-.sp
.LP
The following exit values are returned:
.sp
@@ -633,7 +628,6 @@ Invalid usage.
.RE
.SH ATTRIBUTES
-.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
@@ -649,7 +643,6 @@ Interface Stability Committed
.TE
.SH SEE ALSO
-.sp
.LP
\fBread\fR(1), \fBsvcs\fR(1), \fBzlogin\fR(1), \fBzonename\fR(1),
\fBinit\fR(1M), \fBkernel\fR(1M), \fBsvcadm\fR(1M), \fBsvc.startd\fR(1M),
@@ -657,7 +650,6 @@ Interface Stability Committed
\fBattributes\fR(5), \fBbrands\fR(5), \fBnative\fR(5), \fBsmf\fR(5),
\fBzones\fR(5)
.SH NOTES
-.sp
.LP
The \fBzones\fR(5) service is managed by the service management facility,
\fBsmf\fR(5), under the service identifier: