1 files changed, 24 insertions, 3 deletions

diff --git a/usr/src/lib/libipadm/common/libipadm.c b/usr/src/lib/libipadm/common/libipadm.c
index e384229c29..9d57e1f16d 100644
--- a/usr/src/lib/libipadm/common/libipadm.c
+++ b/usr/src/lib/libipadm/common/libipadm.c
@@ -21,6 +21,7 @@
 
 /*
  * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright 2015 Joyent, Inc.
  * Copyright 2014 Nexenta Systems, Inc.  All rights reserved.
  * Copyright (c) 2016, Chris Fraire <cfraire@me.com>.
  */
@@ -286,11 +287,19 @@ ipadm_close(ipadm_handle_t iph)
 boolean_t
 ipadm_check_auth(void)
 {
+	int		uid;
 	struct passwd	pwd;
 	char		buf[NSS_BUFLEN_PASSWD];
 
+	/*
+	 * Branded zones may have different kinds of auth, but root always
+	 * allowed.
+	 */
+	if ((uid = getuid()) == 0)
+		return (B_TRUE);
+
 	/* get the password entry for the given user ID */
-	if (getpwuid_r(getuid(), &pwd, buf, sizeof (buf)) == NULL)
+	if (getpwuid_r(uid, &pwd, buf, sizeof (buf)) == NULL)
 		return (B_FALSE);
 
 	/* check for presence of given authorization */
@@ -899,9 +908,21 @@ ipadm_door_call(ipadm_handle_t iph, void *arg, size_t asize, void **rbufp,
 
 reopen:
 	(void) pthread_mutex_lock(&iph->iph_lock);
-	/* The door descriptor is opened if it isn't already */
+	/*
+	 * The door descriptor is opened if it isn't already.
+	 */
 	if (iph->iph_door_fd == -1) {
-		if ((iph->iph_door_fd = open(IPMGMT_DOOR, O_RDONLY)) < 0) {
+		char door[MAXPATHLEN];
+		const char *zroot = zone_get_nroot();
+
+		/*
+		 * If this is a branded zone, make sure we use the "/native"
+		 * prefix for the door path:
+		 */
+		(void) snprintf(door, sizeof (door), "%s%s", zroot != NULL ?
+		    zroot : "", IPMGMT_DOOR);
+
+		if ((iph->iph_door_fd = open(door, O_RDONLY)) < 0) {
 			err = errno;
 			(void) pthread_mutex_unlock(&iph->iph_lock);
 			return (err);