proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-06-16 07:53:44 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

update lxc-attach manpage

Browse Source 
- explain rationale behind allocation of pty
- briefly explain how a pty is allocated
- add a short note that describes the changed behavior for lxc-attach when the
  user is not placed in a writeable cgroup at login

Signed-off-by: Christian Brauner <christian.brauner@mailbox.org>
This commit is contained in:
Christian Brauner 2016-02-22 23:23:58 +01:00
parent 6f92522ba5
commit e986ea3dfa
1 changed files with 27 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
doc/lxc-attach.sgml.in
View File

@ -78,6 +78,23 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
inside the container or the container does not have a working inside the container or the container does not have a working
nsswitch mechanism. nsswitch mechanism.
</para> </para>
<para>
Previous versions of <command>lxc-attach</command> simply attached to the
specified namespaces of a container and ran a shell or the specified
command without allocating a pseudo terminal. This made them vulnerable to
input faking via a TIOCSTI <command>ioctl</command> call after switching
between userspace execution contexts with different privilegel levels. Newer
versions of <command>lxc-attach</command> will try to allocate a pseudo
terminal master/slave pair and attach any standard file descriptors which
refer to a terminal to the slave side of the pseudo terminal before
executing a shell or command. <command>lxc-attach</command> will first try
to allocate a pseudo terminal in the container. Should this fail it will try
to allocate a pseudo terminal on the host before finally giving up. Note,
that if none of the standard file descriptors refer to a terminal
<command>lxc-attach</command> will not try to allocate a pseudo terminal.
Instead it will simply attach to the containers namespaces and run a shell
or the specified command.
</para>
</refsect1> </refsect1>
@ -311,6 +328,16 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
except for the <replaceable>/proc</replaceable> and except for the <replaceable>/proc</replaceable> and
<replaceable>/sys</replaceable> filesystems. <replaceable>/sys</replaceable> filesystems.
</para> </para>
<para>
Previous versions of <command>lxc-attach</command> suffered a bug whereby
a user could attach to a containers namespace without being placed in a
writeable cgroup for some critical subsystems. Newer versions of
<command>lxc-attach</command> will check whether a user is in a writeable
cgroup for those critical subsystems. <command>lxc-attach</command> might
thus fail unexpectedly for some users (E.g. on systems where an
unprivileged user is not placed in a writeable cgroup in critical
subsystems on login.). However, this behavior is correct and more secure.
</para>
</refsect1> </refsect1>
<refsect1> <refsect1>