mirror of
https://git.proxmox.com/git/mirror_lxc
synced 2025-07-25 11:19:40 +00:00
tree-wide: replace problematic terminology
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
parent 4f6c7312ef
commit f48e807159
@ -91,7 +91,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
|
||||
<!--
|
||||
It will consult the configuration file <filename>@LXC_USERNIC_CONF@</filename>
|
||||
to determine the number of interfaces which the calling user is allowed to
|
||||
create, and which bridge he may attach them to. It tracks the
|
||||
create, and which bridge they may attach them to. It tracks the
|
||||
number of interfaces each user has created using the file
|
||||
<filename>@LXC_USERNIC_DB@</filename>. It ensures that the calling
|
||||
user is privileged over the network namespace to which the interface
|
||||
|
@ -1487,7 +1487,7 @@ by KATOH Yasufumi <karma at jazz.email.ne.jp>
|
||||
the container at some <filename>path</filename>, and then mounts
|
||||
under <filename>path</filename>, then a TOCTTOU attack would be
|
||||
possible where the container user modifies a symbolic link under
|
||||
his home directory at just the right time.
|
||||
their home directory at just the right time.
|
||||
-->
|
||||
注意: 通常 LXC は、マウント対象と相対パス指定のバインドマウントを、適切にコンテナルート以下に閉じ込めます。
|
||||
これは、ホストのディレクトリやファイルに対して重ね合わせを行うようなマウントによる攻撃を防ぎます。(絶対パス指定のマウントソース中の各パスがシンボリックリンクである場合は無視されます。)
|
||||
|
@ -76,7 +76,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
|
||||
<!--
|
||||
It will consult the configuration file <filename>@LXC_USERNIC_CONF@</filename>
|
||||
to determine the number of interfaces which the calling user is allowed to
|
||||
create, and which bridge he may attach them to. It tracks the
|
||||
create, and which bridge they may attach them to. It tracks the
|
||||
number of interfaces each user has created using the file
|
||||
<filename>@LXC_USERNIC_DB@</filename>. It ensures that the calling
|
||||
user is privileged over the network namespace to which the interface
|
||||
|
@ -1060,7 +1060,7 @@ by Sungbae Yoo <sungbae.yoo at samsung.com>
|
||||
the container at some <filename>path</filename>, and then mounts
|
||||
under <filename>path</filename>, then a TOCTTOU attack would be
|
||||
possible where the container user modifies a symbolic link under
|
||||
his home directory at just the right time.
|
||||
their home directory at just the right time.
|
||||
-->
|
||||
주의 - 보통 LXC는 마운트 대상과 상대 경로로 된 바인드 마운트 소스들이 컨테이너의 루트 아래에 있도록 보장할 것이다. 이는 호스트 디렉토리와 파일들을 겹쳐서 마운트하는 유형의 공격을 피하기 위한 것이다. (절대 경로로 된 마운트 소스 내에 존재하는 심볼릭 링크들은 무시될 것이다.)
|
||||
하지만, 만약 컨테이너 설정에서 컨테이너 사용자가 제어할 수 있는, 예를 들어 /home/joe와 같은 디렉토리를 컨테이너 내의 <filename>path</filename>에 먼저 마운트 하고 나서, <filename>path</filename> 내에 또 마운트를 하는 경우가 있다면,
|
||||
|
@ -755,7 +755,7 @@ rootfs
|
||||
state change and exit. This is useful for scripting to
|
||||
synchronize the launch of a container or the end. The
|
||||
parameter is an ORed combination of different states. The
|
||||
following example shows how to wait for a container if he went
|
||||
following example shows how to wait for a container if they went
|
||||
to the background.
|
||||
|
||||
<programlisting>
|
||||
|
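Review bot: In the changed line "following example shows how to wait for a container if they went", the pronoun refers to the container rather than to a person, so "it" is the natural replacement for "he"; suggest "how to wait for a container if it went to the background".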
@ -81,7 +81,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
<para>
|
||||
It will consult the configuration file <filename>@LXC_USERNIC_CONF@</filename>
|
||||
to determine the number of interfaces which the calling user is allowed to
|
||||
create, and which bridge he may attach them to. It tracks the
|
||||
create, and which bridge they may attach them to. It tracks the
|
||||
number of interfaces each user has created using the file
|
||||
<filename>@LXC_USERNIC_DB@</filename>. It ensures that the calling
|
||||
user is privileged over the network namespace to which the interface
|
||||
|
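Review bot: The new wording "which bridge they may attach them to" places two plural pronouns with different referents next to each other ("they" is the calling user, "them" the interfaces); naming one of them reads more clearly, for example "which bridge that user may attach them to". The same sentence appears in the commented-out English text of the translated pages in this patch, so any rewording should be applied there too to keep the copies identical.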
@ -1125,7 +1125,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
the container at some <filename>path</filename>, and then mounts
|
||||
under <filename>path</filename>, then a TOCTTOU attack would be
|
||||
possible where the container user modifies a symbolic link under
|
||||
his home directory at just the right time.
|
||||
their home directory at just the right time.
|
||||
</para>
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
|
@ -3411,7 +3411,7 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
|
||||
}
|
||||
|
||||
/* Check if we really need to use newuidmap and newgidmap.
|
||||
* If the user is only remapping his own {g,u}id, we don't need it.
|
||||
* If the user is only remapping their own {g,u}id, we don't need it.
|
||||
*/
|
||||
if (use_shadow && lxc_list_len(idmap) == 2) {
|
||||
use_shadow = false;
|
||||
|
@ -251,7 +251,7 @@ static int lxc_terminal_write_log_file(struct lxc_terminal *terminal, char *buf,
|
||||
/* This isn't a regular file. so rotating the file seems a
|
||||
* dangerous thing to do, size limits are also very
|
||||
* questionable. Let's not risk anything and tell the user that
|
||||
* he's requesting us to do weird stuff.
|
||||
* they're requesting us to do weird stuff.
|
||||
*/
|
||||
if (terminal->log_rotate > 0 || terminal->log_size > 0)
|
||||
return -EINVAL;
|
||||
|
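Review bot: Since this comment is being edited anyway, the context line "This isn't a regular file. so rotating the file seems a" has a full stop followed by a lowercase "so"; changing it to "regular file, so rotating" in the same change would tidy the comment.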