<!--
It will consult the configuration file <filename>@LXC_USERNIC_CONF@</filename>
to determine the number of interfaces which the calling user is allowed to
- create, and which bridge he may attach them to. It tracks the
+ create, and which bridge they may attach them to. It tracks the
number of interfaces each user has created using the file
<filename>@LXC_USERNIC_DB@</filename>. It ensures that the calling
user is privileged over the network namespace to which the interface
the container at some <filename>path</filename>, and then mounts
under <filename>path</filename>, then a TOCTTOU attack would be
possible where the container user modifies a symbolic link under
- his home directory at just the right time.
+ their home directory at just the right time.
-->
注意: 通常 LXC は、マウント対象と相対パス指定のバインドマウントを、適切にコンテナルート以下に閉じ込めます。
これは、ホストのディレクトリやファイルに対して重ね合わせを行うようなマウントによる攻撃を防ぎます。(絶対パス指定のマウントソース中の各パスがシンボリックリンクである場合は無視されます。)
<!--
It will consult the configuration file <filename>@LXC_USERNIC_CONF@</filename>
to determine the number of interfaces which the calling user is allowed to
- create, and which bridge he may attach them to. It tracks the
+ create, and which bridge they may attach them to. It tracks the
number of interfaces each user has created using the file
<filename>@LXC_USERNIC_DB@</filename>. It ensures that the calling
user is privileged over the network namespace to which the interface
the container at some <filename>path</filename>, and then mounts
under <filename>path</filename>, then a TOCTTOU attack would be
possible where the container user modifies a symbolic link under
- his home directory at just the right time.
+ their home directory at just the right time.
-->
주의 - 보통 LXC는 마운트 대상과 상대 경로로 된 바인드 마운트 소스들이 컨테이너의 루트 아래에 있도록 보장할 것이다. 이는 호스트 디렉토리와 파일들을 겹쳐서 마운트하는 유형의 공격을 피하기 위한 것이다. (절대 경로로 된 마운트 소스 내에 존재하는 심볼릭 링크들은 무시될 것이다.)
하지만, 만약 컨테이너 설정에서 컨테이너 사용자가 제어할 수 있는, 예를 들어 /home/joe와 같은 디렉토리를 컨테이너 내의 <filename>path</filename>에 먼저 마운트 하고 나서, <filename>path</filename> 내에 또 마운트를 하는 경우가 있다면,
state change and exit. This is useful for scripting to
synchronize the launch of a container or the end. The
parameter is an ORed combination of different states. The
- following example shows how to wait for a container if he went
+ following example shows how to wait for a container if they went
to the background.
<programlisting>
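Review bot: The new wording "how to wait for a container if they went to the background" uses "they" for the container, which is an object rather than a person, so the pronoun now reads as if it refers to someone else. Suggest "how to wait for a container if it went to the background".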
<para>
It will consult the configuration file <filename>@LXC_USERNIC_CONF@</filename>
to determine the number of interfaces which the calling user is allowed to
- create, and which bridge he may attach them to. It tracks the
+ create, and which bridge they may attach them to. It tracks the
number of interfaces each user has created using the file
<filename>@LXC_USERNIC_DB@</filename>. It ensures that the calling
user is privileged over the network namespace to which the interface
the container at some <filename>path</filename>, and then mounts
under <filename>path</filename>, then a TOCTTOU attack would be
possible where the container user modifies a symbolic link under
- his home directory at just the right time.
+ their home directory at just the right time.
</para>
<variablelist>
<varlistentry>
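Review bot: In "which bridge they may attach them to", "they" (the calling user) and "them" (the interfaces) now sit in the same clause with different referents, which makes the sentence ambiguous. Suggest naming the subject, for example "which bridge that user may attach them to". The same sentence appears in the commented-out English of the Japanese and Korean pages and should get the same wording.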
}
/* Check if we really need to use newuidmap and newgidmap.
- * If the user is only remapping his own {g,u}id, we don't need it.
+ * If the user is only remapping their own {g,u}id, we don't need it.
*/
if (use_shadow && lxc_list_len(idmap) == 2) {
use_shadow = false;
/* This isn't a regular file. so rotating the file seems a
* dangerous thing to do, size limits are also very
* questionable. Let's not risk anything and tell the user that
- * he's requesting us to do weird stuff.
+ * they're requesting us to do weird stuff.
*/
if (terminal->log_rotate > 0 || terminal->log_size > 0)
return -EINVAL;
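Review bot: The comment touched here still opens with "This isn't a regular file. so rotating", a full stop followed by a lowercase word. Since the comment is being edited anyway, change it to "This isn't a regular file, so rotating the file seems a dangerous thing to do". The replacement "they're requesting us" agrees with "the user" and needs no further change.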