So, wait, the reason I can't see any authentication going on in the examples is because it's actually creating a container that, presumably, has no access outside of itself?
Which would mean it's actually useless as a replacement for su.
I believe it is creating a session in an existing container, and if you are root on the host you don't need to authenticate. There is another option called "machinectl login" that does normal authentication. Check out the man page linked above.
So it's kind of like jexec to run a command in a BSD jail, but for a container? Why not call it something short and sweet like "cexec" or "mexec" (for container, or machine if they insist on using "machine" in such a weird way). If I'm typing commands all day long, I don't want each one to be an essay--I already have RSI.
The road to ruin is always in good repair, and the travellers pay the
expense of it.
-- Josh Billings
Only incidentally similar to su (Score:5, Informative)
machinectl shell is only incidentally similar to su. Its primary purpose is to establish an su-like session on a different container or VM. Systemd refers to these as 'machines', hence the name machinectl.
http://www.freedesktop.org/sof... [freedesktop.org]
su cannot and does not do that sort of thing. machinectl shell is more like a variant of rsh than a replacement for su.
Re: (Score:2)
It's a privilege escalation inside a very complex environment. Su is a simple shell interface to a system call.
I'll tell you what - as long as I can turn the option of escalation privilege to arbitrary processes off inside systemd, in a safe and predictable manner, and the option to turn it off is heavily documented, I'm happy.