by arcanemachiner
74 days ago
See, I like this. "Create a new user account" is much better advice than "don't use a container". My problem with the latter advice is that I know for a fact that people will read it, then continue to use absolutely no protection whatsoever. I have also wanted to use a simple file permission system, but I started with a container and I can't be troubled to switch yet.

That wasn't exactly what PunchyHamster was saying. PH was saying that putting an untrusted workload in a container doesn't prevent it from scanning (and attacking) your network... so your IP network security is just as bad when that untrusted workload is containerized as when it's not. Containers/sandboxes can provide filesystem segmentation (except when they don't! [0]), but the way they're typically used, they provide zero network segmentation.
I mention in my comment here [1] that it's useful for whatever isolation mechanism you use (even if it's "just" 'a separate minimally-privileged user') to ensure that programs it spawns are on separate VLANs that your router prevents from talking to anywhere other than the Internet.
[0] <https://github.com/flatpak/flatpak/security/advisories/GHSA-...>
[1] <https://news.ycombinator.com/item?id=47690425>