|
|
|
|
|
|
by simoncion
73 days ago
|
|
|
> "Create a new user account" is much better advice than "don't use a container". That wasn't exactly what PunchyHamster was saying. PH was saying that putting an untrusted workload in a container doesn't prevent it from scanning (and attacking) your network... so your IP network security is just as bad when that untrusted workload is containerized as when it's not. Containers/sandboxes can provide filesystem segmentation (except when they don't! [0]), but the way they're typically used, they provide zero network segmentation. I mention in my comment here [1] that it's useful for whatever isolation mechanism you use (even if it's "just" 'a separate minimally-privileged user') to ensure that programs its spawns are on separate VLANs that your router prevents from talking to anywhere other than the Internet. [0] <https://github.com/flatpak/flatpak/security/advisories/GHSA-...> [1] <https://news.ycombinator.com/item?id=47690425> |
|
|