by cluckindan 43 days ago
So a threat actor buys access to a managed Kubernetes service, or other Linux-based shared hosting platform, and now they have access to the computer.

Hell, GitHub Actions would do.

2 comments

Is there any service that relies on Linux user separation or containers to separate different user accounts? I’m pretty sure you’re not supposed to do that and the proper way is to run different instances in virtual machines.

Basically every shared webhost that uses cPanel works like this. The security mechanism they use is called CageFS (https://cloudlinux.com/getting-started-with-cloudlinux-os/41...), which makes it so users can't see other users, but it's not like a VM or something.

Right, you're not supposed to do that...

Yes, because hypervisors are simply just a program that runs under Linux, not total CPU/memory isolation......

Lemme guess, you probably think this can be used to hack into the backend that runs AWS from any EC2 lol?