• @[email protected]
    link
    fedilink
    English
    01 year ago

    I think you’re interpreting too much. Security is about layers and making it harder for attackers, and that’s exactly what using a non-root user does.

    In that scenario, the attacker needs to find and exploit another vulnerability to gain root access, which takes time - time which the attacker might not be willing to spend and time which you can use to respond.

    • @[email protected]
      link
      fedilink
      English
      -31 year ago

      You don’t know enough about security to lecture me. The kernel has before/continues to suffer(ed) from successful root shell exploits, particularly in this case via unprivileged userns. Something podman or even rootless docker can’t do anything about.

      • @[email protected]
        link
        fedilink
        English
        -11 year ago

        Funny how you claim to know so much about security but can’t even seem to comprehend my comment. I know root shell exploits exist, that’s why I wrote that it takes additional time to get root access, not that it’s impossible. And that’s still a security improvement because it’s an additional hurdle for the adversary.

        • apigban
          link
          fedilink
          English
          21 year ago

          the person you are replying to either lacks comprehension or maybe just wants to be argumentative and doesn’t want to comprehend.

        • @[email protected]
          link
          fedilink
          English
          -31 year ago

          Containers cannot be viewed as security tools. They suffer from poor isolation and inadequate and some cases non-existent sandboxing. All these are proven security essentials. You would know about them if you knew anything about (defensive) security!

          • @[email protected]
            link
            fedilink
            English
            11 year ago

            Once again, you’re going off on an unrelated tangent. If you don’t want to listen, I can’t help you. We’re done here.