• hottari@lemmy.ml
    link
    fedilink
    English
    arrow-up
    0
    arrow-down
    2
    ·
    1 year ago

    Not sure relying on podman alone as a security tool might be advisable. Podman is a container technology first, security is not the main goal.

    Read more about rootless docker here.

    • Dandroid@dandroid.app
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      I never said I was relying on it alone. Not sure why you think that.

      That’s a great link. Thank you for sharing. It’s good that docker supports this functionality now.

      • hottari@lemmy.ml
        link
        fedilink
        English
        arrow-up
        0
        arrow-down
        1
        ·
        1 year ago

        I never said I was relying on it alone. Not sure why you think that.

        …all my services aren’t running as root.

        If it turns out a vulnerability is discovered in lemmy tomorrow that allows people to access my server through my lemmy container, the attacker will only have access to a dummy account that hosts my containers.

        This was your argument according to you for why you think podman is more secure (than docker I presume). Seemed to imply rootless podman will save you from an attacker. I was simply disproving the flawed notion.

        • BlueBockser@programming.dev
          link
          fedilink
          English
          arrow-up
          0
          arrow-down
          1
          ·
          1 year ago

          I think you’re interpreting too much. Security is about layers and making it harder for attackers, and that’s exactly what using a non-root user does.

          In that scenario, the attacker needs to find and exploit another vulnerability to gain root access, which takes time - time which the attacker might not be willing to spend and time which you can use to respond.

          • hottari@lemmy.ml
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            2
            ·
            1 year ago

            You don’t know enough about security to lecture me. The kernel has before/continues to suffer(ed) from successful root shell exploits, particularly in this case via unprivileged userns. Something podman or even rootless docker can’t do anything about.

            • BlueBockser@programming.dev
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              2
              ·
              1 year ago

              Funny how you claim to know so much about security but can’t even seem to comprehend my comment. I know root shell exploits exist, that’s why I wrote that it takes additional time to get root access, not that it’s impossible. And that’s still a security improvement because it’s an additional hurdle for the adversary.

              • apigban@lemmy.dbzer0.com
                link
                fedilink
                English
                arrow-up
                3
                arrow-down
                1
                ·
                1 year ago

                the person you are replying to either lacks comprehension or maybe just wants to be argumentative and doesn’t want to comprehend.

              • hottari@lemmy.ml
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                2
                ·
                1 year ago

                Containers cannot be viewed as security tools. They suffer from poor isolation and inadequate and some cases non-existent sandboxing. All these are proven security essentials. You would know about them if you knew anything about (defensive) security!

                • BlueBockser@programming.dev
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  1
                  ·
                  1 year ago

                  Once again, you’re going off on an unrelated tangent. If you don’t want to listen, I can’t help you. We’re done here.