logoalt Hacker News

killerstormyesterday at 3:04 PM2 repliesview on HN

Privilege escalation (e.g. setuid), world-readable files might contain sensitive data, world-writeable files, unrestricted network access (including access to all locally running services)... If you have fully patched system without zero-days and it's configured in a perfect way, then, sure...

Container is quite like a "separate user" except you can explicitly define what it can access.

(Even if all your daemons have good auth, it's now quite common for _apps_ to open listening sockets without much auth...)


Replies

wilkystyleyesterday at 3:06 PM

Also, many of these sandboxing solutions provide features like network allowlists and credential masking/injection

vqtskayesterday at 3:07 PM

Sure, if you assume the agent will be hostile on you. I thought it's just so the agent doesn't accidentally rm -rf / on you

show 3 replies