I’m new to the container world. Does it have any security benefits when I run my applications as a non-root user in a Docker container? And how about Podman? There I’ll run the container as an unprivileged user anyway. Would changing the user in the container achieve anything?

  • sudneo@lemmy.world
    1 year ago

    Not really true: containers are based on namespaces, which have always also been a security feature. Chroot has been a common “system” technique, after all.

    Containers help security if built properly, and it’s easier to build a container securely (and run it), compared to proper systemd unit security.

    • ck_@discuss.tchncs.de
      1 year ago

      containers are based on namespaces, which have always also been a security feature.

      Incorrect.

      Chroot has been a common “system” technique, after all.

      Incorrect.

      • sudneo@lemmy.world
        1 year ago

        OK :)

        So chroot has not been used for decades to isolate processes to a confined view of the filesystem (especially in combination with a restricted shell), and, for example, the networking namespace is not used to limit the impact of a compromise on the firewall, and the user namespace is not used to allow privileged processes to run de facto unprivileged.

        Whatever you say
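The user-namespace point in the reply above (and the OP’s question about whether changing the user matters under rootless Podman) comes down to what a container uid actually is on the host. The script below is an added example, not code from anyone in this thread: it resolves a container uid to a host uid from the `/proc/<pid>/uid_map` format, with two constructed maps (a typical rootless Podman mapping for host user 1000 with a subuid range starting at 100000, and the identity map you get from a rootful Docker daemon without userns-remap). The map contents, the uid values and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: resolve a uid inside a user namespace to the host uid it
# really is. /proc/<pid>/uid_map has one "inside outside count" triple per
# line. Both maps below are constructed for the example, not read from a host.
ROOTLESS_UID_MAP='0 1000 1
1 100000 65536'

# Rootful Docker without userns-remap: container uids are host uids 1:1.
ROOTFUL_UID_MAP='0 0 4294967295'

# host_uid <uid_map_text> <container_uid>
# Prints the host uid the container uid maps to, or "unmapped" when no line
# covers it (the kernel then shows the overflow uid 65534, which holds no
# privilege on the host).
host_uid() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF == 3 && want >= $1 && want < $1 + $3 {
            print $2 + (want - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# Exit status 0 when uid 0 inside the container is real root on the host,
# i.e. a container breakout lands as root rather than as an ordinary user.
container_root_is_host_root() {
    [ "$(host_uid "$1" 0)" = "0" ]
}

# Live check on your own host (rootless Podman):
#   podman unshare cat /proc/self/uid_map
# Inside a running container: cat /proc/self/uid_map
```

With the rootless map, container root is host uid 1000 and a non-root container user such as 1000 is host uid 100999; with the rootful map, container root is host root, which is why dropping to a non-root user inside the container still matters there.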