Comment by drnick1
17 hours ago
Do you not find a dedicated UNIX user to be sufficient for the sake of protecting personal files, SSH keys, etc?
It's all fun and games until the model is smart enough to figure out privilege escalation, i.e. a lot of people don't realize Docker enabled on a regular user is enough for privilege escalation if you "follow the tutorials."
Agent that can apt-get is more useful.
When I was in university in 2009, the student union I was in had set up their Linux computers with a small program that one of the members wrote, that had the suid bit set and would exec apt-get install passing the arguments along.
This way, all members of the student union were able to install any software they wanted to on the student union computers without having to give out blanket root access to the members. Only a select few members had full root access.
There are other ways to achieve the same too.
And you can do this exact same sort of thing for the user that your agent runs as too, without having to give it access to do everything that root can.
I hope you see how this is less secure than a Docker container?
Giving users the ability to use apt with root privileges is pretty much game over security-wise. Full root is a malicious package away.
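Added example, not part of the thread and not any commenter's code: a shell check for the two grants discussed above that make a "dedicated" agent account root-equivalent, namely membership in the `docker` group and a sudo rule for the package manager. The function name `audit_agent_user`, the helper `write_sample`, and the sample users and files are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Audit an agent account for two root-equivalent grants.
# Assumed inputs: an /etc/group-format file and a flat sudoers-format file.

audit_agent_user() {
    local user="$1"
    local group_file="${2:-/etc/group}"
    local sudoers_file="${3:-/etc/sudoers}"
    local findings=""

    # docker group membership is root-equivalent: the daemon it controls runs as root.
    if awk -F: -v u="$user" '
        $1 == "docker" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) hit = 1 }
        END { exit !hit }' "$group_file"; then
        findings="docker-group"
    fi

    # A sudo rule for apt/apt-get/dpkg lets package maintainer scripts run as root.
    if awk -v u="$user" '$1 == u' "$sudoers_file" |
        grep -Eq '(^|[[:space:]/,])(apt|apt-get|dpkg)([[:space:],]|$)'; then
        findings="${findings:+$findings }sudo-package-manager"
    fi

    printf '%s\n' "${findings:-clean}"
}

# Constructed sample data (not from a real host).
write_sample() {
    printf '%s\n' 'sudo:x:27:alice' 'docker:x:998:alice,agent' > "$1/group"
    printf '%s\n' '# constructed sudoers' \
        'agent ALL=(root) NOPASSWD: /usr/bin/apt-get install *' \
        'builder ALL=(root) NOPASSWD: /usr/bin/systemctl restart app' > "$1/sudoers"
}

sample_dir=$(mktemp -d)
write_sample "$sample_dir"
for u in agent alice builder; do
    printf '%s: %s\n' "$u" "$(audit_agent_user "$u" "$sample_dir/group" "$sample_dir/sudoers")"
done
rm -rf "$sample_dir"
```

On a real host the sudoers check only covers rules that name the user directly; rules granted through groups or aliases need `sudo -l -U <user>` as well.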