← Back to context

Comment by j-bos

14 hours ago

While I agree, containerization is awesome, on linux, you can just create a devUser and `sudo devUser theThing`

not the same thing. Containerization prevents devUser from accessing your machine root with its root. By containerizing, if devUser tries to sudo or su and gets a root, it will only be their root and not your root. Read up on cgroups.

  • Successful sudo from a cgroup still makes you root on the machine. What you want for this is user namespaces, not (just) cgroups.

    • yes, you would setup namespace and unshare it once mounted to isolate the sandbox so root only sees the sandbox / and not your /

  • Why would you allow devUser sudo?

    • normally you wouldn't but there are some instances where a script or something requires sudo in which case you would need to namespace the cgroup and do a little more work to prevent escaping the sandbox. I can think of a few cases where sudo is required for cgroups/containers from the sandbox side so it can install services and things but ideally you would isolate everything to the devUser UID or GID.