Comment by reactordev
12 hours ago
not the same thing. Containerization prevents devUser from accessing your machine root with its root. By containerizing, if devUser tries to sudo or su and gets a root, it will only be their root and not your root. Read up on cgroups.
Successful sudo from a cgroup still makes you root on the machine. What you want for this is user namespaces, not (just) cgroups.
yes, you would setup namespace and unshare it once mounted to isolate the sandbox so root only sees the sandbox / and not your /
Why would you allow devUser sudo?
normally you wouldn't but there are some instances where a script or something requires sudo in which case you would need to namespace the cgroup and do a little more work to prevent escaping the sandbox. I can think of a few cases where sudo is required for cgroups/containers from the sandbox side so it can install services and things but ideally you would isolate everything to the devUser UID or GID.