How do i you decide whats safe to run

I recently ran Gossa on my home server using Docker, mounting it to a folder. Since I used rootless Docker, I was curious - if Gossa were to be a virus, would I have been infected? Have any of you had experience with Gossa?

  • kevincox
    link
    fedilink
    English
    arrow-up
    1
    ·
    5 months ago

    hypervisors get escape vulnerabilities every now and then

    Yes, they do. That is why separate hardware is the best solution. But much like going from containers to VMs the extra isolation has costs. But most modern hypervisors are relatively simple and well tested, the security of huge cloud platforms like AWS and GCP are dependant on them. So if I was running a nuclear power plant I absolutely would not trust a VM boundary, but if I am running some shitty home server there are millions of more valuable VMs running in public cloud providers that will likely be attacked first.

    is a good security boundary.

    “Good” will always depend on your use case. In many cases isolation against bugs and simple malicious behaviour like uploading /etc/shadow somewhere are good enough. In most organizations containers are good enough for running separate applications on the same machine as they are “mostly trusted”. In fact for my home server I run lots of applications as different users and I am fine with that level of security.

    If I was letting untrusted people upload and run arbitrary code I would definitely not be ok with that level of isolation.

    The original question was “if Gossa were to be a virus, would I have been infected?” Good security habit is to assume the worst. If I knew that one container or user on my machine was running malicious code I would absolutely assume the worst by default. I would wipe and re-install that machine unless I had strong reason to know that the malware didn’t attempt any privilege escalation.