How do i you decide whats safe to run

I recently ran Gossa on my home server using Docker, mounting it to a folder. Since I used rootless Docker, I was curious - if Gossa were to be a virus, would I have been infected? Have any of you had experience with Gossa?

  • kevincox
    link
    fedilink
    English
    arrow-up
    5
    ·
    5 months ago

    I never said it was trivial to escape, I just said it wasn’t a strong security boundary. Nothing is black and white. Docker isn’t going to stop a resourceful attacker but you may not need to worry about attackers who are going to spend >$100k on a 0-day vulnerability.

    The Linux kernel isn’t easy to exploit as if it was it wouldn’t be used so heavily in security sensitive environments

    If any “security sensitive” environment is relying on Linux kernel isolation I don’t think they are taking their sensitivity very seriously. The most security sensitive environments I am aware of doing this are shared hosting providers. Personally I wouldn’t rely on them to host anything particularly sensitive. But everyone’s risk tolerance is different.

    use podman with a dedicated user for sandboxing

    This is only every so slightly better. Users have existed in the kernel for a very long time so may be harder to find bugs in but at the end of the day the Linux kernel is just too complex to provide strong isolation.

    There isn’t any way to break out of a properly configured docker container right now but if there were it would mean that an attacker has root

    I would bet $1k that within 5 years we find out that this is false. Obviously all of the publicly known vulnerabilities have been patched. But more are found all of the time. For hobbyist use this is probably fine, but you should acknowledge the risk. There are almost certainly full kernel-privilege code execution vulnerabilities in the current Linux kernel, and it is very likely that at least one of these is privately known.

    • loudwhisper@infosec.pub
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      Also hypervisors get escape vulnerabilities every now and then. I would say that in a realistic scale of difficulty of escape, a good container (doesn’t matter if using Docker or something else) is a good security boundary.

      If this is not the case, I wonder what your scale extremes are.

      A good container has very little attack surface, since it can have almost no code or tools available, a read-only fs, no user privileges or capabilities whatsoever and possibly even a syscall filter. Sure, the kernel is the same but then the only alternative is to split that per application VMs-like) and you move the problem to hypervisors.

      In the context of this asked question, I think the gains from reducing the attack surface are completely outweighed from the loss in functionality and waste of resources.

      • kevincox
        link
        fedilink
        English
        arrow-up
        1
        ·
        5 months ago

        hypervisors get escape vulnerabilities every now and then

        Yes, they do. That is why separate hardware is the best solution. But much like going from containers to VMs the extra isolation has costs. But most modern hypervisors are relatively simple and well tested, the security of huge cloud platforms like AWS and GCP are dependant on them. So if I was running a nuclear power plant I absolutely would not trust a VM boundary, but if I am running some shitty home server there are millions of more valuable VMs running in public cloud providers that will likely be attacked first.

        is a good security boundary.

        “Good” will always depend on your use case. In many cases isolation against bugs and simple malicious behaviour like uploading /etc/shadow somewhere are good enough. In most organizations containers are good enough for running separate applications on the same machine as they are “mostly trusted”. In fact for my home server I run lots of applications as different users and I am fine with that level of security.

        If I was letting untrusted people upload and run arbitrary code I would definitely not be ok with that level of isolation.

        The original question was “if Gossa were to be a virus, would I have been infected?” Good security habit is to assume the worst. If I knew that one container or user on my machine was running malicious code I would absolutely assume the worst by default. I would wipe and re-install that machine unless I had strong reason to know that the malware didn’t attempt any privilege escalation.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      5 months ago

      I think speculation is generally a bad security practice. What you need is least privilege and security in depth. At some point you need to trust something somewhere. Kernel level exploits are very rare