Does running applications inside a container as an unprivileged user have any security benefits? - eviltoast

I’m new to the container world. Does it have any security benefits when I run my applications as a non-root user in a docker container? And how about Podman? There I’ll run the container as an unprivileged user anyway. Would changing the user in the container achieve anything?

  • sudneo@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    ·
    1 year ago

    Not really true, containers are based on namespaces which have always been also a security feature. Chroot has been a common “system” technique, afterall.

    Containers help security if built properly, and it’s easier to build a container securely (and run them), compared to proper SystemD unit security.

    • ck_@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      8
      ·
      edit-2
      1 year ago

      containers are based on namespaces which have always been also a security feature.

      Incorrect.

      Chroot has been a common “system” technique, afterall.

      Incorrect.

      • sudneo@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        1 year ago

        OK :)

        So chroot has not been used to isolate processes for decades to a confined view of the filesystem (especially in combo with a restricted shell), and for example the networking namespace is not used to limit the impact on a compromise on the firewall, the user namespace is not used to allow privileged processes to run de-facto unprivileged.

        Whatever you say

        EDIT: Actually, if you are really convinced of what you are saying we can do the following experiment:

        • We spin up a VPS and run a web application with a RCE with a Systemd unit and run the same web app in a scratch container running under an unprivileged user

        Then we can compare the kind of impact that using containers to wrap applications has on the security of the system. My guess, even with a full RCE you will not be able to escape the container.

        Half-jokes aside, my stance is that isolation (namespacing and cgroups) allows to greatly reduce the attack surface and contain the blast radius of a compromise, which are security benefits. You can easily have a container with no shell, no binaries at all, no writable paths, read-only filesystem etc. You can do at least some of those things even in a regular Linux box of course, but it is much more uncommon, much harder, much less convenient (for example, no writeable /tmp is going to break a lot of stuff), much more error prone, etc.

        Your stance i.e.:

        running things inside of a container does not provide any security benefits as opposed to outside of the container

        is way too absolute, imo.