On 6/22/2015 12:19 PM, John Abreau wrote:
The fact that an incompetent buffoon can misuse a tool to create badly
designed software does not mean that it's impossible for a skilled
programmer to use the tool correctly to create well-designed software.
Agreed.
But what I've been seeing from
So your point is that some developers create piss-poor Docker deployments,
and therefore Docker is a piece of shit? That logic could be applied to
any development system. I've seen plenty of piss-poor coding done in perl,
python, C, Fortran, and every other language I've ever reviewed.
That
On 6/21/2015 10:38 PM, Tom Metro wrote:
The Docker daemon runs as root. If the non-privileged user starting FF
is put in the docker group and allowed to start any container, then yes,
they have root. If instead a SetUID script or sudo rule is used to
launch a specific container, which does not
On 6/21/2015 12:59 PM, Tom Metro wrote:
How about running FF in a Docker container, so not only do you get the
privilege isolation from the different user, but also process isolation
and file system isolation. It would be the next best thing to running it
in a full VM, yet without the overhead.
Mike Small wrote:
What about creating a second, less privileged user for running firefox...
How about running FF in a Docker container, so not only do you get the
privilege isolation from the different user, but also process isolation
and file system isolation. It would be the next best thing to
Richard Pieri wrote:
Tom Metro wrote:
It's no worse than the previously mentioned solution that required sudo
to switch to a dedicated browser user. If you are running a shared
Docker is sudo root. Dedicated Firefox user is sudo !root.
That's a huge difference.
The Docker daemon runs as
Richard Pieri wrote:
Which in fact /reduces/ overall system security. Starting a Docker
container requires root.
It's no worse than the previously mentioned solution that required sudo
to switch to a dedicated browser user. If you are running a shared
system (neither of these solutions are
On 6/21/2015 3:23 PM, Tom Metro wrote:
It's no worse than the previously mentioned solution that required sudo
to switch to a dedicated browser user. If you are running a shared
Docker is sudo root. Dedicated Firefox user is sudo !root.
That's a huge difference.
That's the recommended