Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive



[Discuss] sandboxing web browsers



Richard Pieri wrote:
> Which in fact /reduces/ overall system security. Starting a Docker
> container requires root.

It's no worse than the previously mentioned solution that required sudo
to switch to a dedicated browser user. If you are running a shared
system (neither of these solutions is likely the right fit), and you
don't want the regular user to be in the privileged 'docker' group, then
use a SetUID script (or sudo rule) that is restricted to launching the
specific container.


> That's not even beginning to touch on the problems with updating the
> browsers. Because one doesn't update applications in a Docker container;
> one updates the whole container.

That's the recommended philosophy for using Docker in production
environments, but Docker also works perfectly well in a copy-on-change
model, just like a VM. Update the browser in-situ. (You can save the
state of the container if you want to be able to instantiate (or share)
clones of the updated container image.)

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
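
Added example, not part of Tom Metro's message: one way to write the sudo-rule option mentioned above, as a root-owned wrapper that starts exactly one container and lets no caller-supplied option reach docker. The user name `alice`, the path `/usr/local/sbin/launch-browser`, the image `local/browser:latest`, the docker path and the chosen `docker run` options are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed names: user "alice",
# /usr/local/sbin/launch-browser, image "local/browser:latest".
#
# sudoers rule (install with: visudo -f /etc/sudoers.d/launch-browser).
# The trailing "" makes sudo refuse any command-line arguments:
#   alice ALL=(root) NOPASSWD: /usr/local/sbin/launch-browser ""
#
# This script must be owned by root and writable by nobody else.

DOCKER=/usr/bin/docker            # absolute path, never resolved via PATH
IMAGE=local/browser:latest        # the one image this rule may start

# Accept only a local X display such as ":0" or ":12". DISPLAY is the single
# caller-influenced value that reaches docker, so it is pattern-checked.
valid_display() {
    case "$1" in
        :[0-9]|:[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

launch() {
    # Defence in depth: refuse arguments even if the sudoers rule is loosened.
    [ "$#" -eq 0 ] || { echo "launch-browser: no arguments allowed" >&2; return 64; }

    disp=${DISPLAY:-:0}
    valid_display "$disp" || { echo "launch-browser: bad DISPLAY" >&2; return 65; }

    PATH=/usr/bin:/bin; export PATH

    # Fixed command line: image, mounts and privileges are not caller-chosen.
    exec "$DOCKER" run --rm \
        --cap-drop=ALL --security-opt=no-new-privileges \
        -e "DISPLAY=$disp" -v /tmp/.X11-unix:/tmp/.X11-unix:ro \
        "$IMAGE"
}

# Run only when installed under its real name, so the file stays sourceable.
if [ "${0##*/}" = "launch-browser" ]; then launch "$@"; fi
```

With this rule in place the regular user runs `sudo /usr/local/sbin/launch-browser` and does not need to be in the `docker` group.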



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org