[Discuss] sandboxing web browsers

Tom Metro tmetro+blu at gmail.com
Sun Jun 21 15:23:24 EDT 2015


Richard Pieri wrote:
> Which in fact /reduces/ overall system security. Starting a Docker
> container requires root.

It's no worse than the previously mentioned solution that required sudo
to switch to a dedicated browser user. If you are running a shared
system (neither of these solutions is likely the right fit), and you
don't want the regular user to be in the privileged 'docker' group, then
use a SetUID script (or sudo rule) that is restricted to launching the
specific container.


> That's not even beginning to touch on the problems with updating the
> browsers. Because one doesn't update applications in a Docker container;
> one updates the whole container.

That's the recommended philosophy for using Docker in production
environments, but Docker also works perfectly well in a copy-on-change
model, just like a VM. Update the browser in-situ. (You can save the
state of the container if you want to be able to instantiate (or share)
clones of the updated container image.)

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
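
A worked version of the restricted sudo rule described above, added here as an example and not part of Tom's post. It uses a sudo rule rather than a SetUID script (Linux ignores the setuid bit on interpreted scripts), and assumes the user name "alice", the image "browser-sandbox:latest", the container name "browser" and the script path /usr/local/sbin/launch-browser.

```shell
#!/bin/sh
# Added example (not from the original thread): a fixed-purpose wrapper that a
# sudo rule exposes so an unprivileged user can start one specific container
# without being a member of the docker group. Assumed names: user "alice",
# image "browser-sandbox:latest", container "browser", installed path
# /usr/local/sbin/launch-browser.
#
# Matching sudoers rule (install with visudo, e.g. into /etc/sudoers.d/browser):
#   alice ALL=(root) NOPASSWD: /usr/local/sbin/launch-browser ""
# The trailing "" tells sudo to permit the command only with no arguments, so
# the caller cannot add a different image, a bind mount or --privileged.

CONTAINER_NAME="browser"
ALLOWED_IMAGE="browser-sandbox:latest"

# Defence in depth: refuse arguments even if the sudoers rule is loosened later.
check_args() {
    [ "$#" -eq 0 ]
}

# The docker options are fixed here, one per line; the caller never chooses them.
docker_args() {
    printf '%s\n' "run" "--rm" "--name" "$CONTAINER_NAME" \
        "--cap-drop=ALL" "--security-opt=no-new-privileges" "$ALLOWED_IMAGE"
}

launch() {
    if ! check_args "$@"; then
        echo "usage: launch-browser (takes no arguments)" >&2
        return 2
    fi
    # Absolute path: do not trust a PATH inherited through sudo.
    docker_args | xargs /usr/bin/docker
}

# Run only when executed under the installed name; when sourced or run under
# another name, just define the functions.
case "${0##*/}" in
    launch-browser) launch "$@" ;;
esac
```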
