
just_another_person (edited)

Containers are isolated from the host by default. If you give a container a mount, it can only interact with the mount, but not the running host. If you further isolated and protected that mount, you would have been fine. Since you ran it as your unprivileged user, it’s one step safer from being able to hijack other parts of the machine, and if it was a “virus”, all it could do is write files to the mount and fill up your disk I guess, or drop a binary and hope you execute it.

asap (edited)

Containers are isolated from the host by default.

Are you certain about that? My understanding is that Docker containers are literally just processes running on the host (ideally rootless), but with no isolation in the way that VMs are isolated from the host.

If you have some links for further reading it would be great, as I have been extremely cautious with my Docker usage so far.

I haven’t found anything to refute this, but this post from 2017 states:

In 2017 alone, 434 linux kernel exploits were found, and as you have seen in this post, kernel exploits can be devastating for containerized environments. This is because containers share the same kernel as the host, thus trusting the built-in protection mechanisms alone isn’t sufficient.

If someone exploits a kernel bug inside a container, they exploited it on the host OS. If this exploit allows for code execution, it will be executed on the host OS, not inside the container.

If this exploit allows for arbitrary memory access, the attacker can change or read any data for any other container.
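Whether "containers are isolated" is true depends almost entirely on how the container was started, which is the thread's real disagreement: a container run as an unprivileged user with one bind mount (just_another_person's case above) and a container run with `--privileged` or the Docker socket mounted are very different things, and the kernel is shared in both cases (asap's point), so seccomp and capability settings decide how much kernel surface a process inside can reach. The following audit script is an added example, not code posted by anyone in the thread. It reads the JSON that `docker inspect <container>` prints and flags the settings that weaken host isolation. The field names (`HostConfig.Privileged`, `HostConfig.PidMode`, `HostConfig.CapAdd`, `HostConfig.SecurityOpt`, `Mounts`, `Config.User`) are the ones `docker inspect` emits; the two sample records, the list of sensitive host paths and the capability list are this example's own constructed choices.

```python
"""Audit `docker inspect` output for settings that weaken host isolation.

Added example for this thread, not code posted by any participant.
It parses the JSON that `docker inspect <container>` prints and flags
the run-time choices that decide how much of the host a container can
reach: privileged mode, shared host namespaces, added capabilities,
disabled seccomp/AppArmor, bind mounts of sensitive host paths, and
running as root inside the container.
"""
import json

# Host paths that, bind-mounted into a container, give it a route onto the
# host (the Docker socket is effectively root on the host). The list is
# this example's own choice, not a Docker default.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/proc", "/sys",
                        "/dev", "/var/run/docker.sock", "/run/docker.sock",
                        "/var/lib/docker")

# Capabilities that let a process out of its namespaces or into the kernel.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                  "SYS_RAWIO", "DAC_READ_SEARCH", "NET_ADMIN"}


def path_is_sensitive(host_path):
    """True if host_path is one of the sensitive paths or lies under one."""
    path = host_path.rstrip("/") or "/"
    for sensitive in SENSITIVE_HOST_PATHS:
        if path == sensitive or (sensitive != "/" and path.startswith(sensitive + "/")):
            return True
    return False


def audit_container(record):
    """Return a list of findings for one `docker inspect` record (a dict).

    Field names (HostConfig.Privileged, HostConfig.PidMode, ...) are the
    ones `docker inspect` emits; null lists are normalised to empty.
    """
    findings = []
    host = record.get("HostConfig") or {}
    config = record.get("Config") or {}

    if host.get("Privileged"):
        findings.append("privileged: all capabilities, all host devices, "
                        "no seccomp or AppArmor profile")
    for field, flag in (("PidMode", "pid"), ("NetworkMode", "net"), ("IpcMode", "ipc")):
        if host.get(field) == "host":
            findings.append(f"--{flag}=host: shares the host's {flag} namespace")
    for cap in host.get("CapAdd") or []:
        name = cap.upper()
        name = name[4:] if name.startswith("CAP_") else name
        if name in DANGEROUS_CAPS:
            findings.append(f"--cap-add {name}: capability that can reach the host")
    for opt in host.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(f"--security-opt {opt}: larger kernel attack surface")
    for mount in record.get("Mounts") or []:
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and path_is_sensitive(src):
            mode = "rw" if mount.get("RW", True) else "ro"
            findings.append(f"bind mount {src} -> {mount.get('Destination')} "
                            f"({mode}): exposes a sensitive host path")
    user = str(config.get("User") or "")
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("runs as root in the container: a breakout is root on "
                        "the host unless the daemon itself is rootless")
    return findings


def audit_inspect_output(text):
    """Map container name -> findings for the JSON array `docker inspect` prints."""
    return {rec.get("Name", "?").lstrip("/"): audit_container(rec)
            for rec in json.loads(text)}


# Constructed sample, trimmed to the fields the audit reads. "careful" is run
# as an unprivileged user with one data mount, as in the thread; "risky" is
# the kind of container that really can reach the host.
SAMPLE_INSPECT = """[
  {"Name": "/careful",
   "Config": {"User": "1000:1000"},
   "HostConfig": {"Privileged": false, "PidMode": "", "NetworkMode": "bridge",
                  "IpcMode": "private", "CapAdd": null, "CapDrop": ["ALL"],
                  "SecurityOpt": null},
   "Mounts": [{"Type": "bind", "Source": "/srv/app/data",
               "Destination": "/data", "RW": true}]},
  {"Name": "/risky",
   "Config": {"User": ""},
   "HostConfig": {"Privileged": true, "PidMode": "host", "NetworkMode": "bridge",
                  "IpcMode": "private", "CapAdd": ["SYS_ADMIN"],
                  "CapDrop": null, "SecurityOpt": ["seccomp=unconfined"]},
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock", "RW": true},
              {"Type": "volume", "Source": "/var/lib/docker/volumes/db/_data",
               "Destination": "/var/lib/db", "RW": true}]}
]"""

if __name__ == "__main__":
    # On a real host: docker inspect $(docker ps -q) | python3 audit.py
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(f"{name}: {'ok' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

On the sample, "careful" produces no findings and "risky" produces six. Note what the script cannot see: whether the daemon is rootless (check `docker info`), and kernel bugs, which no run-time flag fixes because the kernel is shared; the seccomp and capability checks only narrow the syscall surface an attacker inside the container can reach.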

Lemongrab

Idk how to decide what is safe or not, but as a warning, Docker containers can escape trivially and have access to the kernel.

just_another_person

This is not true. Perhaps on an already at-risk or exploitable machine, but even then it’s not trivial, and this is not a widespread thing that happens everywhere all the time.

verstra

Can you expand on this wild claim? The whole point of containers is isolation so what you are saying is that containers fail at that all the time?

asap

They might be talking about posts like this (which I would love to have refuted, as this kind of info has so far kept me from using Docker significantly):

security.stackexchange.com/a/169649

j4k3

Everything I run is behind a whitelist firewall on an external device largely for this reason, but also learning curiosity.
