undefined | Better HN

0 pointsX86BSD10y ago0 comments

My username gives away my bias however, I think you will find Jails and the work Joyent/Illumos have done with containers, to be actually engineered secure from the getgo. Linux, well, I think it's obvious the route Linux took. And none of their "container" solutions were ever designed with security as the starting point. It was always bolted on as an after thought.

Trust me people have been looking for kernel bugs in FreeBSD to exploit jails since it was created. The record their speaks for itself. It's not a lack of eyeballs.

0 comments

3 comments · 1 top-level

phaemon10y ago· 2 in thread

Jails are a powerful tool, but they are not a security panacea. While it is not possible for a jailed process to break out on its own, there are several ways in which an unprivileged user outside the jail can cooperate with a privileged user inside the jail to obtain elevated privileges in the host environment.

floatboth10y ago

Everyone says that, and that's right, but does that situation happen often? A typical "cloud" service like Heroku or Travis CI does NOT give you an unprivileged user outside the jail!

cyphar10y ago

Unless you consider someone who managed to break into a Heroku box but doesn't have root. They spin up a Heroku instance and now you have root. That's a security flaw.

j / k navigate · click thread line to collapse