|
| ▲ | oytis 6 hours ago | parent | next [-] |
| Rather, why do people still run agents as their own user. IMO, agent sessions should at least be containerised with just necessary code mounted. |
| |
| ▲ | ssl-3 6 hours ago | parent | next [-] | | Safety and simplicity are concepts that often won't get along very well with eachother. | | |
| ▲ | SoftTalker 5 hours ago | parent [-] | | And containers were initially and primarily about convenience not security. They were a way to quickly launch a preconfigured environment to respond to demand or to eliminate the need to manualy configure dev and test environments and avoid the "works on my machine" phenomenon. |
| |
| ▲ | throwaway613746 6 hours ago | parent | prev [-] | | People will more often than not, take the path of least resistance. Even if you tell them it's dangerous they will not care. People run this stuff on their primary workstation, unconfined, with permissions disabled because they don't want be bothered with accepting permission requests. This is all well and good until it decides to drop your production database or delete your home directory. Most of them don't even learn their lesson after that even. |
|
|
| ▲ | unglaublich 6 hours ago | parent | prev | next [-] |
| Convenience. Want to run `docker run ...` without password, want IDEs and agents to be able to run containers... |
| |
| ▲ | awoimbee 6 hours ago | parent | next [-] | | Use podman then, or rootless docker if you can make it work | |
| ▲ | tempest_ 6 hours ago | parent | prev [-] | | For most CRUD apps running in docker its enough to just tell the "agent" to use podman. |
|
|
| ▲ | jon-wood 5 hours ago | parent | prev | next [-] |
| Because it effectively makes no difference to my security posture. My user account also has sudo access (it requests TouchID but I also wouldn't die on the hill if someone said they have no password sudo access), and realistically everything of value on this machine exists in my home directory. Being able to escalate to root really doesn't give an attacker very much that they don't already have if they've got access to my user account. |
|
| ▲ | alephnerd 6 hours ago | parent | prev [-] |
| Becuase a lot of devs don't know this stuff. There's a reason security engineers (as in SWEs who specialize in securing specific attack surfaces) remain in hot demand. |
| |
| ▲ | H4lcyon an hour ago | parent [-] | | Security engineer here :) Just a little side note, docker is also very often useful for evading EDR/XDR/etc. Want to talk to a domain controller with something like impacket but your EDR kills it? Try a container. |
|
