Remix.run Logo
j-bos 2 hours ago

While I agree, containerization is awesome, on linux, you can just create a devUser and `sudo devUser theThing`

reactordev an hour ago | parent [-]

not the same thing. Containerization prevents devUser from accessing your machine root with its root. By containerizing, if devUser tries to sudo or su and gets a root, it will only be their root and not your root. Read up on cgroups.

progval an hour ago | parent | next [-]

Successful sudo from a cgroup still makes you root on the machine. What you want for this is user namespaces, not (just) cgroups.

reactordev 41 minutes ago | parent [-]

yes, you would setup namespace and unshare it once mounted to isolate the sandbox so root only sees the sandbox / and not your /

grosswait an hour ago | parent | prev [-]

Why would you allow devUser sudo?

reactordev 38 minutes ago | parent [-]

normally you wouldn't but there are some instances where a script or something requires sudo in which case you would need to namespace the cgroup and do a little more work to prevent escaping the sandbox. I can think of a few cases where sudo is required for cgroups/containers from the sandbox side so it can install services and things but ideally you would isolate everything to the devUser UID or GID.