
Processes already should be running as different uids so they can't actually do anything to each other, so not being in the same namespace makes no real difference. There is slightly better information hiding, you can't see command lines of other processes and other info from /proc, but no "significant" enhancement.


I disagree (or I'm misinformed). They aren't just unable to see other processes, they also don't see anything of the host system: the filesystem, ethernet adapters, memory usage, cpu usage, etc. Namespaces can hide a lot of information as far as I know.


The OP was asking about process isolation in particular. You still get to see memory usage and CPU usage globally. Not being able to see the host filesystem is not a huge security benefit, again your pid should not have any significant access anyway, so this should not be a security enhancement.


>Not being able to see the host filesystem is not a huge security benefit, again your pid should not have any significant access anyway, so this should not be a security enhancement.

Nope, it very much is. The fact that "your pid should not have any significant access anyway" doesn't mean that having that made certain and very easy by namespacing is not a security enhancement.

Perhaps you mean something else by "security enhancement" compared to what others here mean. You seem to mean: "extra security that couldn't be achieved by totally finely tuned apps running on the host with all the proper pids and permissions".

Whereas by "security enhancement" people mean: "achieving the same level of security of finely tuned apps running on the host with all the proper pids and permissions with much better EASE, and without having to repeat the whole fine tuning for each new app I add".


The point is, nice as it may be, it's still pretty new, and not specifically a security product. It's not appropriate to rely on it as a significant part of your security plan for your business.

But still, layers and all that.


Remind me never to use any service you ever create.


>Processes already should be running as different uids

Docker makes that way easier.

If I want 3 instances of nginx running for different projects, I don't really want to set up 3 nginx users (nginx1, nginx2, nginx3).

With Docker, I just start the container and it's isolated from everything else.


In Unix & Linux, you don't need to set up users, you can just run the processes under different uids (most process managers support this). Adding a user to /etc/passwd is only needed if you want them to have a username and password.


I had no idea this was possible - googling "process under different uid" doesn't yield anything obvious. Any hints on how to do this on a standard Linux command prompt?


This is one way:

    # sudo -u "#10000" -g "#10000" id
    uid=10000 gid=10000 groups=10000
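
The same thing done from a launcher instead of `sudo`, with a check that the drop left nothing behind. This is an added example, not part of the thread: uid/gid 10000 come from the command above, while the function names and the sample `/proc/<pid>/status` text are constructed, and `run_as` assumes Python 3.9+ running as root.

```python
import os
import subprocess

# Constructed /proc/<pid>/status excerpts (Uid/Gid columns: real, effective, saved, fs).
GOOD = "Name:\tnginx\nUid:\t10000\t10000\t10000\t10000\nGid:\t10000\t10000\t10000\t10000\nGroups:\t\n"
SAVED_ROOT = GOOD.replace("Uid:\t10000\t10000\t10000", "Uid:\t10000\t10000\t0")
KEPT_GROUPS = GOOD.replace("Groups:\t", "Groups:\t0 4 27")


def run_as(uid, gid, argv):
    """Run argv under a bare numeric uid/gid; no /etc/passwd entry is needed.

    Needs root. Before exec, the child clears supplementary groups, then
    sets the gid, then the uid (the order matters: uid must go last).
    """
    if uid == 0 or gid == 0:
        raise ValueError("refusing to 'drop' to uid/gid 0")
    done = subprocess.run(
        argv, user=uid, group=gid, extra_groups=[],
        env={"PATH": "/usr/bin:/bin"},  # do not hand root's environment to the child
        capture_output=True, text=True, check=True,
    )
    return done.stdout


def drop_is_complete(status_text, uid, gid):
    """True if all four uids and gids equal the target and no other
    supplementary groups were inherited from the parent."""
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    return (fields.get("Uid") == [str(uid)] * 4
            and fields.get("Gid") == [str(gid)] * 4
            and fields.get("Groups") in ([], [str(gid)]))


if __name__ == "__main__":
    if os.geteuid() == 0:
        status = run_as(10000, 10000, ["cat", "/proc/self/status"])
        print("live drop complete:", drop_is_complete(status, 10000, 10000))
    for name, text in [("good", GOOD), ("saved uid 0", SAVED_ROOT),
                       ("inherited groups", KEPT_GROUPS)]:
        print(name, "->", drop_is_complete(text, 10000, 10000))
```

A process that still has saved uid 0 or root's supplementary groups is not really isolated from other uids, which is why the check looks at all four id columns and the `Groups` line rather than only the effective uid.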


"I had no idea this was possible - googling "process under different uid" doesn't yield anything obvious."

I am looking at the name of this website and I see that this website is named "hacker news".


>I am looking at the name of this website and I see that this website is named "hacker news"

As in "hackers"? People, that is, from all ages, that weren't necessarily born knowing everything, and are not afraid to ask around when they don't know how to do something?

If so, then this is the wrong website for this kind of snark.


So unimpressed with this arrogant, insecure behavior. See someone learning something, slap them down.


It's not so hard. I do this myself, I just ran:

    adduser one; adduser two; adduser three

I have about ten UIDs all running their own chrooted copy of thttpd, and then I have a nodejs proxy to route incoming traffic to each instance (which listens on localhost:XXX - where XXX is the UID of the user for neatness).



