How do i you decide whats safe to run

I recently ran Gossa on my home server using Docker, mounting it to a folder. Since I used rootless Docker, I was curious - if Gossa were to be a virus, would I have been infected? Have any of you had experience with Gossa?

  • MaggiWuerze@feddit.org
    link
    fedilink
    English
    arrow-up
    5
    ·
    4 months ago

    Honestly security is not the main reason I use containers, but ease of use. Docker (or containerization in general) makes it really easy to keep a clean host system when you regularly try out new services, there’s no baggage left behind when you remove a container and once you remove their mount/volume, you are usually rid of them pretty cleanly. Additionally it makes migration to new machines/distros way easier and less time consuming.

    I don’t rely on docker seperation to keep my machine safe, although I probably could

  • Lemongrab@lemmy.one
    link
    fedilink
    English
    arrow-up
    8
    arrow-down
    4
    ·
    4 months ago

    Idk how to decide what is safe or not, but as a warning, Docker containers can escape trivially and have access to the kernel.

    • just_another_person@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      3
      ·
      4 months ago

      This is not true. Perhaps on an already at-risk or exploitable machine, but even then it’s not trivial, and this is not a widespread thing that happens everywhere all the time

    • verstra@programming.dev
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 months ago

      Can you expand on this wild claim? The whole point of containers is isolation so what you are saying is that containers fail at that all the time?

      • Lemongrab@lemmy.one
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        4 months ago

        Docker/Podman and LXC linux containers share the same kernel with the host machine. Root in the container is root period (in the case of rootfull containers). Even without root, much of the data on your machine is readable from any user. With a exploit to escape the container (which are common) the malicious program has root on the machine. This is a known attack vector against linux containers. VMs are much better for isolating untrusted software from the host OS.

  • hperrin@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    4 months ago

    Nothing is safe to run unless you write it yourself. You just have to trust the source. Sometimes that’s easy, like Red Hat, and sometimes that’s hard. Sometimes it bites you in the ass, and sometimes it doesn’t.

    Docker is a good way to sandbox things, just be aware of the permissions and access you give a container. If you give it access to your network, that’s basically like letting the developer connect their computer to your wifi. It’s also not perfect, so again, you have to trust the source. Do some research, make sure they’re trustworthy.

    • Mora@pawb.social
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 months ago

      You just have to trust the source. Sometimes that’s easy, like Red Hat, and sometimes that’s hard.

      FTFY

  • j4k3@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    4 months ago

    Everything I run is behind a whitelist firewall on an external device largely for this reason, but also learning curiosity.

  • just_another_person@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    4 months ago

    Containers are isolated from the host by default. If you give a container a mount, it can only interact with the mount, but not the running host. If you further isolated and protected that mount, you would have been fine. Since you ran it as your unprivileged user, it’s one step safer from being able to hijack other parts of the machine, and if it was a “virus”, all it could do is write files to the mount and fill up your disk I guess, or drop a binary and hope you execute it.

    • asap@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      4 months ago

      Containers are isolated from the host by default.

      Are you certain about that? My understanding is that Docker containers are literally just processes running on the host (ideally rootless), but with no isolation in the way that VMs are isolated from the host.

      If you have some links for further reading it would be great, as I have been extremely cautious with my Docker usage so far.

      I haven’t found anything to refute this, but this post from 2017 states:

      In 2017 alone, 434 linux kernel exploits were found, and as you have seen in this post, kernel exploits can be devastating for containerized environments. This is because containers share the same kernel as the host, thus trusting the built-in protection mechanisms alone isn’t sufficient.

      If someone exploits a kernel bug inside a container, they exploited it on the host OS. If this exploit allows for code execution, it will be executed on the host OS, not inside the container.

      If this exploit allows for arbitrary memory access, the attacker can change or read any data for any other container.

      • Possibly linux@lemmy.zip
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 months ago

        The Linux kernel recently became a CVE numbering authority. That means that there are now tons of CVEs coming out but the overwhelming majority aren’t easily exploitable. They can be rated pretty high with no actual impact. Furthermore, a lot of them require a very specific setup with specific kernel components. It is best to look at the exploitablity score and the recommended CISA actions.

  • chameleon@fedia.io
    link
    fedilink
    arrow-up
    2
    ·
    4 months ago

    Personally, I do believe that rootless Docker/Podman have a strong enough security boundary for personal/individual self-hosting where you have decent trust in the software you’re running. Linux privilege escalation and container escape exploits fetch decent amounts of money on the exploit market, and nobody’s gonna waste them on some people running software ending in *arr when Zerodium will pay five figures for a local privilege escalation or container escape. If you’re running a business or you might be targeted for whatever reason (journalist or whatever) then that doesn’t apply.

    If you want more security, there are container runtimes that do cooler security stuff under the hood, like Firecracker/Kata Containers implementing a managed VM, or Google’s gVisor which very strongly intercepts kernel syscalls and essentially reimplements Linux in userspace. Those are used by AWS and Google Cloud respectively. You can integrate those into Docker, though not all networking/etc options are supported.

    • miau@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      1
      ·
      4 months ago

      I dont get the downvotes. If op is into containers and security, podman sure is worth considering.

  • exu@feditown.com
    link
    fedilink
    English
    arrow-up
    2
    ·
    4 months ago

    Even without escaping the container a lot of stuff can be done. Maybe the program includes a cryptominer or acts as a node in a botnet.

    There’s no way to be sure unless you verify the source yourself.