Oops -- A developer whose app needs to run as root (for a well-documented reason... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		01HNNWZ0MV43FF on Sept 4, 2024 \| parent \| context \| favorite \| on: The Insecurity of Debian Oops -- A developer whose app needs to run as root (for a well-documented reason, and with a tight systemd sandbox hiding most of the filesystem from it)

NewJazz on Sept 4, 2024 [–]

If it is running as root, can't it just manipulate its mount namespace at will? Mount devtmpfs, then mount user partitions.

hackernudes on Sept 4, 2024 | | [–]

I believe one can use "capabilities" and seccomp to lock down a superuser process.

superb_dev on Sept 4, 2024 | | [–]

Systemd can put it in its own namespaces, like a container

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact