Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil.
-
No spam.
-
Posts are to be related to self-hosting.
-
Don't duplicate the full text of your blog or readme if you're providing a link.
-
Submission headline should match the article title.
-
No trolling.
-
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.
-
AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
Because a container is only as isolated from the host as you want it to be.
Suppose you run a container and mount the entire filesystem into it. If that container is running as root, it can then read and write anything it likes (including password databases and /etc/sudo)
So what? If I mount / in the container and choose to run it as root that's my business. Why would the containerization engine second-guess what I'm doing?
How would you like it if sudo told you "I can't let you be root, you could read and write anything you like, including password databases and /etc/sudo"?
Nothing to stop running podman containers with full root access by creating & running them as root, you run them as whatever user you want. I've done it to troubleshoot containers on more than one occasion, usually when I want to play with VPN or privileged ports but too lazy to do it proper. The end goal for a lot of ppl, including myself, is to run as many things as non-root as possible. Why? Best practices around security have you give a service the minimal access & resources it needs to do it's tasks. Some people allow traffic from the internet to their containers & they probably feel a little bit safer running those programs as non-root since it can create an extra layer that may need to be broken to fully compromise a system.
The point is to minimize privilege to the least possible - not to make it impossible to create higher privileged containers. If a container doesn't need to get direct raw hardware access, manage low ports on the host network, etc. then why should I give it root and let it be able to do those things? Mapping it to a user, controlling what resources it has access to, and restricting it's capabilities means that in the event that my container gets compromised, my entire host isn't necessarily screwed.
We're not saying "sudo shouldn't be able to run as root" but that "by default things shouldn't be run with sudo - and you need a compelling reason to swap over when you do"