Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

A root user inside the container can cause more havoc inside the container. One issue is that you might have sensitive data accessible from within inside the container. A hacker replacing system binaries inside the container might also affect how your application inside the container runs, a read-only user makes this much more difficult.

You can't assume all containers have same access and trust-level as a user because at some point you also have to process your requests and store your data - and that processing is most likely also be done in another container (even if your actual data-volume is mounted outside the container). For such containers same security measures as for a physicial machine applies.



Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: