[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Login to a guix container
From: |
Ricardo Wurmus |
Subject: |
Re: Login to a guix container |
Date: |
Mon, 25 Jan 2021 08:29:32 +0100 |
User-agent: |
mu4e 1.4.13; emacs 27.1 |
Ryan Prior <ryanprior@hey.com> writes:
> On January 24, 2021, Pjotr Prins <pjotr.public12@thebird.nl> wrote:
>> I was just thinking that it should be possible to login with ssh into
>> a GNU Guix shell running in a container that gets fired up by the
>> sshd. I am thinking about a safe shell for fetching files. If this
>> works no chroot setup is required.
>>
>> Or is this a really dumb idea :)
>
> I haven't seen any serious audit investigating security properties of
> Guix containers. I do not think it's dumb to try this as an experiment,
> but I do think it would be malpractice to trust user data with this
> system before appropriately thorough evaluation.
In your requirements for an audit, how does a “Guix container” differ
from a “Linux container”? Guix uses the kernel features like cloning
namespaces and unsharing the filesystem directly. It merely mounts
individual store locations into the filesystem namespace.
“Malpractice” is a very big word for using user namespaces instead of
chroot without a “serious audit”.
--
Ricardo