Hacker News new | past | comments | ask | show | jobs | submit login

su "limited account" -c "questionable binary"?



A large value of app sandboxes are easy but controlled ways to allow exceptions. E.g.: an app can ask the sandbox for file access, the sandbox then prompts the user to select a file and only that file is then exposed to the app.

Or even giving global access to functionality from a manifest file, without having to set up a restricted user/environment manually. (I wouldn't know without looking it up how to set up a linux user account that can't talk to the network. Or even better, only can talk to some part of the network.)


Reminds me of a friend of mine that when provided with a manual for how to do something "that's too complicated, please do it for me".

Meaning that "containers" just becomes a wrapper for things that can already be done, if one just learn to do it rather than pointing and drooling (as someone once referred to the GUI as).


Who needs restricted user permissions, you can just review the machine code of all your executables before running them ;)


har har har...


Doing it for the humans is exactly the raison d'etre of software.


Yes and no. The problem is that the magic word "container" obscured what is actually being done (cgroups, namespaces, iptables, etc etc etc).

Its one more thing that result in confusion between user and computer about the state of the machine.


It's a bit extreme, if you follow your logic why even bother with an OS ?!


I prefer to encode my bits on the disk with a needle and magnet, thank you very much...




Consider applying for YC's first-ever Fall batch! Applications are open till Aug 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: