If we all lived in a fairy tale, sure, sandboxes are preferable. In this case, to avoid the bug, every ssh server in the world would need a per-user tmpfs. Ideally, that would indeed be neat; short term it's not realistic. For the iTerm2 case of an ssh client, an admin may also need to inspect the actual /tmp when debugging the server and then need to bypass the sandbox. A sandbox will never have the perfect granularity for every scenario. So we can't just throw our hands in the air and say "not my problem"; alternative forms of verification are needed.
Besides, how do you test or review your sandbox and its configuration? Both are still needed.
Incidentally, k8s works a bit like this, with no default shared tmpfs across containers. So such large-scale production deployments are more protected against this type of issue. On the other hand, for debugging, as you would with ssh, it hardly has a concept of users at all, and has lots of other ways to shoot yourself in the foot :)