subuser 0.6.1-3 / usr / share / doc / subuser / html / security.html

This file is indexed.

/usr/share/doc/subuser/html/security.html is in subuser 0.6.1-3.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
  <meta charset="utf-8">
  
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  
  <title>Security &mdash; Subuser 0.6.1 documentation</title>
  

  
  

  

  
  
    

  

  
  
    <link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
  

  

  
        <link rel="index" title="Index"
              href="genindex.html"/>
        <link rel="search" title="Search" href="search.html"/>
    <link rel="top" title="Subuser 0.6.1 documentation" href="index.html"/>
        <link rel="next" title="Installing subuser" href="installation.html"/>
        <link rel="prev" title="Screenshots" href="screenshots.html"/> 

  
  <script src="_static/js/modernizr.min.js"></script>

</head>

<body class="wy-body-for-nav" role="document">

  <div class="wy-grid-for-nav">

    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-scroll">
        <div class="wy-side-nav-search">
          

          
            <a href="index.html" class="icon icon-home"> Subuser
          

          
          </a>

          
            
            
              <div class="version">
                0.6
              </div>
            
          

          
<div role="search">
  <form id="rtd-search-form" class="wy-form" action="search.html" method="get">
    <input type="text" name="q" placeholder="Search docs" />
    <input type="hidden" name="check_keywords" value="yes" />
    <input type="hidden" name="area" value="default" />
  </form>
</div>

          
        </div>

        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
          
            
            
                <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="features.html">Features!</a></li>
<li class="toctree-l1"><a class="reference internal" href="screenshots.html">Screenshots</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">Security</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#how-secure-is-subuser">How secure is subuser?</a></li>
<li class="toctree-l2"><a class="reference internal" href="#security-bulletins">Security Bulletins</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#id1">2016</a></li>
</ul>
</li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="installation.html">Installing subuser</a></li>
<li class="toctree-l1"><a class="reference external" href="https://github.com/subuser-security/subuser">Download source</a></li>
<li class="toctree-l1"><a class="reference internal" href="tutorial-use.html">Using subuser - a quick tutorial</a></li>
<li class="toctree-l1"><a class="reference internal" href="packaging.html">Packaging programs to run with subuser</a></li>
<li class="toctree-l1"><a class="reference internal" href="developers/index.html">Developers Corner</a></li>
<li class="toctree-l1"><a class="reference internal" href="news.html">News</a></li>
<li class="toctree-l1"><a class="reference internal" href="press.html">Press</a></li>
<li class="toctree-l1"><a class="reference internal" href="use-cases.html">Use cases</a></li>
<li class="toctree-l1"><a class="reference internal" href="presentations.html">Presentations</a></li>
<li class="toctree-l1"><a class="reference internal" href="community.html">Community</a></li>
<li class="toctree-l1"><a class="reference internal" href="community-guidelines.html">Community guidelines</a></li>
<li class="toctree-l1"><a class="reference internal" href="related-projects.html">Related projects</a></li>
<li class="toctree-l1"><a class="reference internal" href="flaws.html">Design flaws/bugs in subuser</a></li>
</ul>

            
          
        </div>
      </div>
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" role="navigation" aria-label="top navigation">
        <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
        <a href="index.html">Subuser</a>
      </nav>


      
      <div class="wy-nav-content">
        <div class="rst-content">
          

 



<div role="navigation" aria-label="breadcrumbs navigation">
  <ul class="wy-breadcrumbs">
    <li><a href="index.html">Docs</a> &raquo;</li>
      
    <li>Security</li>
      <li class="wy-breadcrumbs-aside">
        
          
            <a href="_sources/security.rst.txt" rel="nofollow"> View page source</a>
          
        
      </li>
  </ul>
  <hr/>
</div>
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
  <div class="section" id="security">
<h1>Security<a class="headerlink" href="#security" title="Permalink to this headline"></a></h1>
<div class="section" id="how-secure-is-subuser">
<h2>How secure is subuser?<a class="headerlink" href="#how-secure-is-subuser" title="Permalink to this headline"></a></h2>
<p>Subuser provides security by isolation.  It isolates programs from one another so that one malicious or faulty program cannot harm the rest of the system.  Some paranoid people have been wondering just how secure/insecure subuser is.  It has been rightfully pointed out that Docker is not a specialized security solution and that there is a high likelihood that exploits for Docker will continue to appear at a relatively high rate.</p>
<p>Subuser is not, and will never be, completely secure.  However, there are degrees of security.  Some attacks can be blocked, while others get through.</p>
<p><strong>Levels of isolation:</strong></p>
<ol class="arabic simple" start="0">
<li>Most Linux distributions provide isolation between users out of the box.  They may also use AppArmor or SELinux to contain some daemons and applications.  If kept up to date they provide a relatively high level of security against remote network attackers and allow one to open common non-executable file formats without significant risk to your system.  However, installing untrusted software onto such a system is impossible without completely compromising the security of the system.</li>
<li>Linux, as secured with subuser, provides isolation at the application level.  Subuser should not reduce the security of single user computers.  It should have most of the same positive security properties as standard Linux.  However, it allows one to run untrusted code with a relatively high level of containment.  Up to date subuser installations are still susceptible to zero day kernel exploits.  If you&#8217;re trying to protect yourself from spyware and botnet software, then subuser will do a great deal of good. It is better than an antivirus program as the isolation model does not rely on the malware being known about.  It is also better than antivirus software in that it protects against SpWiCB (Spyware With Corporate Backing) a problem which the commercial AVs ignore. If the NSA thinks you are worth a custom zero day than subuser won&#8217;t help much.</li>
<li><a class="reference external" href="https://qubes-os.org">Qubes OS</a> provides a much higher level of security than subuser.  Qubes isolates security domains using individual virtual machines. It is forced to isolate &#8220;security domains&#8221; rather than individual programs due to the high overhead of the virtual machines.  This means that using subuser+Qubes is not a bad idea. You can use Qubes for low granularity isolation and subuser for high granularity isolation. Qubes&#8217; isolation is potentially NSA proof.  It is certainly <strong>very</strong> hard to defeat.</li>
</ol>
</div>
<div class="section" id="security-bulletins">
<h2>Security Bulletins<a class="headerlink" href="#security-bulletins" title="Permalink to this headline"></a></h2>
<div class="section" id="id1">
<h3>2016<a class="headerlink" href="#id1" title="Permalink to this headline"></a></h3>
<ol class="arabic simple">
<li>02.03.2016 - Container break out possible when enabling the sound-card permission. Due to mounting the <code class="docutils literal"><span class="pre">/dev/snd</span></code> volume as read-write rather than read only it is possible to escape a subuser container when running the development version of Docker. This is a chain of two factors: It is possible to get root in a container using a <a class="reference external" href="https://github.com/subuser-security/subuser/issues/229">SUID binary</a>.  The <code class="docutils literal"><span class="pre">--device</span></code> flag now <a class="reference external" href="https://github.com/docker/docker/pull/20684#discussion_r54466051">follows symlinks</a>. This issue is fixed in subuser-0.5.3.</li>
</ol>
</div>
</div>
</div>


           </div>
          </div>
          <footer>
  
    <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
      
        <a href="installation.html" class="btn btn-neutral float-right" title="Installing subuser" accesskey="n">Next <span class="fa fa-arrow-circle-right"></span></a>
      
      
        <a href="screenshots.html" class="btn btn-neutral" title="Screenshots" accesskey="p"><span class="fa fa-arrow-circle-left"></span> Previous</a>
      
    </div>
  

  <hr/>

  <div role="contentinfo">
    <p>
        &copy; Copyright Creative Commons Attribution - Timothy Hobbs.

    </p>
  </div>
  Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/snide/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>. 

</footer>

        </div>
      </div>

    </section>

  </div>
  


  

    <script type="text/javascript">
        var DOCUMENTATION_OPTIONS = {
            URL_ROOT:'./',
            VERSION:'0.6.1',
            COLLAPSE_INDEX:false,
            FILE_SUFFIX:'.html',
            HAS_SOURCE:  true,
            SOURCELINK_SUFFIX: '.txt'
        };
    </script>
      <script type="text/javascript" src="_static/jquery.js"></script>
      <script type="text/javascript" src="_static/underscore.js"></script>
      <script type="text/javascript" src="_static/doctools.js"></script>

  

  
  
    <script type="text/javascript" src="_static/js/theme.js"></script>
  

  
  
  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.StickyNav.enable();
      });
  </script>
   

</body>
</html>

APT Browse - Built by Thomas Orozco.