Restricting the privileges of Linux services and reducing their attack vector has always been challenging: you either need to adapt your software or start looking for a sandboxing program or a manager that handles this for you. This is where systemd comes in. systemd is a suite of basic building blocks for a Linux system; it provides a system and service manager that runs as PID 1 and starts the rest of the system.
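As an added example (not from the original post), the following drop-in applies systemd's built-in sandboxing directives to a hypothetical service; `myservice` and the drop-in path are placeholders, and every directive shown is a real systemd `[Service]` option.

```ini
# /etc/systemd/system/myservice.service.d/hardening.conf
# Added example for a hypothetical unit; adjust paths, address families
# and the syscall filter to what the real service actually needs.
[Service]
# Run as a transient, unprivileged user instead of root
DynamicUser=yes
# /usr, /boot, /efi and /etc read-only; the rest of the tree unwritable
# except for the per-service state directory under /var/lib
ProtectSystem=strict
StateDirectory=myservice
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# No privilege gain through setuid binaries or file capabilities
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=
RestrictSUIDSGID=yes
# No new namespaces, no access to kernel tunables, modules, logs or cgroups
RestrictNamespaces=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# Only the socket families the service needs
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Seccomp: native ABI only, allow the system-service group,
# then strip privileged and resource-management calls from it
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
```

After `systemctl daemon-reload`, `systemd-analyze security myservice.service` reports which exposures remain and scores the unit, which is a quick way to check that the drop-in took effect.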
In our last blog post we gave you a short introduction to Linux namespaces. Part 2 will go deeper into user namespaces and the problems that Linux containers still face today. Among them, resource accounting and container privileges are top culprits. Currently, processes on the host may still share some resource accounting with processes inside containers. How many processes a single user who owns several containers is allowed to run is one of many examples.
Containers are lightweight virtualization tools that give processes the illusion of separation and isolation. They are not a security technology, but they do offer some isolation, for example of filesystem and network operations, using Linux namespaces. However, as more containers are deployed we continue to find problems that need to be addressed. Among them, resource accounting and container privileges are top culprits. For now we will give you a quick overview of Linux namespaces.