To keep your machine secure, run third-party tools inside Docker (ashishb.net)
13 points by ashishb 7 months ago | 9 comments


> To keep your machine secure, run third-party tools inside Docker

Firefox and Chrome? Building programs for languages which connect to the internet (Python, Rust), although that does not protect against random malicious packages?


Third-party CLI tools. It is doable, but hard to run a browser inside Docker. Further, the browser itself has a layer of safety against executing malicious code.


95% of the OS is third party, and everything I install afterwards is third party.


That's true.

However, you are reducing your attack surface by running some of those tools inside Docker.


By running Docker, you are introducing tons more code that runs with root privileges. There have been numerous privilege escalation vulnerabilities discovered over the years. Combined with the fact that root inside a Docker container is root on the host, you are increasing your attack surface instead of reducing it. It's the wrong tool to be using for security.
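The comment above turns on how a container was launched: an unprivileged, capability-dropped container for a CLI tool is a very different thing from one started as root with extra capabilities or the Docker socket mounted. The following added example (not from the post, the article, or any commenter) audits the output of `docker inspect` for exactly those settings; the two JSON samples are constructed to look like `docker inspect` records and are not real containers.

```python
"""Flag `docker inspect` settings under which "root in the container" is effectively root on the host."""
import json

# Constructed sample: a third-party linter started with the defaults plus a few risky flags.
RISKY_INSPECT = json.dumps([{
    "Name": "/linter",
    "Config": {"User": ""},                       # empty => runs as uid 0
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["SYS_ADMIN"],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/home/me/proj:/src:ro"],
        "PidMode": "",
        "NetworkMode": "host",
    },
}])

# Constructed sample: the same tool started with --user, --cap-drop ALL and only the project mounted.
HARDENED_INSPECT = json.dumps([{
    "Name": "/linter",
    "Config": {"User": "1000:1000"},
    "HostConfig": {
        "Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
        "Binds": ["/home/me/proj:/src:ro"], "PidMode": "", "NetworkMode": "bridge",
    },
}])


def audit(inspect_json):
    """Return (container, finding) pairs for settings that erase the host/container boundary."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?")
        hc = c.get("HostConfig") or {}
        user = (c.get("Config") or {}).get("User") or ""
        if user.split(":")[0] in ("", "0", "root"):
            findings.append((name, "runs as root: container uid 0 is host uid 0 unless userns-remap is on"))
        if hc.get("Privileged"):
            findings.append((name, "--privileged: all capabilities and host devices, no seccomp/AppArmor"))
        for cap in hc.get("CapAdd") or []:
            findings.append((name, f"added capability {cap}"))
        for bind in hc.get("Binds") or []:
            if bind.split(":")[0].rstrip("/").endswith("docker.sock"):
                findings.append((name, "Docker socket mounted: lets the tool start a root container on the host"))
        if hc.get("PidMode") == "host":
            findings.append((name, "shares host PID namespace"))
        if hc.get("NetworkMode") == "host":
            findings.append((name, "shares host network namespace"))
    return findings
```

Run `audit(json.dumps(json.load(os.popen("docker inspect <name>"))))` against a live container to see which of these apply to it.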


Well, maybe not on the BSDs, now that I come to think of it.


Qubes OS, anyone?


Docker can be used on Mac, Linux, BSD [and probably even Windows]. Switching to Qubes OS requires a much bigger shift.


It's a Linux VM on Mac, Linux on Linux, a Linux VM on BSD, and a Linux VM on Windows. I'm sure Qubes OS can run on VMs as well.

I mean, for Windows, yes, Windows containers technically exist, but no one uses them, and therefore there is no flourishing ecosystem.
