Sailor, a native and portable container system for NetBSD and Mac OS X

[iMil]

sailor's goal is definitely not to bring security, we all perfectly know chroot is not the way of isolating a host filesystem from attackers. Instead, sailor provides a convenient way of testing environments without compromising your workstation / dev station filesystem.

[geofft]

Which was, as it happens, the reason chroot was invented (to test the installer of newer versions of UNIX without having a brand-new physical system). Better tooling around chroot is absolutely useful.

I guess it's a misnomer to use the word "container", since that usually means things like Linux containers with security isolation almost as good as OS virtualization.

[iMil]

Right, the "container" word is now vastly associated to docker, yet I picked a word I know IT people will get and which is generic enough. I'll think on an alternative buzzword ;) Thanks for your support!

[jhardy54]

The word you're looking for is "chroot".

[q3k]

There is a difference between not bringing in additional security and bringing anti-security. In my eyes, you are doing the latter.

Your default examples elevate privilege, not warning the user about this fact anywhere.

[iMil]

Duly noted, I just added a word about it on the GitHub page, and you're right, I should run the examples services with a dedicated user as I already do for the nginx process. Thanks for your feedback!

[iMil]

And so it is, I just commited changes so both PM2 and gunicorn are started with a specific user.