Commit Graph

2 Commits

Author SHA1 Message Date
Robby
b613a42393 security(sandbox): add non-root user to Docker sandbox
Problem:
The sandbox container runs as root by default. If untrusted code runs
in the sandbox and a container escape vulnerability exists, the attacker
gains root access to the host.

Solution:
Add a non-privileged user following principle of least privilege:
```dockerfile
RUN useradd -m -s /bin/bash -u 1000 sandbox
USER sandbox
WORKDIR /home/sandbox
```

Fixes #3277 (partial)
[AI-assisted: lightly tested, code understood]
2026-01-28 10:53:30 +00:00
Peter Steinberger
3b075dff8a feat: add per-session agent sandbox 2026-01-03 21:41:58 +01:00