Textualize / textual-serve

Serve Textual apps locally
MIT License
162 stars 6 forks

Discussion: Subprocess isolation #5

Closed patha454 closed 2 months ago

patha454 commented 2 months ago

Hi Will and the Textual team...

I've just noticed textual-serve, and I'm interested in using it for some in-house projects. I'm interested in improving the security of the served subprocesses, and I'd like to know if you're open to PRs in the direction I have in mind...

I see you're currently creating a new subprocess running the target program for each connection. This is pretty lightweight - good enough for a beta and hobby use. I'm concerned about the security implications for industrial use - I'm thinking about isolating each subprocess inside a lightweight microVM, such as Firecracker, to isolate each subprocess against privilege escalation attacks or malicious users escaping into the shell.

I had considered running textual-serve inside a single microVM, without any changes to the code. Running a single microVM would not isolate processes against each other. I'm interested in isolating each subprocess inside a microVM. Using a microVM per connection/subprocess would require us to modify textual-serve a bit.

If we go ahead with isolating processes in microVMs, would you be interested in a PR to merge the code back to the mainline? If so, are there any considerations you have in mind?

willmcgugan commented 2 months ago

It's not possible to escape into the shell with textual-serve. We use a custom protocol, and don't simply proxy a shell session.

Serving Textual apps is at least as secure (likely more so) as any other web application server. But I would of course be keen to support any additional security requirements beyond that. You might want to keep me informed of your progress as this project is still being actively worked on.

patha454 commented 2 months ago

Thanks for the clarification, Will.

I'm (vaguely) aware of the custom protocol - I saw the JSON metadata and data packets being encoded, but I still need to spend some time studying how they're handled on the Textual driver end of things. I agree it's not simply proxying a shell session, but sooner or later Python is running and I'm wary of injection attacks. That's not a flaw in your software - I appreciate the quality of your work here, especially Rich - just a requirement of my use case.

We'll do some more security analysis on them both. If we find anything serious, would contacting you via the email address on https://www.textualize.io/contact/ be acceptable? - I wouldn't want to post any vulnerabilities publicly, of course.

willmcgugan commented 2 months ago

You could send them directly to me if you like. Will at Textualize.io