coder / code-server

VS Code in the browser
https://coder.com
MIT License

[Feat]: In code-server, how to restrict users to only access files within the workspace directory #6658

Closed isatis-summer closed 6 months ago

isatis-summer commented 6 months ago

In code-server, restrict users to only access files within the workspace directory. For example, if the set directory is /home/workspace, users are currently able to access the /home folder or even the root directory (/), which allows access to the entire container's directories. This poses a security risk.

code-asher commented 6 months ago

Thank you for the suggestion!

We could restrict the file picker to the workspace root(s), and do the same with the "open file" picker, but this would not really close any security holes as the user will still have access to the files through the command line, extensions, and the debugger.

I think the only way to reliably achieve this is to use a chroot or run code-server in a VM/container. It sounds like you are already running in a container though and I assume you have users and permissions on the directories set up correctly, so is there actually a security risk here?

Duplicate of https://github.com/coder/code-server/issues/600
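
The comment above places the real boundary at OS users and directory permissions rather than at the file picker. As an added example (not from this thread or the code-server project), the script below lists what a given uid can read or write outside the workspace. The names `audit` and `_has` are hypothetical, and it assumes classic mode bits only (no ACLs, capabilities or mount options).

```python
import os
import stat
import sys


def _has(st, uid, gids, want):
    """Classic mode-bit check (want: 4=read, 2=write, 1=search); ACLs are ignored."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & want)


def audit(root, workspace, uid, gids):
    """List (path, perms) under root, outside workspace, that uid can read or write."""
    root, workspace = os.path.realpath(root), os.path.realpath(workspace)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries, dirnames[:] = dirnames + filenames, []
        if not _has(os.stat(dirpath), uid, gids, 1):
            continue  # no search permission: nothing below is reachable
        for name in entries:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished while walking (e.g. under /proc)
            if path == workspace or stat.S_ISLNK(st.st_mode):
                continue  # workspace is intended; symlink targets are audited where they live
            perms = "".join(c for c, b in (("r", 4), ("w", 2)) if _has(st, uid, gids, b))
            if perms:
                findings.append((os.path.relpath(path, root), perms))
            if stat.S_ISDIR(st.st_mode):
                dirnames.append(name)  # descend; search permission is checked on entry
    return sorted(findings)


if __name__ == "__main__":
    # /home/workspace is the directory named in the issue; pass another as argv[1].
    ws = sys.argv[1] if len(sys.argv) > 1 else "/home/workspace"
    for rel, perms in audit("/", ws, os.getuid(), set(os.getgroups()) | {os.getgid()}):
        print(perms, "/" + rel)
```

Run it inside the container as the account code-server runs under; every line it prints is reachable from the integrated terminal regardless of what the file picker shows.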

repo-ranger[bot] commented 6 months ago

⚠️ This issue has been marked duplicate and will be closed in 2 days.