So, @prologic@twtxt.net, I feel like I should convince you that your self-hosting solution you build should use containerized documents (Sandstorm calls them “grains” for kind of good reasons, but documents is usually applicable). This would have twofold benefits: 1. Your platform would be more secure/better. 2. Apps you build for it would probably be reasonably straightforward to also run on Sandstorm.
Essentially the key concept is to move as much of the management of security and access to the platform, and not the individual application. Sandstorm assumes the applications might be insecure, or even actively malicious, and so we want them as inaccessible and locked down as possible all the time.
With a platform like YunoHost without virtualization, an RCE in an app could compromise everything on your server. A Docker-host like Cloudron or Umbrel, an RCE in an app could compromise all of the data in that app. More often than not, an RCE in a Sandstorm app grants zero ability to compromise anything at all. This means Sandstorm very rarely cares that apps have any good security practice at all: In most cases it just doesn’t matter.
If you consider an application like Etherpad, which by default, one would run and have dozens, hundreds, or thousands of documents, and you might host it at etherpad.yourdomain.com. And it’s always running, and it’s data is always available, and it’s using system resources. Additionally, you might want to share some documents with people, so people might have access to your Etherpad instance, but maybe only read-only, and only to some documents, or whatever.
In a normal Docker setup, a flaw in Etherpad could lead unauthorized users to access documents they shouldn’t be able to, or of course, edit documents without permission, including documents they weren’t supposed to have access to. Since Sandstorm spins up Etherpad containers on demand, if a user doesn’t have access to a document via Sandstorm, the server isn’t even loaded/running anywhere, and nobody can access it. When we do spin it up, the authorized user gets a container with… only the one document they have access to. A flaw in Etherpad could let a read-only user exploit their way into editing, but only, again, for the one document they already had access to.
Also, Sandstorm spins up these containers on ethereal randomized subdomains, and requires a unique authorization cookie on your browser to access them when they’re up. So they’re also very difficult to access even when they’re spawned without authorization.
There’s some interesting impacts here: If you don’t share a document with anyone else, there’s really zero way any vulnerabilities in the app itself can be exploited in any way, it’s not even running unless you open it via Sandstorm. So it’s safe to use these apps basically forever even without security updates.
The other big one is performance: Since apps are only running while you’re accessing them, there’s no performance cost to having a lot of different apps “installed” on your server. The cost of installing an app on your server is the storage, and CPU/memory is only impacted on demand.
Hmmm interesting model I can see the benefits here for sure for a certain set of use-cases.
@prologic@twtxt.net There’s a few places users will tend to prefer a monolith (social networks and feed readers come to mind), but anything document-based it makes a huge difference. The biggest downside is that since “starting the web server” happens every time you open an document, apps have to start very very fast. It’s why we prefer SQLite over MySQL heavily, for example. Also, MySQL has a lot of overhead per-database, which makes file sizes annoying large, for example.
From a size, isolation, and performance standpoint, a lot of your small Go apps fit very well in the model already. :)
@ocdtrekkie@twtxt.net Fair enough 👌 I still have to think about this some more 👌