Dropping Privileges in Go
Summary
The article advocates adopting a least-privilege approach for Go programs, showing how to drop root privileges using chroot/setuid/setresuid and how to plan resource access from the start. It surveys OS-level sandboxing options (OpenBSD pledge/unveil, Linux seccomp and Landlock) and discusses practical caveats, including when and how to apply setrlimit to limit CPU and memory. It provides real-world examples and code patterns to reduce the attack surface in cross-platform environments.
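A sketch of the chroot-then-setresuid sequence the summary names, written for this page as an added example rather than taken from the article. It assumes Linux and a process started as root; the function name `DropPrivileges`, the `/var/empty` directory and the `65534` IDs are illustrative assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// DropPrivileges chroots into root, then irreversibly becomes uid/gid (Linux only).
func DropPrivileges(root string, uid, gid int) error {
	if root == "" || uid <= 0 || gid <= 0 {
		return errors.New("need a chroot directory and a non-root uid/gid")
	}
	if os.Geteuid() != 0 {
		return errors.New("not running as root: nothing to drop")
	}
	// chroot needs root, so it comes first; chdir puts the cwd inside the jail.
	if err := syscall.Chroot(root); err != nil {
		return fmt.Errorf("chroot: %w", err)
	}
	if err := os.Chdir("/"); err != nil {
		return fmt.Errorf("chdir: %w", err)
	}
	// Groups before user: after the uid changes, the group calls are no longer permitted.
	if err := syscall.Setgroups([]int{gid}); err != nil {
		return fmt.Errorf("setgroups: %w", err)
	}
	if err := syscall.Setresgid(gid, gid, gid); err != nil {
		return fmt.Errorf("setresgid: %w", err)
	}
	if err := syscall.Setresuid(uid, uid, uid); err != nil {
		return fmt.Errorf("setresuid: %w", err)
	}
	// Real, effective and saved IDs are all set, so regaining root must fail.
	if syscall.Setuid(0) == nil || os.Geteuid() != uid {
		return errors.New("privilege drop did not stick")
	}
	return nil
}

func main() {
	// Constructed values: an empty directory and the conventional "nobody" IDs.
	if err := DropPrivileges("/var/empty", 65534, 65534); err != nil {
		fmt.Fprintln(os.Stderr, "drop failed:", err)
		os.Exit(1)
	}
	fmt.Println("now running as uid", os.Getuid())
}
```

Open any files or sockets that need root (privileged ports, key material) before calling the function, since nothing outside the jail is reachable afterwards.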