@ariadne@treehouse.systems yes, this is terrible. The best approach (even if it can be effective only if the exploit is in the user part, not the kernel part) is the one I generally use in FreeBSD: putting every different client's VM inside a jail.