On 7/28/23 09:27, Mark Raynsford via Podman wrote:
> On 2023-07-28T09:13:14 -0400
> Daniel Walsh <dwalsh(a)redhat.com> wrote:
> > The issue with running all of your containers as non-root users is: if
> > every container runs as a non-root user, then the containers would be
> > allowed to attack the user account and every other container if they
> > were to escape confinement (SELinux).
> Hello!
> I read back what I wrote and realized it was a bit ambiguous. To be
> clear: I'm running each container as a separate non-root user; one user
> ID per container (not one user ID shared between all containers).
> > Running containers with the least privs possible is always the goal,
> > but it really is up to the application.
> This is where I'm still not entirely clear: Is running a container as
> root with SELinux and with flags such as --unprivileged=false really
> more powerful than as a regular user with the same kinds of flags?
No, a regular user is fine, and since you are doing each podman run with
a different user, you are doing it the most securely in my opinion, with
a great deal of extra work, however.
> I haven't heard of anyone escaping SELinux confinement, although I'm
> guessing it has probably been done. I'd assume a kernel-level exploit
> would probably be required and, in that case, running under a different
> UID wouldn't help matters.
Well, none that I am aware of in the last few years, but I believe in
Defense in Depth. I believe each security measure has a chance of failure,
but the more you combine, the less likely it is that the entire system is
vulnerable.
> I've tried setting up machines with all of the containers running as
> root, and it's certainly a lot less of an administrative burden. I run
> my own registry so I'm not _too_ concerned about hostile images making
> it into production containers.
> I feel like there's a huge hole in the documentation around this
> subject, and it's really weird that no one appears to be talking about
> it. Fedora Server runs all containers as root if configured via
> Cockpit, so presumably someone at least considered the issue?
Well, I do cover a lot of security concerns in my book Podman in Action,
Chapters 10 and 11.
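A host-side audit for the pattern discussed above (one distinct non-root UID per container), added here as an example and not taken from the thread or from Podman itself: it reads `ps -eo uid,args` output, locates each container's conmon monitor process and reports containers running as UID 0 or sharing a UID with another container. It assumes conmon is started with `-c <container-id>`, as Podman does, and uses a constructed ps sample so it runs offline.

```shell
#!/bin/sh
# Constructed sample of `ps -eo uid,args` output: one root container,
# two containers sharing UID 1002, one container alone on UID 1001,
# plus an unrelated non-container process. Container ids are placeholders.
SAMPLE_PS='  UID ARGS
    0 /usr/bin/conmon --api-version 1 -c aaaa1111 -u aaaa1111 -r /usr/bin/crun
 1001 /usr/bin/conmon --api-version 1 -c bbbb2222 -u bbbb2222 -r /usr/bin/crun
 1002 /usr/bin/conmon --api-version 1 -c cccc3333 -u cccc3333 -r /usr/bin/crun
 1002 /usr/bin/conmon --api-version 1 -c dddd4444 -u dddd4444 -r /usr/bin/crun
 1003 /usr/bin/python3 -m http.server'

# Print "<uid> <container-id>" for every conmon process in the given ps output.
# The container id is taken from the argument following "-c" (assumed layout).
container_uids() {
  printf '%s\n' "$1" | awk '
    $2 ~ /conmon$/ {
      for (i = 3; i <= NF; i++) if ($i == "-c") { print $1, $(i+1); break }
    }'
}

# Group containers by host UID and report:
#   ROOT       - container(s) whose conmon runs as UID 0
#   SHARED UID - a UID hosting more than one container
#   OK         - a non-root UID hosting exactly one container
# Exits 1 when any ROOT or SHARED finding exists, 0 otherwise.
audit_container_uids() {
  container_uids "$1" | awk '
    { count[$1]++; ids[$1] = ids[$1] " " $2 }
    END {
      bad = 0
      for (u in count) {
        if (u == "0")           { print "ROOT: uid 0 runs" ids[u]; bad = 1 }
        else if (count[u] > 1)  { print "SHARED UID " u ":" ids[u]; bad = 1 }
        else                    { print "OK uid " u ":" ids[u] }
      }
      exit bad
    }'
}

# On a real host replace "$SAMPLE_PS" with "$(ps -eo uid,args)".
audit_container_uids "$SAMPLE_PS" || echo "audit: findings above need attention"
```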
_______________________________________________
Podman mailing list -- podman(a)lists.podman.io
To unsubscribe send an email to podman-leave(a)lists.podman.io