by RyEgswuCsn 1481 days ago
No it’s not. File written from inside the container into a mounted volume as root will be owned by root outside the container (uid 0, to be specific; doesn’t matter what the user is named).

Edit: I might have misunderstood parent, who might be referring to Podman attempting to manage the uid mapping.


The parent comment is still talking about rootless podman (and really just user namespaces). Root in the container is absolutely mapped to the user executing podman outside the container.

If it mapped to root outside the container, you could just use podman to create setuid scripts owned by root for very trivial privilege escalation.

Yes, I think you are right --- I was mistaken. Docker without rootless mode operates in the way I described.
Last thing I remember, you can tweak your /etc/setuid, setgid to properly map between the user inside the container and outside.
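To make the uid mapping discussed in the replies above concrete, here is an added example (not code from any of the commenters or from the podman project) that parses a user-namespace uid_map in the format of /proc/<pid>/uid_map, as rootless podman builds it from the user's /etc/subuid entry, and shows which host uid a given container uid lands on. The mapping text, the host user (uid 1000) and the subuid range are constructed for illustration.

```python
from typing import List, Optional, Tuple

# Constructed uid_map for a rootless container started by host uid 1000 whose
# /etc/subuid entry is assumed to be "alice:100000:65536". Each line is
# "<first uid inside> <first uid outside> <count>".
SAMPLE_UID_MAP = """\
0 1000 1
1 100000 65536
"""


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map lines into (inside_start, outside_start, count) tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        ranges.append((inside, outside, count))
    return ranges


def container_to_host_uid(uid_map: List[Tuple[int, int, int]],
                          container_uid: int) -> Optional[int]:
    """Return the host uid that a container uid maps to, or None if it is
    outside every mapped range (the kernel then shows files as the overflow
    uid, normally 65534, on the host)."""
    for inside, outside, count in uid_map:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def container_root_is_host_root(uid_map: List[Tuple[int, int, int]]) -> bool:
    """True only if uid 0 inside the namespace is uid 0 on the host, which is
    the case for non-rootless Docker but not for a rootless podman container."""
    return container_to_host_uid(uid_map, 0) == 0


if __name__ == "__main__":
    uid_map = parse_uid_map(SAMPLE_UID_MAP)
    for cuid in (0, 1, 1000, 65536, 65537):
        print(f"container uid {cuid:>6} -> host uid {container_to_host_uid(uid_map, cuid)}")
    print("container root is host root:", container_root_is_host_root(uid_map))
```

With this mapping a file created as root inside the container on a mounted volume is owned by host uid 1000 on the host, so a setuid binary dropped that way grants only that user's privileges.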