by coffeekid 1460 days ago
You can also call docker commands by being part of the docker group IIRC.

Doesn't this have more to do with the daemon than the user executing commands?

3 comments

> You can also call docker commands by being part of the docker group IIRC.

Which effectively gives you root on the host.

Which is a horrible practice and has roughly the same attack surface as logging in as root all the time.
With podman there is no daemon, everything is running as you. The standard setup for docker has a daemon running as root, which means when you start a container it has root privileges.
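
An added example, not part of the thread: a POSIX shell audit for the point made in the comments above, listing which accounts can write to a root-run daemon's socket and are therefore root-equivalent on the host. The function names and the sample group/passwd entries are constructed for illustration; the socket mode, owner and group are passed in as arguments.

```shell
#!/bin/sh
# Added example. Sample files are constructed; on a real host use
# /etc/group, /etc/passwd and the output of: stat -c '%a %U %G' /var/run/docker.sock

# Members of a group: supplementary members listed in the group file plus
# users whose primary GID (passwd field 4) is that group's GID.
group_members() {   # args: group group_file passwd_file
    gm_gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$2")
    [ -n "$gm_gid" ] || return 0
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
        awk -F: -v id="$gm_gid" '$4 == id { print $1 }' "$3"
    } | sort -u
}

# Who can write to (and so drive) the daemon socket, from its octal mode.
socket_writers() {   # args: mode owner group
    sw_rest=${1%?}
    sw_other=${1#"$sw_rest"}                 # last digit: "other" bits
    sw_group=${sw_rest#"${sw_rest%?}"}       # second to last: group bits
    if [ $((sw_other & 2)) -ne 0 ]; then echo "everyone"
    elif [ $((sw_group & 2)) -ne 0 ]; then echo "group:$3"
    else echo "owner:$2"
    fi
}

# Accounts that can reach the daemon socket, one per line.
root_equivalent() {   # args: mode owner group group_file passwd_file
    case $(socket_writers "$1" "$2" "$3") in
        everyone) awk -F: '{ print $1 }' "$5" | sort -u ;;
        group:*)  { echo "$2"; group_members "$3" "$4" "$5"; } | sort -u ;;
        *)        echo "$2" ;;
    esac
}

# Constructed sample data: "build" has docker as its primary group, which a
# check of the group file's member list alone would miss.
demo_dir=$(mktemp -d)
printf '%s\n' 'root:x:0:' 'docker:x:998:alice,ci' 'dev:x:1001:bob' > "$demo_dir/group"
printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'alice:x:1000:1000::/home/alice:/bin/sh' \
    'bob:x:1001:1001::/home/bob:/bin/sh' 'ci:x:1002:1002::/home/ci:/bin/sh' \
    'build:x:1003:998::/home/build:/bin/sh' > "$demo_dir/passwd"
root_equivalent 660 root docker "$demo_dir/group" "$demo_dir/passwd"
```
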