by unglaublich 11 days ago
This is why you need either a rootless container setup or user namespaces to remap the container user to irrelevant host users. https://docs.docker.com/engine/security/userns-remap/

Weak that this isn't the default.

2 comments
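As an added example (not from the comment above or from Docker's documentation), here is how a practitioner can check whether the userns-remap the comment links to is actually in effect. With `"userns-remap": "default"` in `/etc/docker/daemon.json` and dockerd restarted, `/proc/self/uid_map` inside a container no longer maps container uid 0 to host uid 0. The helper below (`uidmap_root_remapped`, a hypothetical name) parses such a uid_map and reports whether container root lands on an unprivileged host uid; the two uid_map strings are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from Docker.
#
# Enabling the remap (as in the linked docs) in /etc/docker/daemon.json:
#   { "userns-remap": "default" }
# then, after restarting dockerd, inspect the map from inside a container:
#   docker run --rm alpine cat /proc/self/uid_map
#
# uid_map rows are: <container-start-uid> <host-start-uid> <length>.
# uidmap_root_remapped (hypothetical helper) takes the uid_map contents as
# its only argument and returns 0 when the range that begins at container
# uid 0 starts at a non-zero host uid (root is remapped), 1 otherwise.
uidmap_root_remapped() {
    printf '%s\n' "$1" | awk '
        $1 == 0 { if ($2 != 0) found = 1 }   # range covering container uid 0
        END { exit(found ? 0 : 1) }'
}

# Constructed samples of what the command above prints in each setup.
UNMAPPED='         0          0 4294967295'   # stock Docker: container root == host root
REMAPPED='         0     100000      65536'   # userns-remap: container root -> host uid 100000

if uidmap_root_remapped "$REMAPPED"; then
    echo "remapped: container root is an unprivileged host uid"
fi
if ! uidmap_root_remapped "$UNMAPPED"; then
    echo "not remapped: container root is host root"
fi
```

A map with several rows (for example `0 1000 1` followed by `1 100000 65535`, as rootless setups produce) is handled the same way: only the row whose first column is 0 decides the answer.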

User namespaces significantly raise the risk of exploits and many setups disable them. One may argue that Docker should have used them when they were available, but that would break too many useful setups involving privileged containers.
Ah of course, we should not use userns because it might be vulnerable to some yet to be discovered vulnerability. The better alternative is to give full root access so we won't have surprises.
The full access to the docker socket from a user account is typically used on a development machine where malware has many other opportunities to become root.
> User namespaces significantly raise the risk of exploits

How?

Here's one (CIFSwitch) from a couple of days ago: https://heyitsas.im/posts/cifswitch/
Is there a mitigation for Mac? Can you do the same with e.g. Lima or is this just a Docker thing?