by fpoling 23 days ago
User namespaces significantly raise the risk of exploits and many setups disable them. One may argue that Docker should have used them when they were available, but that would break too many useful setups involving privileged containers.

Ah of course, we should not use userns because it might be vulnerable to some yet-to-be-discovered vulnerability. The better alternative is to give full root access so we won't have surprises.
Full access to the docker socket from a user account is typically used on a development machine where malware has many other opportunities to become root.
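As an added example (not from any commenter), a POSIX shell audit of the two settings this comment weighs against each other: whether unprivileged user namespaces are enabled on the host, and whether the Docker socket is writable by non-root users. The sysctl names and default paths are the standard Linux ones; the directory and socket arguments are only there so the checks can be run against a constructed copy.

```shell
#!/bin/sh
# Added example: audit user-namespace availability and Docker socket exposure.

# Report whether unprivileged users can create user namespaces.
# $1: directory standing in for /proc/sys (default /proc/sys).
# Prints "enabled" or "disabled"; exit status 0 when enabled, 1 when disabled.
userns_unprivileged() {
  sys="${1:-/proc/sys}"
  # mainline knob: 0 means no user namespaces at all
  max="$(cat "$sys/user/max_user_namespaces" 2>/dev/null || echo 0)"
  # Debian/Ubuntu-only knob; absent on mainline kernels, so absence means "no restriction"
  clone="$(cat "$sys/kernel/unprivileged_userns_clone" 2>/dev/null || echo 1)"
  if [ "$max" -gt 0 ] && [ "$clone" -eq 1 ]; then
    echo enabled; return 0
  fi
  echo disabled; return 1
}

# Report whether a socket is writable by group or other (i.e. by non-root accounts).
# A writable docker.sock is equivalent to root on the host, as the comment notes.
# $1: socket path (default /var/run/docker.sock).
# Exit status 0 when writable by non-root, 1 when root-only, 2 when the path is absent.
docker_socket_open() {
  sock="${1:-/var/run/docker.sock}"
  [ -e "$sock" ] || { echo "absent"; return 2; }
  mode="$(stat -c '%a' "$sock" 2>/dev/null)"   # e.g. 660 (GNU stat)
  # last two octal digits are group and other; the write bit is 2
  grp=$(( (mode / 10) % 10 )); oth=$(( mode % 10 ))
  if [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]; then
    echo "writable-by-non-root (mode $mode)"; return 0
  fi
  echo "root-only (mode $mode)"; return 1
}

# Run both checks against the live host when invoked with --audit.
if [ "${1:-}" = "--audit" ]; then
  printf 'unprivileged user namespaces: '; userns_unprivileged
  printf 'docker socket: '; docker_socket_open
fi
```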
> User namespaces significantly raise the risk of exploits

How?

Here's one (CIFSwitch) from a couple of days ago: https://heyitsas.im/posts/cifswitch/