diff --git a/_posts/2023-10-03-podman-userns.md b/_posts/2023-10-03-podman-userns.md index 56c1c98..1c1b7d5 100644 --- a/_posts/2023-10-03-podman-userns.md +++ b/_posts/2023-10-03-podman-userns.md @@ -6,7 +6,7 @@ title: How To Run Podman Containers Inside One User More Securely Previously, I ran containers as a single user with Podman mapping the UID in the container as root (without the `--userns` flag). -However, this means that when multiple containers are run with a single user, they share their permissions, which is less secure. This is because if one container is compromised, the whole user directory could be changed. +However, this means that when multiple containers are run with a single user, they share their permissions, which is less secure. This is because if one container is compromised, the harm done to the system could eventually be bigger. An alternative to this approach is the usage of `--userns=auto`. This uses a separate user namespace as the root in the container. So every container has a different user namespace and therefore only permission to change files in this namespace. This is especially helpful in production. diff --git a/_site/2023/10/03/podman-userns.html b/_site/2023/10/03/podman-userns.html index c6f44d0..2a409ec 100644 --- a/_site/2023/10/03/podman-userns.html +++ b/_site/2023/10/03/podman-userns.html @@ -26,7 +26,7 @@

Previously, I ran containers as a single user with Podman mapping the UID in the container as root (without the --userns flag).

-

However, this means that when multiple containers are run with a single user, they share their permissions, which is less secure. This is because if one container is compromised, the whole user directory could be changed.

+

However, this means that when multiple containers are run with a single user, they share their permissions, which is less secure. This is because if one container is compromised, the harm done to the system could eventually be bigger.

An alternative to this approach is the usage of --userns=auto. This uses a separate user namespace as the root in the container. So every container has a different user namespace and therefore only permission to change files in this namespace. This is especially helpful in production.