Hi all !
As of today, I am running my services with rootless podman pods and containers. Each functional stack gets its dedicated user (user cloud runs a pod with nextcloud-fpm, nginx, postgresql…) with user mapping. Now, my thought were that if an attack can escape a container, it should be contained to a specific user.
Is it really meaningful ? With service users’ home setup in /var/lib, it makes a lot of small stuff annoying and I wonder if the current setup is really worth it ?
Af an attack can escape a container a lot of companies worldwide are going to need to patch a 0-day. I do not expect that to be part of my threat model for self-hosted services.
Woah, no. Sure escaping via a kernel bug or some issue in the container runtime is unexpected, but I “escape” containers all the time in my job because of configuration issues, poorly considered bind mounts, or the “contained” service itself ends up being designed to manage some things outside of the container.
Might be valid to not consider it with the services you run, but that reasoning is very wrong.
I guess I should define my threat model first. Your answer pulls me towards a single user though