Hi all!
As of today, I am running my services with rootless podman pods and containers. Each functional stack gets its dedicated user (user cloud runs a pod with nextcloud-fpm, nginx, postgresql…) with user mapping. Now, my thoughts were that if an attack can escape a container, it should be contained to a specific user.
Is it really meaningful? With service users’ homes set up in /var/lib, it makes a lot of small stuff annoying and I wonder if the current setup is really worth it.
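To make the isolation argument concrete, here is an added example (not from the poster's setup) that computes, from a user's real UID and its /etc/subuid range, which host UID a given container UID lands on under rootless podman's default mapping (container UID 0 is the user's own UID; container UIDs 1..N map onto the subordinate range), and checks that two service users' ranges do not overlap. The usernames, UIDs and the subuid lines are constructed sample values, not taken from the post.

```shell
#!/bin/sh
# Added example: map rootless-podman container UIDs back to host UIDs.
# Assumes podman's default rootless mapping:
#   container UID 0      -> the user's real UID
#   container UID k>=1   -> subuid_start + k - 1

# Constructed sample of /etc/subuid (two service users, disjoint ranges)
SUBUID_SAMPLE='cloud:100000:65536
media:165536:65536'

# subuid_start USER CONTENT -> first subordinate UID allotted to USER
subuid_start() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '$1==u {print $2; exit}'
}

# subuid_len USER CONTENT -> size of USER's subordinate range
subuid_len() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '$1==u {print $3; exit}'
}

# host_uid USER REAL_UID CONTAINER_UID CONTENT -> host UID the process really runs as
host_uid() {
  user=$1; ruid=$2; cuid=$3; content=$4
  if [ "$cuid" -eq 0 ]; then
    echo "$ruid"          # "root" inside the container is just the service user
    return 0
  fi
  start=$(subuid_start "$user" "$content")
  [ -n "$start" ] || { echo "no subuid range for $user" >&2; return 1; }
  echo $((start + cuid - 1))
}

# ranges_overlap S1 L1 S2 L2 -> yes/no; overlapping ranges would let a breakout
# from one user's pod touch files owned by the other user's mapped UIDs
ranges_overlap() {
  s1=$1; l1=$2; s2=$3; l2=$4
  e1=$((s1 + l1 - 1)); e2=$((s2 + l2 - 1))
  if [ "$s1" -le "$e2" ] && [ "$s2" -le "$e1" ]; then echo yes; else echo no; fi
}

# Example run: www-data (uid 33) inside user cloud's pod
host_uid cloud 1001 33 "$SUBUID_SAMPLE"
ranges_overlap "$(subuid_start cloud "$SUBUID_SAMPLE")" "$(subuid_len cloud "$SUBUID_SAMPLE")" \
               "$(subuid_start media "$SUBUID_SAMPLE")" "$(subuid_len media "$SUBUID_SAMPLE")"
```

On a live host the same mapping can be read directly with `podman unshare cat /proc/self/uid_map` as the service user; the point of the check is that a process escaping the container is still confined to that user's UID and its subordinate range, so separate users with disjoint ranges are what keep one compromised stack from reading another's data.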
It’s always effort vs risk.
Since it’s a do-once-and-forget kind of thing, I’d rate effort rather low.
As for risk, in the worst-case scenario a single service being compromised means all of them are, with the attacker getting access to everything those services can access, including all the credentials. Will you make an effort to be on top of all the updates for all services?
As far as I’m concerned: At home all containers for each service get a separate user. At work every container does.