Hi all !
As of today, I am running my services with rootless podman pods and containers. Each functional stack gets its dedicated user (user cloud runs a pod with nextcloud-fpm, nginx, postgresql…) with user mapping. Now, my thought were that if an attack can escape a container, it should be contained to a specific user.
Is it really meaningful ? With service users’ home setup in /var/lib, it makes a lot of small stuff annoying and I wonder if the current setup is really worth it ?
The generally don’t containerize things because I’m too old and crusty, but segregating over several users is basically how it’s been done for ages, and while it may not be particularly useful in your case, I consider it a reasonable best practice that costs you nothing.