From a security perspective: Is it necessary that a user, that runs OCI containers with Podman, is not at the same time a member of the
From what I understand the idea behind Podman is to re-map the user ids, such that the root user within the container is equivalent to the user on the host. The security concept is better because if a user can take over the container and break out, the user is not automatically root user on the host (given that the process within the container was started as the container’s root user).
Now if the user on the host is in the docker group, it should be equivalent to having root access, as stated in the Docker post-installation guide:
The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.
So if an attacker breaks out of a container managed by Podman, and at the same time the user who started the container is in the docker group, the security gain should be none compared to managing containers with Docker. Is this correct?
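To make the two halves of the question concrete, here is an added audit helper (example code, not from the original post or from the Podman or Docker projects). It reads a `/proc/<pid>/uid_map` style mapping (what a rootless Podman container's root really is on the host) and an `/etc/group` style file (is that host user also in the docker group); the inputs below are constructed samples, and the `assess` function name is an assumption of this example.

```python
"""Added example: which host uid does container root map to, and is that
host user also in the docker group? Sample inputs are constructed."""
from typing import List, Optional, Tuple


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse /proc/<pid>/uid_map lines: <inside start> <outside start> <count>."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        inside, outside, count = (int(p) for p in parts)
        ranges.append((inside, outside, count))
    return ranges


def container_uid_to_host(uid_map_text: str, container_uid: int) -> Optional[int]:
    """Translate a uid seen inside the user namespace to the real host uid."""
    for inside, outside, count in parse_uid_map(uid_map_text):
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None  # unmapped: shows up as the overflow uid (nobody) inside


def members_of_group(group_text: str, group: str) -> set:
    """Supplementary members of `group` in /etc/group format (primary group via
    /etc/passwd is deliberately not considered here)."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            return {m for m in fields[3].split(",") if m}
    return set()


def assess(uid_map_text: str, group_text: str, host_user: str, host_uid: int) -> dict:
    """Combine both checks: rootless mapping AND no docker-group membership."""
    host_root = container_uid_to_host(uid_map_text, 0)
    rootless = host_root == host_uid           # container root is just our own uid
    in_docker = host_user in members_of_group(group_text, "docker")
    return {"container_root_maps_to": host_root, "rootless": rootless,
            "in_docker_group": in_docker,
            "breakout_lands_unprivileged": rootless and not in_docker}


# Constructed sample: rootless mapping for host uid 1000 plus a subuid range.
SAMPLE_UID_MAP = "         0       1000          1\n         1     100000      65536\n"
SAMPLE_GROUP = "root:x:0:\ndocker:x:999:alice\nwheel:x:10:bob\n"

if __name__ == "__main__":
    print(assess(SAMPLE_UID_MAP, SAMPLE_GROUP, "alice", 1000))
```

On a live system, `/proc/self/uid_map` read from inside the container and `/etc/group` on the host are the real inputs; the result for a user in the docker group mirrors the conclusion drawn in the question.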