Do not run containers with UID 0
Container runtimes can be instructed to run the processes inside a container with a user ID that differs from the one that created the container, similar to what we saw for rootless containers. Running a container's processes as a non-root user is helpful for security: an unprivileged user inside the container limits what a compromised process can do within that container and reduces its impact outside it.
By default, a Dockerfile or Containerfile may leave the default user as root (that is, UID 0). To avoid this, we can use the USER instruction in those build files (for example, USER 1001) to instruct Buildah or other container build tools to run the subsequent build steps, and the container's processes at runtime, as that particular user (UID 1001).
If we force a specific UID, we must also adjust the ownership or permissions of any file, folder, or mount the running container will use, so that the unprivileged user can still read and write what it needs.
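The following shell script is an added example, not code from the book: it inspects a Containerfile and reports which user the final build stage will run as, so that images still starting as UID 0 can be caught before they reach a registry. The three sample Containerfiles it writes are constructed for the demonstration; the helper names final_user, check_non_root and make_samples are assumptions of this example. Note that each FROM begins a new stage that starts again as root, so a USER instruction in an earlier build stage does not protect the final image.

```shell
#!/bin/sh
# Added example (not from the book): find the effective user of the final
# build stage in a Containerfile/Dockerfile and flag images that would start
# as UID 0. Each FROM begins a new stage whose default user is root; the last
# USER instruction in the final stage decides who the container runs as.

# Print the user named by the final stage ("root" when no USER was given).
final_user() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
    {
      instr = toupper($1)
      if (instr == "FROM") user = "root"   # new stage resets to root
      else if (instr == "USER") {
        user = $2
        sub(/:.*/, "", user)               # drop an optional ":group"
      }
    }
    END { print (user == "" ? "root" : user) }
  ' "$1"
}

# Return 0 when the image is built to run as a non-root user, 1 otherwise.
check_non_root() {
  u=$(final_user "$1")
  case "$u" in
    root|0)  echo "$1: final stage runs as root" >&2; return 1 ;;
    *\$*)    echo "$1: USER is an unresolved variable ($u); cannot prove non-root" >&2; return 1 ;;
    *)       echo "$1: final stage runs as $u"; return 0 ;;
  esac
}

# Constructed sample Containerfiles for the demonstration; prints the directory.
make_samples() {
  d=$(mktemp -d)
  cat >"$d/root.Containerfile" <<'EOF'
FROM registry.access.redhat.com/ubi9/ubi-minimal
RUN mkdir /data
# no USER instruction: the container starts as UID 0
EOF
  cat >"$d/nonroot.Containerfile" <<'EOF'
FROM registry.access.redhat.com/ubi9/ubi-minimal
# give the unprivileged user the directory it will write to
RUN mkdir /data && chown 1001:0 /data && chmod 0775 /data
USER 1001:0
CMD ["sleep", "infinity"]
EOF
  cat >"$d/multistage.Containerfile" <<'EOF'
FROM docker.io/library/golang:1.22 AS build
USER 1001
RUN echo build-stage-work
FROM registry.access.redhat.com/ubi9/ubi-minimal
COPY --from=build /tmp /tmp
# USER 1001 above belonged to the build stage only; this stage is root again
EOF
  echo "$d"
}

# Stand-alone run: check every sample and report each verdict.
dir=$(make_samples)
for f in "$dir"/*.Containerfile; do
  check_non_root "$f" || true
done
```

The nonroot sample also shows the permission adjustment the text describes: the directory is created and handed to UID 1001 with the root group (0) before the USER switch, so the unprivileged process can write to it. The check is static; at runtime a flag such as podman run --user 1001 still overrides whatever the image declares.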
Now, let's learn how to adapt...