Hi Rod, I am seeing some of my messages bouncing back - perhaps they are too long so I apologize if this was already sent:
I am not sure if you're asking "why" I think it's a good idea to run as an arbitrary UID or the "why" behind what's going on with doing so...I try to touch on all of it: We don't know the UID until runtime (but we do know that user will be in the root group). While I acknowledge that this seems clumsy at first, and I am far from a security expert, it does seem more secure to me if one cannot predict the runtime UID as Red Hat describes in the OCP docs. If one is always using the *same known* UID, I think the attack surface changes a bit. If there is a need or desire in any given container/application to make that unknown UID be a particular user I see two options: One, we can change an already existing user which can be messy/hard/impossible depending file/directory ownership needs that are required for some applications and order of installation operations. (When I say impossible I am thinking of a particular situation I bumped into which is admittedly a corner case and most likely not applicable here.) The second option is just wait to create the user at runtime. Given the permission changes, we can modify /etc/passwd as described, which results in the creation of the user. In addition, other "chmod g=u" operations are what allows us to take ownership of other files/directories if/as needed at runtime. There are certainly situations where the username simply does not matter and the arbitrary UID in root group is used then there's no need to add a user. HTH, Carl
