run the container as a non root user (some containers won’t work so they need to be run as root user)
To avoid issues with containers, could also make use of user namespaces: https://docs.docker.com/engine/security/userns-remap/
Allows a process to have root privileges within the container, but be unprivileged on the host.
What is your worst case, if someone gains access to your stuff? We can’t answer that. That doesn’t necessarily depend on your applications, but more in the data behind them.
Can be everything. From nothing to financial ruin through identity theft.
I host it to have my own data under my own roof.
I’ve worked in the hosting industry. I’ve witnessed an internal breach, where an employee abused access over a few corners and fetched files matching a certain pattern from all customer VPSes (Virtuozzo container based VPSes have their root filesystem accessible from the host)
I’d argue it’s up there :) In the end you’re quite limited with what you can do as an unprivileged user.
Granted it’s not for Docker, but Kubernetes, but userns is userns. This Kubernetes blog post even has a short demo :) https://kubernetes.io/blog/2023/09/13/userns-alpha/