chetan-reddy
commented
3 weeks ago I assume this is non-trivial due to s6, and I can't blame anyone outside of the HA team for not wanting to bother with this, but since no-one is asking I figure I might as well.
FYI The s6-overlay README now says:
As of version 3.2.0.0, s6-overlay has limited support for running as a user other than root
Been looking around a bit at how to get Docker to run with a different --user, and it seems this is currently not possible.
Usually when this is brought up, i.e. in #31, the suggested solution is "drop the --user flag".
This is great if you just want your config files to be accessible by your host user, but for security, it leaves a lot to be desired. After all, the container is still started with full root privileges.
I only started using HA today and thus have no reason to implicitly trust them to know what they're doing (after all, aside from this, their official documentation tells you to run their container with --privileged without explanation, for the few cases where --device flags would suffice), so I would rather not leave the dropping privileges up to them, and would rather see them not have any more than necessary to begin with.
I assume this is non-trivial due to s6, and I can't blame anyone outside of the HA team for not wanting to bother with this, but since no-one is asking I figure I might as well.