What are the unobvious implications of setting PGID but not PUID?

I understand that by setting PUID and PGID:

  • The container can access files/folders owned by PUID and/or PGID
  • The files the container creates will be owned by PUID and/or PGID

But, what happens if I only set PGID and do not set/pass PUID?

  • The container can access files/folders owned by PGID – which is all that matters
  • The files the container creates will have group owner as PGID – but what will be the file owner?

And, are there any security implications to any of the combinations?

  • Will the container ever be able to access files outside of the volumes passed down? For example, if PUID is 1000 and /home/blah/file is passed to the container, will the container have access to /home/blah/...?
  • If I don’t pass PUID, will the container be able to go outside of the volume passed down to access files owned by root?

If you don’t set the PUID (or the PGID) it will be set to 911 by default.

Containers are by default sandboxed and only have access to whatever you define.

If you map /foo/bar on host, it will have access to /foo/bar inside the container at the mapped internal path, but not /foo/blah on host.

Permissions are a different topic.

Got it. Is there any pro/con to doing this?

I’m debating if I actually need to create a new user account or if I can just use the docker group. I don’t want to use my main ID.

Doing what exactly?

I feel like we’re hitting the https://xyproblem.info/
Why don’t you tell us what the underlying issue is, rather than ask about what you think may be possible solutions?

What problem do you think using your Linux user’s uid would have?

I want there to be a distinction between my user’s files vs. the files my containers create. I want them to have a different UID.

I could create a new data user and group, but it doesn’t sound like I need a user, just the group. So I could just create a data group, add my user to the data group, and pass data’s GID to containers.
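As an added illustration (not from any of the posts above) of what that plan means for ownership and access, this Python model applies the ordinary POSIX permission check to the identities involved: a host user in a `data` group and a container given only PGID, so it runs as the default uid 911. The gid 2000, the file modes and the umask are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """Identity a process runs with: uid, primary gid, supplementary gids."""
    uid: int
    gid: int
    groups: frozenset = frozenset()

    def in_group(self, gid: int) -> bool:
        return gid == self.gid or gid in self.groups


@dataclass(frozen=True)
class File:
    owner: int
    group: int
    mode: int  # permission bits only, e.g. 0o644


def can(proc: Proc, f: File, perm: str) -> bool:
    """POSIX discretionary access check for 'r', 'w' or 'x'.
    uid 0 is deliberately not special-cased: the question is what a
    non-root PUID/PGID identity can reach. Exactly one class applies
    (owner, else group, else other); later classes are never consulted."""
    bit = {"r": 4, "w": 2, "x": 1}[perm]
    if proc.uid == f.owner:
        shift = 6
    elif proc.in_group(f.group):
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & bit)


def container_creates(proc: Proc, umask: int = 0o022) -> File:
    """Ownership a file gets when the container writes it: owner = PUID
    (911 when unset), group = PGID. Mode 0o666 masked by umask is an
    assumption about the process umask, not something the thread states."""
    return File(owner=proc.uid, group=proc.gid, mode=0o666 & ~umask)


# Constructed scenario: host user 1000 added to group 'data' (gid 2000);
# container started with PGID=2000 and no PUID, hence uid 911.
DATA_GID = 2000
host_user = Proc(uid=1000, gid=1000, groups=frozenset({DATA_GID}))
container = Proc(uid=911, gid=DATA_GID)

user_file = File(owner=1000, group=1000, mode=0o644)        # user's own file
shared_file = File(owner=1000, group=DATA_GID, mode=0o664)  # group-writable
made_by_container = container_creates(container)            # owned by 911:data
```

The noteworthy case is `made_by_container`: with a 022 umask the host user can read it through the group but cannot modify it, which is only visible once you model the owner/group/other split rather than the group membership alone.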