CME-703
Rootless Containers
Description
Containers run entirely without root privileges on the host: the container runtime, image pulls, and all container processes execute as an unprivileged user, so a container escape yields only that user's privileges on the host rather than host-level root.
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Scope (S) | C → U | Container escape lands as unprivileged host user, not root |
| Privileges Required (PR) | L → H | Even root inside container is unprivileged on host |
CWE Relationships
Verification
Verify that podman (or Docker) is running rootless
$ podman info | grep rootless
# Expected: rootless: true
Platform: linux
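The check above is a one-line grep; the following script, added here as an example and not part of the CME-703 entry, turns it into two reusable functions. The first parses `podman info` text for the `rootless: true` line; the second reads a `/proc/self/uid_map` line from inside a container and confirms that container uid 0 maps to a non-zero host uid, which is the property behind the PR: L → H transition in the table. Both are run against constructed sample text so the script works offline; the live commands are given in comments and assume current podman output formatting.

```shell
#!/bin/sh
# Added verification example for CME-703 (not part of the original entry).
#  1. info_is_rootless   : parse `podman info` output for "rootless: true"
#  2. uid_map_is_rootless: interpret a /proc/self/uid_map line from inside a
#                          container; rootless means root-in-container is an
#                          ordinary uid on the host

# Constructed samples of the relevant part of `podman info` output.
INFO_ROOTLESS='host:
  security:
    rootless: true
    seccompEnabled: true'
INFO_ROOTFUL='host:
  security:
    rootless: false
    seccompEnabled: true'

# Constructed /proc/self/uid_map lines: "<uid inside ns> <uid outside ns> <count>".
UIDMAP_ROOTLESS='         0       1000          1'   # container root == host uid 1000
UIDMAP_ROOTFUL='         0          0 4294967295'   # identity mapping: root stays root

# info_is_rootless TEXT: returns 0 when TEXT contains a "rootless: true" line.
# Live use: info_is_rootless "$(podman info)"
info_is_rootless() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*rootless:[[:space:]]*true[[:space:]]*$'
}

# uid_map_is_rootless LINE: returns 0 when the entry maps inside-namespace uid 0
# to a host uid other than 0; returns 1 for rootful (identity) mappings or a
# malformed line.
# Live use, inside a container: uid_map_is_rootless "$(head -n1 /proc/self/uid_map)"
uid_map_is_rootless() {
    set -- $1                         # word-split the line into $1 $2 $3
    [ "$#" -eq 3 ] || return 1        # anything but three fields is not a uid_map entry
    [ "$1" -eq 0 ] && [ "$2" -ne 0 ]  # inside uid 0 must land on a non-root host uid
}

# Demo against the constructed samples (each check is in a conditional, so a
# rootful result is reported rather than aborting the script).
if info_is_rootless "$INFO_ROOTLESS"; then echo "info sample 1: rootless"; else echo "info sample 1: ROOTFUL"; fi
if info_is_rootless "$INFO_ROOTFUL";  then echo "info sample 2: rootless"; else echo "info sample 2: ROOTFUL"; fi
if uid_map_is_rootless "$UIDMAP_ROOTLESS"; then echo "uid_map sample 1: rootless"; else echo "uid_map sample 1: ROOTFUL"; fi
if uid_map_is_rootless "$UIDMAP_ROOTFUL";  then echo "uid_map sample 2: rootless"; else echo "uid_map sample 2: ROOTFUL"; fi
```

The uid_map check is the one that actually demonstrates the rationale in the table: with a rootless runtime, `cat /proc/self/uid_map` inside a container shows uid 0 mapped to the invoking user's host uid, so an escape inherits that user's privileges and nothing more. An identity mapping (`0 0 4294967295`) means the container's root is the host's root.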