When using “docker run”, I would like to be able to pass in the uid/gid (--user) to override the user specified in the container, but I also want to ensure it is the same as the current user running the “docker run” command. In other words, if I have a uid/gid of 1000/1000, I don’t want to be able to pass in 1001/1001 (and, therefore, potentially have access to that user’s files on the host). Is there a secure way of doing this?
For me it is quite simple: if you don’t trust your users, don’t give them shell access and don’t allow them to use the remote socket. Isn’t permitting access to the docker.sock to anyone other than the root user and group already a massive softening of the security itself?
If your restricted users are able to pull images from Docker Hub or build their own images with root access, and are able to declare their own volume mappings at the same time, the whole approach of enforcing that the uid outside the container has to match the uid inside the container is not going to work, when you take into account that --user only applies if the image has at least one declaration for a restricted user.
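As an added example (not code from any poster in this thread), here is a POSIX sh wrapper that does what the question asks for: it accepts an optional --user/-u flag, refuses it unless it is exactly the invoking user's uid:gid, and always passes that uid:gid to docker run. The names docker_run_as_self, requested_user and check_user_spec are hypothetical. It assumes the condition the two replies point to: users can only reach docker through this wrapper (for instance via a sudo rule) and have no docker-group or docker.sock access, otherwise the check is trivially bypassed by running docker directly.

```shell
#!/bin/sh
# Added example: force "docker run" to use the caller's own uid:gid.
# Assumption: this wrapper is the only path to the docker daemon for
# unprivileged users; anyone who can talk to docker.sock directly is
# effectively root on the host and can ignore this check entirely.

# Print the value of the last --user / -u flag in the argument list.
# Prints nothing if no such flag is present; returns 1 if the flag has
# no value. A --user that appears after the image name would belong to
# the container command, but we still inspect it: refusing is the safe side.
requested_user() {
    spec=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --user=*) spec=${1#--user=} ;;
            --user|-u)
                [ $# -gt 1 ] || return 1
                spec=$2
                shift ;;
        esac
        shift
    done
    printf '%s\n' "$spec"
}

# Return 0 if WANT is empty (nothing requested) or exactly "MY_UID:MY_GID".
# Everything else is refused: a different uid or gid, a bare uid (the gid
# would then come from the image), a name (resolved inside the container,
# not on the host), or any extra characters.
check_user_spec() {
    want=$1; my_uid=$2; my_gid=$3
    case "$want" in
        "")         return 0 ;;
        *[!0-9:]*)  return 1 ;;
        *:*)
            want_uid=${want%%:*}
            want_gid=${want#*:}
            [ "$want_uid" = "$my_uid" ] && [ "$want_gid" = "$my_gid" ] ;;
        *)          return 1 ;;
    esac
}

# Wrapper entry point: docker_run_as_self [docker run options] IMAGE [CMD...]
docker_run_as_self() {
    my_uid=$(id -u)
    my_gid=$(id -g)
    spec=$(requested_user "$@") || {
        echo "docker_run_as_self: --user given without a value" >&2
        return 2
    }
    check_user_spec "$spec" "$my_uid" "$my_gid" || {
        echo "docker_run_as_self: refusing --user '$spec'; only $my_uid:$my_gid is allowed" >&2
        return 1
    }
    # Our --user goes first; if the caller also passed one it has already
    # been verified to be identical, so the result is the same either way.
    docker run --user "$my_uid:$my_gid" "$@"
}
```

A sudo rule such as `%devs ALL=(root) NOPASSWD: /usr/local/bin/docker_run_as_self` (hypothetical path) is the kind of arrangement this needs: the script runs as root, but the uid:gid it enforces comes from `SUDO_UID`/`SUDO_GID` or, as written here, from `id` if the script is invoked without sudo by a user who has no other route to the daemon. The volume-mapping concern raised in the last reply still stands: this wrapper only pins the process identity, so bind mounts of other users' directories must be restricted separately.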