rootless

Rootless is a term used to describe software, services, or environments that run without requiring root (superuser) privileges. In a rootless configuration, the majority of operations are performed by a non-privileged user; privileged actions are limited, and isolation mechanisms such as user namespaces, capabilities dropping, and sandboxing are employed to contain potential damage from misbehavior or compromise.

In containerization, rootless container runtimes run containers as non-privileged users. Examples include Podman in rootless mode and Docker in rootless mode. In these setups, the container's root user is mapped to an unprivileged host user, and operations that would normally require root are restricted. Benefits include safer experimentation and enhanced multi-tenant security; limitations include restricted access to certain host resources, need for kernel support for user namespaces, and sometimes reduced performance or compatibility with certain images or features.

Rootless operation can also apply to how software is installed and run, using per-user prefixes and avoiding the need for sudo. Package managers and runtimes that support user-space installations illustrate this, as do applications that can be started and managed entirely by a non-root user without affecting system-wide configuration.

Security considerations and limitations accompany rootless modes. They reduce the risk of privilege escalation and limit the potential impact of a compromised process, but they can complicate tasks that require privileged operations, such as binding to low-numbered ports, mounting file systems, or performing certain networking or hardware access. Some features may be blocked or unavailable in rootless configurations.
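
As an added example (not part of the original page), the following Python code illustrates the mapping described above, in which the container's root user corresponds to an unprivileged host user. It parses the kernel's `/proc/<pid>/uid_map` format; the sample maps, host UID 1000 and the subordinate range starting at 100000 are constructed values, and the function names are hypothetical.

```python
"""Translate namespace UIDs to host UIDs from a uid_map (added example)."""
from typing import List, NamedTuple, Optional


class Extent(NamedTuple):
    inside: int   # first UID as seen inside the user namespace
    outside: int  # first UID as seen from the parent (host) namespace
    length: int   # number of consecutive UIDs covered


def parse_uid_map(text: str) -> List[Extent]:
    """Parse /proc/<pid>/uid_map content: 'inside outside length' per line."""
    extents = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"line {lineno}: length must be positive")
        extents.append(Extent(inside, outside, length))
    return extents


def to_host_uid(extents: List[Extent], ns_uid: int) -> Optional[int]:
    """Return the host UID behind ns_uid, or None if ns_uid is unmapped."""
    for e in extents:
        if e.inside <= ns_uid < e.inside + e.length:
            return e.outside + (ns_uid - e.inside)
    return None


def root_maps_to_host_root(extents: List[Extent]) -> bool:
    """True when UID 0 in the namespace is also UID 0 on the host."""
    return to_host_uid(extents, 0) == 0


# Constructed samples: a typical rootless layout (host user 1000 plus a
# subordinate range) and the identity map of the initial namespace.
ROOTLESS_MAP = "         0       1000          1\n         1     100000      65536\n"
HOST_MAP = "         0          0 4294967295\n"

if __name__ == "__main__":
    rootless = parse_uid_map(ROOTLESS_MAP)
    for uid in (0, 1, 33, 65537):
        print(f"namespace uid {uid:>5} -> host uid {to_host_uid(rootless, uid)}")
    print("root is host root:", root_maps_to_host_root(rootless))
```

On a live system the same functions can be fed the contents of `/proc/<pid>/uid_map` for a container process to confirm that its UID 0 does not resolve to host UID 0.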