sudneo
tl;dr, yes, it does.
Containers are nothing like VMs, and containers in Linux are basically a combination of a feature called Cgroups, which allows restricting the resources (like memory, etc.) available to a process or group of processes, and namespaces. Namespaces are a construct in which certain namespaced resources are separated from each other, and processes can only see those belonging to their namespace. A simple example is a mount namespace. When you launch a container, you see a / directory which is not the root directory of your system.
Now, the problem is that not all the resources are namespaced, so there is still quite a lot that processes within containers can do interacting with the main system resources, especially if they are root.
A root process within a container generally can do lots of things that the actual root process can do outside of it. For example, mounting parts of the filesystem (if you run with --privileged), loading kernel modules, etc. Podman can run rootless, in the sense that it also uses User namespaces, meaning a user 0 (root) inside a container is actually mapped to something else outside, but Docker can also do the same nowadays.
So yeah, in general, running the applications with the least amount of privileges is a good idea and you should do it whenever you can. Even if you do need some privileges, you should add only the Capabilities needed, not just go straight to root.
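The two properties discussed in the comment above (whether root inside the container is remapped by a user namespace, and which capabilities the process actually holds) can be read from /proc. The following is an added example, not part of the original comment; the RISKY policy set and the sample inputs are assumptions constructed for illustration.

```python
# Added example. Capability bit numbers follow linux/capability.h (subset).
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
             7: "CAP_SETUID", 12: "CAP_NET_ADMIN", 16: "CAP_SYS_MODULE",
             19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}
# Hypothetical review policy: capabilities worth flagging in a container.
RISKY = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_DAC_READ_SEARCH"}

def effective_caps(status_text):
    """Decode the CapEff hex bitmask of /proc/<pid>/status into capability names."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return {CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if (mask >> b) & 1}
    raise ValueError("no CapEff line found")

def host_uid_of_root(uid_map_text):
    """Host uid that container uid 0 maps to (from /proc/<pid>/uid_map), or None."""
    for line in uid_map_text.splitlines():
        inside, outside, count = (int(x) for x in line.split())
        if inside == 0 and count > 0:
            return outside
    return None

def audit(status_text, uid_map_text):
    """Return a list of findings for one process; an empty list means none."""
    findings = []
    if host_uid_of_root(uid_map_text) == 0:
        findings.append("container root is host root (no user-namespace remap)")
    findings += [f"{cap} in effective set"
                 for cap in sorted(effective_caps(status_text) & RISKY)]
    return findings

# Constructed sample inputs, not captured from a real system.
PRIVILEGED = ("Name:\tsh\nCapEff:\t000001ffffffffff\n", "0 0 4294967295\n")
ROOTLESS = ("Name:\tsh\nCapEff:\t00000000a80425fb\n", "0 1000 1\n1 100000 65536\n")

if __name__ == "__main__":
    for name, (status, uid_map) in [("privileged", PRIVILEGED), ("rootless", ROOTLESS)]:
        print(name, audit(status, uid_map) or "no findings")
```

To check a live process, pass the contents of /proc/self/status and /proc/self/uid_map read from inside the container.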
I know what you are referring to with regards to the LGBTQ+ matter, but the only source is the user who reported it (with a screenshot that did not show anything), the same user who used some completely dishonest and bad faith arguments* to slander the CEO guy. I wouldn’t take that at face value and I have absolutely no problem seeing, instead, a reason to moderate their comments.
* the CEO of Kagi has a website with a “best country ranking”, which is just a stupid page with 15 criteria chosen to rank which country is the greatest. The argument was that the guy must be a racist/white supremacist because the top countries for the most part were white (and wealthy. Duh). Apparently they were especially pissed about the fact that he decided to include the Olympic medals per capita, despite the fact that it’s one of the few metrics in which first world countries were not at the top.
They have literally an explanation for this on their website. You might disagree, but saying “it makes no sense”…makes no sense.
Also, they discontinued the earbuds and still no jack on FP5, so the idea that “they wanted to sell their own buds” doesn’t seem to be likely.
Add the DAC_READ_SEARCH capability to the restic binary (using setcap). This is what allows reading all files. Obviously this means being able to read all, all, files including shadow etc.