Root vs Non Root User when building images

[Nebulised]

Apologies if I have somehow missed the answer to this elsewhere but I can't seem to find one for podman specifically.

When building images using a containerfile, is it still best practice to run as a non root user? E.g. for node npm ci/pythons pip install?

Presumably if so, rather than using userns=keep-id you would instead map it to the non root user created inside?

Does this have security benefits to do it as a non root user, considering root is in fact just your user account anyway outside of the container?

Thanks for your time

[baude]

I guess I look at it inversely; is there any reason to build with privileges? I cant think of anything offhand unless your containerfile needs specific privileges.

[YitzhakMizrahi]

I would separate two concerns: the user used while building the image, and the user used by the final running container.

For Podman rootless builds, UID 0 inside the build container is mapped through a user namespace, so it is not the same as real host root. That reduces the host-risk side of the question. But it does not mean the final image should run as root.

A common pattern is:

FROM node:22 AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM node:22-slim
WORKDIR /app
RUN useradd --create-home --shell /usr/sbin/nologin appuser
COPY --from=build --chown=appuser:appuser /app /app
USER appuser
CMD ["node", "server.js"]

For Python, the same idea applies: install OS packages or system-level dependencies as root if needed, then copy/chown the app and switch to a non-root user in the final stage.

So my rule of thumb is:

• Build steps may use root when package managers or OS packages need it.
• The final runtime stage should use USER some-non-root-user unless the app truly needs root.
• userns=keep-id is more useful for local development bind mounts than for defining the image itself.
• Running as non-root inside the final container still has value: it reduces blast radius if the process is compromised and catches accidental writes to paths the app should not own.

So yes, there are still security and correctness benefits, but I would not force every build step to be non-root. Focus on the final runtime image first.