Podman and user namespaces: A marriage made in heaven | Opensource.com

A user namespace allows you to specify a user identifier (UID) and group identifier (GID) mapping under which your containers run. This means a process can run as UID 0 inside the container while being UID 100000 outside the container. If your container processes escape the container, the kernel will treat them as UID 100000. Not only that, but any file object owned by a UID that isn’t mapped into the user namespace will be treated as owned by “nobody” (65534, kernel.overflowuid), and the container process will not be allowed access unless the object is accessible by “other” (world readable/writable).
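As an added example (not code from the article), the following Python translates UIDs through a user-namespace mapping written in the `/proc/<pid>/uid_map` format ("inside outside length") and shows how the owner of a host file that is not mapped into the namespace collapses to the overflow UID. The mapping value is constructed to match the article's case of container UID 0 becoming host UID 100000; group bits and capability overrides are deliberately left out of the access check.

```python
import stat

OVERFLOW_UID = 65534  # kernel.overflowuid default, shown as "nobody"

def parse_uid_map(text):
    """Parse uid_map lines into (inside_start, outside_start, length) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        inside, outside, length = (int(f) for f in fields)
        entries.append((inside, outside, length))
    return entries

def host_uid(entries, container_uid):
    """Host UID for a UID seen inside the namespace, or None if it is unmapped."""
    for inside, outside, length in entries:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None

def container_view_of_owner(entries, owner_host_uid):
    """UID the container sees as a host file's owner (overflow UID if unmapped)."""
    for inside, outside, length in entries:
        if outside <= owner_host_uid < outside + length:
            return inside + (owner_host_uid - outside)
    return OVERFLOW_UID

def may_access(entries, container_uid, owner_host_uid, mode, want_write):
    """Simplified DAC check: the kernel compares host-side UIDs, so the owner
    bits only apply when the caller's host UID equals the file's host owner;
    otherwise the 'other' bits decide. Group bits and CAP_DAC_OVERRIDE are
    ignored to keep the focus on the UID mapping."""
    caller = host_uid(entries, container_uid)
    if caller is not None and caller == owner_host_uid:
        bit = stat.S_IWUSR if want_write else stat.S_IRUSR
    else:
        bit = stat.S_IWOTH if want_write else stat.S_IROTH
    return bool(mode & bit)

# Constructed mapping matching the article: container UID 0 -> host UID 100000.
ROOTLESS_MAP = parse_uid_map("0 100000 65536\n")
```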

https://opensource.com/article/18/12/podman-and-user-namespaces