Microsoft: Two New 0-Day Flaws in Exchange Server

Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.

In customer guidance released Thursday, Microsoft said it is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that lets an authenticated attacker remotely trigger the second zero-day, CVE-2022-41082, which allows remote code execution (RCE) when PowerShell is accessible to the attacker.

Microsoft said Exchange Online has detections and mitigation in place to protect customers. Customers using on-premises Microsoft Exchange servers are urged to review the mitigations suggested in the security advisory, which Microsoft says should block the known attack patterns.

Vietnamese security firm GTSC on Thursday published a writeup on the two Exchange zero-day flaws, saying it first observed the attacks in early August being used to drop “webshells.” These web-based backdoors offer attackers an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser.

“We detected webshells, mostly obfuscated, being dropped to Exchange servers,” GTSC wrote. “Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management. We suspect that these come from a Chinese attack group because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese.”

GTSC’s advisory includes details about post-compromise activity and related malware, as well as steps it took to help customers respond to active compromises of their Exchange Server environment. But the company said it would withhold more technical details of the vulnerabilities for now.
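As an added example (not code from GTSC, Microsoft or the original article), the shell script below applies the one indicator the GTSC excerpt gives, the AntSword user-agent, to an IIS W3C log. The log lines, the user-agent value "antSword/v2.1" and the request paths are constructed assumptions, not observed data; the column positions are read from the log's own "#Fields:" header so the same function works on logs with a different field layout.

```shell
#!/bin/sh
# Added example, not code from GTSC or Microsoft: scan an IIS W3C log for
# requests whose User-Agent identifies the AntSword webshell client, the
# indicator GTSC cited. Column positions are taken from the "#Fields:" header
# rather than hard-coded, because IIS log layouts vary between servers.
# The UA value "antSword/v2.1" and the request paths are assumptions.

# Constructed sample log in IIS W3C format (not a real capture). IIS replaces
# spaces inside the User-Agent with "+", so fields stay space-delimited.
make_sample_log() {
    cat > "$1" <<'EOF'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-09-29 03:14:07 10.0.0.5 GET /owa/auth/logon.aspx - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2022-09-29 03:14:09 10.0.0.5 POST /owa/auth/cmd.aspx - 198.51.100.23 antSword/v2.1 200
2022-09-29 03:14:12 10.0.0.5 POST /owa/auth/cmd.aspx - 198.51.100.23 antSword/v2.1 200
2022-09-29 03:15:01 10.0.0.5 GET /ecp/default.aspx - 192.0.2.44 Mozilla/5.0+(Macintosh) 302
EOF
}

# Print "client-ip method uri" for every request with an AntSword User-Agent.
flag_antsword() {
    awk '
        /^#Fields:/ {                 # map field names to column numbers
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            next
        }
        /^#/ { next }                 # skip other comment lines
        {
            ua = tolower($(col["cs(User-Agent)"]))
            if (index(ua, "antsword") > 0)
                print $(col["c-ip"]), $(col["cs-method"]), $(col["cs-uri-stem"])
        }
    ' "$1"
}

# Count AntSword requests per source IP, most active first.
antsword_by_ip() {
    flag_antsword "$1" | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

LOG="${TMPDIR:-/tmp}/iis_sample.log"
make_sample_log "$LOG"
flag_antsword "$LOG"
antsword_by_ip "$LOG"
```

A user-agent is trivially changed by the attacker, so treat a hit as a lead to pivot on (the source IP, the .aspx paths it touched, their creation times) rather than as the only detection.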

In March 2021, hundreds of thousands of organizations worldwide had their email stolen and multiple backdoor webshells installed, all thanks to four zero-day vulnerabilities in Exchange Server.

Granted, the zero-day flaws that powered that debacle were far more critical than the two detailed this week, and there are no signs yet that exploit code has been publicly released (that will likely change soon). But part of what made last year’s Exchange Server mass hack so pervasive was that vulnerable organizations had little or no advance notice on what to look for before their Exchange Server environments were completely owned by multiple attackers.

Microsoft is quick to point out that these zero-day flaws require an attacker to have a valid username and password for an Exchange user, but this may not be such a tall order for the hackers behind these latest exploits against Exchange Server.

Steven Adair is president of Volexity, the Virginia-based cybersecurity firm that was among the first to sound the alarm about the Exchange zero-days targeted in the 2021 mass hack. Adair said GTSC’s writeup includes an Internet address used by the attackers that Volexity has tied with high confidence to a China-based hacking group that has recently been observed phishing Exchange users for their credentials.

In February 2022, Volexity warned that this same Chinese hacking group was behind the mass exploitation of a zero-day vulnerability in the Zimbra Collaboration Suite, which is a competitor to Microsoft Exchange that many enterprises use to manage email and other forms of messaging.

If your organization runs Exchange Server, please consider reviewing the Microsoft mitigations and the GTSC post-mortem on their investigations.

Final Beta of Ubuntu 22.10 ‘Kinetic Kudu’ is Released

Ubuntu 22.10, code name ‘Kinetic Kudu’, is now in beta. The final release is expected on October 20, 2022. Here is what’s new in the next release of the popular Linux distribution.

Ubuntu 22.10 ships Linux kernel 5.19 with new hardware support. The default desktop environment is GNOME 43, which features a new flat system menu.

Ubuntu 22.10 new system menu

The ‘Background’ settings tab has been removed from GNOME Control Center. Instead, users choose the wallpaper in the ‘Appearance’ tab, and a new ‘Ubuntu Desktop’ tab holds the dock and desktop-icon settings.

New Ubuntu Desktop settings tab

Files (aka Nautilus) has been ported to GTK4 and libadwaita, so it has an adaptive UI that shows or hides the left sidebar automatically depending on the window size. In addition, the “undo” pop-up has moved to the bottom of the file manager, where it no longer interrupts your workflow. The context (right-click) menu, file properties, and about dialog have been redesigned with a touch-friendly UI.

Ubuntu 22.10 Desktop finally uses PipeWire as the default sound server instead of PulseAudio. The WebP image format is supported out of the box, and gedit has been replaced with GNOME Text Editor.

Other changes in Ubuntu 22.10 include:

  • Files (Nautilus file manager) now supports Undo/Redo actions.
  • Light and dark wallpaper variants are supported in the Appearance settings page.
  • GNOME To Do is no longer pre-installed, and gnome-books has been removed from the repository.
  • Clicking an app icon in the dock switches between its windows when several are open.
  • A new icon in the top-right system menu launches the screenshot UI.

Compared with Ubuntu 22.04 LTS, Ubuntu 22.10 feels noticeably faster and smoother, especially when switching between light and dark themes and accent colors. As a short-term release, however, it is supported for only 9 months.

Download Ubuntu 22.10:

Ubuntu 22.10 desktop and server .iso images are available to download at the link below:

Ubuntu 22.04 users can upgrade to this beta by following the official guide. It is recommended to disable third-party repositories and PPAs, and to uninstall proprietary drivers, before starting the upgrade.

For more about Ubuntu 22.10, see the official release notes.

LeakBase Announces Swachhata Platform Breached, 16 Million User PII Records Exposed

Yesterday, data breach notification website Leakbase said someone allegedly hacked the Swachhata Platform in India and stole 16 million user records.

Security researchers at CloudSEK reported the news after discovering a post by Leakbase sharing data samples containing personally identifiable information (PII), including email addresses, hashed passwords and user IDs.

Earlier this week, an advisory published by CloudSEK reported that 6GB of compromised data from the Swachhata Platform, an initiative in association with the Ministry of Housing and Urban Affairs of India, is being shared via a popular file-hosting platform.

“[Leakbase is] previously known for providing reliable information and data breaches from companies around the world,” wrote CloudSEK. “[Threat actors on the platform] often operate for financial gain and conduct sales on their marketplace forum Leakbase.”

In 2017 the platform was at the center of a massive data breach at Taringa, a Reddit-like social network for Latin American users.

Further to this, CloudSEK said Leakbase users often offer access to admin panels and servers of several content management systems (CMSs), allegedly gained via unauthorized means and sold for monetary profit.

“This information can be aggregated to further be sold as leads on cybercrime forums,” the company wrote.

In addition, the security experts said the data could be harvested by threat actors to conduct phishing, smishing and social engineering attacks.

To mitigate the impact of attacks like this, CloudSEK recommended that system administrators implement a strong password policy and enable multi-factor authentication (MFA) across logins.

It also recommended that vulnerable and exploitable endpoints be patched, and that user account anomalies that could indicate account takeovers be monitored regularly.

To conclude, CloudSEK said companies should monitor cybercrime forums to keep up with the latest tactics employed by threat actors.

It appears that the alleged data leak comes days after Optus was hit by a cyber-attack that exposed the data of at least 10,000 Australians.

The post LeakBase Announces Swachhata Platform Breached, 16 Million User PII Records Exposed appeared first on IT Security Guru.

How To Download Music Directly To iPod Without iTunes


Description: In this article, we’ll show you step by step how to download music directly to your iPod quickly and easily.

How do I put music directly on my iPod?

The 2019 launch of a new iPod caused a stir. People from all over the globe took a trip down memory lane, dug out their old iPods and brought them back to life. Even though the iPod is no longer sold, it remains a formidable competitor to other MP3 and media players. If you still cherish your iPod, or recently bought one, you may be searching for ways to add music to it without iTunes.

iTunes was popular in its day because there were few alternative iOS tools, but it is far less favored today: it involves many complicated steps and takes a lot of time, instead of making audio and video conversions and transfers simple.

iTunes is not available on all devices, and it can confuse even the most tech-savvy. Apple removed it from macOS, so only Windows PC owners can still use it, and even Windows users advise avoiding it as it becomes more time-consuming and inefficient.

But don’t worry! We have some great news for you who want music on your iPod, but don’t trust iTunes or any other unreliable tool!

Do you want to find out what we are talking about? Continue reading!

How can you put music on your iPod without iTunes?

Softorino, a US-based software company, makes WALTR PRO, which can put music on your iPod without using iTunes.

It works on both Windows PCs and Macs. The software makes file conversion and transfers simple, efficient, and easy. WALTR PRO is more reliable than iTunes and other unreliable online tools. It produces the highest quality output possible in the shortest time.

Download and install WALTR PRO:

Download the WALTR PRO trial from Softorino on your Mac or Windows PC. Once your download is completed, follow the on-screen instructions to install the software on the laptop. After the app has been installed, launch WALTR Pro for the first time. You’ll be prompted by an onboarding video to show you everything about the desktop tool.

Next, enter your email address to receive your trial code. After you have entered your email address, your trial key will be sent to you. Once it arrives, enter the key into the appropriate field.

Time to connect your iPod to your Mac or Windows PC:

You will need a USB cable to connect your iPod to your computer the first time. After that, if both devices are on the same network, you can transfer files over Wi-Fi.

After you have connected your iPod to the computer using the USB cable, go to the WALTR PRO settings window and choose the Enable WiFi connectivity option. You can then send all files to your iPod using WALTR PRO via Wi-Fi.

Drag, Drop, Relax:

You don’t have to go to Select Files to manually search your computer for music files that you wish to convert or transfer to your iPod. Instead, drag and drop them into the WALTR Pro window.

Drag and drop files to be transferred and the process will start immediately. You can also choose your iPod from the available devices and click the Convert and Transmit buttons.

WALTR PRO Features

  • WALTR PRO has many customization options
  • It features an easy drag-and-drop mechanism
  • Many useful features are available at a low cost
  • Editing your output file’s destination is easy
  • This tool allows wireless transfers between all iOS devices

Fake CISO Profiles on LinkedIn Target Fortune 500s

Someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. It’s not clear who’s behind this network of fake CISOs or what their intentions may be. But the fabricated LinkedIn identities are confusing search engine results for CISO roles at major companies, and they are being indexed as gospel by various downstream data-scraping sources.

If one searches LinkedIn for the CISO of the energy giant Chevron, one might find the profile for a Victor Sites, who says he’s from Westerville, Ohio and is a graduate of Texas A&M University.

The LinkedIn profile for Victor Sites, who is most certainly NOT the CISO of Chevron.

Of course, Sites is not the real CISO of Chevron. That role is currently occupied by Christopher Lukas of Danville, Calif. If you were confused at this point, you might ask Google who it thinks is the current Chief Information Security Officer of Chevron. When KrebsOnSecurity did that earlier this morning, the fake CISO profile was the very first search result returned (followed by the LinkedIn profile for the real Chevron CISO).

Helpfully, LinkedIn seems to be able to detect something in common about all these fake CISO profiles, because it suggested I view a number of them in the “People Also Viewed” column seen in the image above. There are two fake CISO profiles suggested there, including one for a Maryann Robles, who claims to be the CISO of another energy giant — ExxonMobil.

Maryann’s profile says she’s from Tupelo, Miss., and includes a quaint description of how she became a self-described “old-school geek.”

“Since playing Tradewars on my Tandy 1000 with a 300 baud modem in the early ’90s, I’ve had a lifelong passion for technology, which I’ve carried with me as Deputy CISO of the world’s largest health plan,” her profile reads.

However, this description appears to have been lifted from the profile for the real CISO at the Centers for Medicare & Medicaid Services in Baltimore, Md.

Interestingly, Maryann’s LinkedIn profile was accepted as truth by Cybercrime Magazine’s CISO 500 listing, which claims to maintain a list of the current CISOs at America’s largest companies:

The fake CISO for ExxonMobil was indexed in Cybercrime Magazine’s CISO 500.

Rich Mason, the former CISO at Fortune 500 firm Honeywell, began warning his colleagues on LinkedIn about the phony profiles earlier this week.

“It’s interesting the downstream sources that repeat LinkedIn bogus content as truth,” Mason said. “This is dangerous, Apollo.io, Signalhire, and Cybersecurity Ventures.”

Google wasn’t fooled by the phony LinkedIn profile for Jennie Biller, who claims to be CISO at biotechnology giant Biogen (the real Biogen CISO is Russell Koste). But Biller’s profile is worth mentioning because it shows how some of these phony profiles appear to be quite hastily assembled. Case in point: Biller’s name and profile photo suggest she is female, however the “About” description of her accomplishments uses male pronouns. Also, it might help that Jennie only has 18 connections on LinkedIn.

Again, we don’t know much about who or what is behind these profiles, but in August the security firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.

None of the profiles listed here responded to requests for comment (or to become a connection).

In a statement provided to KrebsOnSecurity, LinkedIn said its teams were actively working to take these fake accounts down.

“We do have strong human and automated systems in place, and we’re continually improving, as fake account activity becomes more sophisticated,” the statement reads. “In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scam.”

LinkedIn could take one simple step that would make it far easier for people to make informed decisions about whether to trust a given profile: Add a “created on” date for every profile. Twitter does this, and it’s enormously helpful for filtering out a great deal of noise and unwanted communications.

The former CISO Mason said LinkedIn also could experiment with offering something akin to Twitter’s verified mark to users who choose to validate that they can respond to email at the domain associated with their stated current employer.

“If I saw that a LinkedIn profile had been domain-validated, then my confidence in that profile would go way up,” Mason said, noting that many of the fake profiles had hundreds of followers, including dozens of real CISOs. Maryann’s profile grew by a hundred connections in just the past few days, he said.

“If we have CISOs that are falling for this, what hopes do the masses have?” Mason said.

Mason said LinkedIn also needs a more streamlined process for allowing employers to remove phony employee accounts. He recently tried to get a phony profile removed from LinkedIn for someone who falsely claimed to have worked for his company.

“I shot a note to LinkedIn and said please remove this, and they said, well, we have to contact that person and arbitrate this,” he said. “They gave the guy two weeks and he didn’t respond, so they took it down. But that doesn’t scale, and there needs to be a mechanism where an employer can contact LinkedIn and have these fake profiles taken down in less than two weeks.”

Avidemux 2.8.1 is out with New Filters & HiDPI Improvements

Avidemux video editor released version 2.8.1 a few days ago. Here are the new features and how to install it in Ubuntu 22.04 and Ubuntu 20.04.

The new release improved HiDPI displays support by updating the icon set, and using OpenGL for rendering on-the-fly preview in video filter dialog.

Avidemux 2.8.1 also introduced new filters: 3D LUT, Decimate, and Arbitrary Rotate, as well as new video encoder: VideoToolbox HEVC for macOS users.

It also added support for decoding 8-bit VP9 on Windows using DXVA2 and on Linux using VDPAU, with graphics cards that have a VP9 decoder.

Avidemux Dark Theme

Other changes include:

  • Light and Dark themes in ‘View’ menu.
  • CTRL+F shortcut to add partial filters.
  • configurable compressor
  • 3-band equalizer
  • independent channel gain/delay options
  • channel remap options
  • new downmix options
  • audio track configuration up to 32 tracks
  • save volume settings on exit.
  • See release note for more details.

How to Install Avidemux 2.8.1 in Ubuntu Linux

Option 1: AppImage

The video editor software offers official Linux package via non-install AppImage, available to download at the link below:

Just grab the package, right-click it and open its “Properties” dialog, add executable permission, and finally click to run the package and launch the video editor.

Avidemux AppImage

Ubuntu 22.04 and Ubuntu 22.10, however, do not support AppImage out of the box. To enable it, open a terminal (Ctrl+Alt+T) and run:

sudo apt install libfuse2

Option 2: Ubuntu PPA

For those who prefer the native .deb package format, the Avidemux website refers to this unofficial PPA. Keep in mind that packages from a third-party PPA are installed and upgraded with root privileges, so they are only as trustworthy as the PPA maintainer.

1. First, press Ctrl+Alt+T on keyboard to open a terminal window. When it opens, run command to add the PPA:

sudo add-apt-repository ppa:xtradeb/apps

Type user password when it asks (no asterisk feedback) and hit Enter to continue.

The PPA, however, offers the latest packages only for Ubuntu 22.04. For Ubuntu 20.04 and the older Ubuntu 18.04, you may use this one instead:

sudo add-apt-repository ppa:ubuntuhandbook1/avidemux

2. After adding the PPA, refresh the package cache. Recent Ubuntu releases do this automatically when a PPA is added, but older Ubuntu releases and Linux Mint do not:

sudo apt update

3. Finally install the software by running the command below in terminal:

sudo apt install avidemux-qt

Uninstall Avidemux

For the video editor packages installed from Ubuntu PPA, remove it by running command in terminal:

sudo apt remove --autoremove avidemux-qt

And remove the PPA, either via the command below (use ppa:xtradeb/apps if you added that one instead):

sudo add-apt-repository --remove ppa:ubuntuhandbook1/avidemux

or by using ‘Software & Updates’ utility.

Pandora Radio Client Pithos 1.6.0 Now Uses CSD Header bar [Ubuntu PPA]

Pithos, a native Linux client for Pandora Radio, got a new release a few days ago. Here’s how to install it in Ubuntu 22.04, Ubuntu 20.04 and Ubuntu 18.04 via PPA.

It’s been almost 2 years since the last release update. The new Pithos 1.6.0 now uses the GNOME style client-side decorations (CSD) for its header bar, instead of the old title bar. So, the app UI will look like the screenshot below:

Pithos 1.6.0

Together with a rounded-window-corners extension, it now looks good in recent Ubuntu releases.

This release also adds a Ctrl+R shortcut to open the stations popover and removes access to the host keyring when running as a Flatpak. And libappindicator is no longer a required dependency, since the app now supports the status notifier protocol directly.

How to Install Pithos 1.6.0 in Ubuntu:

For the three current Ubuntu LTS releases and their derivatives, I’ve uploaded the package to this unofficial Ubuntu PPA.

1. First, press Ctrl+Alt+T key combination on keyboard to open terminal. When it opens, run the command below to add the PPA:

sudo add-apt-repository ppa:ubuntuhandbook1/apps

Type user password when it asks (no asterisk feedback) and hit Enter to continue.

2. Then run the command below to refresh the package cache (needed on the older Ubuntu 18.04 and on Linux Mint):

sudo apt update

3. Finally, install or update the lightweight Pandora Radio client:

sudo apt install pithos

As the application does not update frequently, you may also download & install the .deb package directly from this page.

Uninstall Pithos

To remove the Ubuntu PPA, open terminal and run command:

sudo add-apt-repository --remove ppa:ubuntuhandbook1/apps

Or, open ‘Software & Updates’ utility and remove the source line under ‘Other Software’ tab.

To remove Pithos, use command:

sudo apt remove --autoremove pithos

Install XFCE In Linux Mint 21


XFCE is one of the most popular desktop environments for Linux-based operating systems, and a lightweight one. In this tutorial, we show you how to install XFCE in Linux Mint 21.

Install XFCE In Linux Mint 21

Go through the following steps to install the XFCE desktop environment in Linux Mint 21.

Step 1:

Run the update command so that your Linux Mint 21 is updated.

sudo apt update

Step 2:

Now, run the following command to install the XFCE desktop on Linux Mint 21:

sudo apt install xfce4

Step 3:

Now switch from your current desktop environment to XFCE: log out, and on the login screen pick the Xfce session from the session menu (the gear or desktop icon next to the password field) before logging back in. The command below is often suggested for this step, but note that it only makes the system boot into the graphical target; it does not select a desktop environment:

sudo systemctl set-default graphical.target

Now you are ready to use the XFCE desktop environment on Linux Mint 21. If you later want to remove it, run the following command. Since xfce4 is a metapackage, purging it does not remove every component package, so review what apt proposes to remove.

sudo apt-get purge --autoremove xfce4

How to Follow Symbolic Links


A symbolic link (also known as soft link) is a kind of shortcut to another file. It’s heavily used in Linux for shared libraries.

But how do you know to which original file the link points to?

You can use the ls command for this purpose. Surprised? Don’t be. The long listing ls -l displays where a symbolic link points:

ls -l /path/to/file

For example, I’ve created a soft link named MyTorrents that targets another disk so my command will be:

ls -l /home/sagar/Symbolics/MyTorrents
(Screenshot: ls -l showing the MyTorrents link and the path it points to)

However, this is not a foolproof way to follow the symbolic link to the original file because if it’s a multilayer link (a link pointing to another link that points to a file), the ls command won’t display the source file.

As usual on Linux, there are several ways to accomplish the same thing.

So I’ll be utilizing the following command line utilities to follow symbolic links:

  • readlink
  • realpath
  • stat
  • file

You can use the ln command to create links and practice while you follow this tutorial.

1. Using readlink command

There is a utility made for exactly this purpose: readlink.

It is easy to use and available by default on every Linux distro. Just pass the path of the symbolic link to readlink:

readlink /path/to/symbolic/link

My symbolic link is placed at /home/sagar/Symbolics/MyTorrents so my command would be:

readlink /home/sagar/Symbolics/MyTorrents

But what if your symbolic link involves multiple levels, such as one link pointing to another? In that case, you have to use the -f option, which resolves every level.

For this example, I’ve created a new symbolic link at /home/sagar/Documents/NewLink that points to the other link, to show how to handle such cases:

readlink -f /home/sagar/Documents/NewLink

2. Using realpath command

As its name suggests, the realpath utility resolves a path to its canonical form, and when given a symbolic link with no options it prints the final target.

Using realpath even without any options is equivalent to using readlink -f so don’t worry about being mapped to another symbolic link.

The syntax of realpath to follow a symbolic link to the source file is:

realpath /path/to/symbolic/link

After specifying the path, the result looks like this:

(Screenshot: realpath printing the resolved target of the link)


3. Using stat command

The stat utility shows the status of a file and can also be used to find the original source of a symbolic link.

Just give a path of the symbolic link to the stat command and that’s it.

stat /path/to/symbolic/link

And if you find the other details unnecessary, use the -c%N format option to print only the link and its target. It is not the easiest option to remember, so use man stat to recall it.

stat -c%N /path/to/symbolic/link

4. Using file command

The file command is just as easy and follows the same syntax as the other examples: give it the path to a symbolic link and that’s all you need.

file /path/to/symbolic/link

Final Words

If you’re dealing with multi-level symbolic links, I recommend the first two methods, readlink -f and realpath, since they resolve every level.

These utilities are quite basic and do not require any complex syntax but if you’re still confused, let me know in the comments.
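As an added example that is not part of the original article, the script below follows a link chain one hop at a time with plain readlink (so you can see every level, which readlink -f and realpath hide), then applies two checks worth running over any directory a service exposes: whether a link is dangling, and whether a link resolves to a path outside the directory it lives in. The directory layout is constructed under a temporary directory; the article’s /home/sagar paths are not used.

```shell
#!/bin/sh
# Added example (not from the original article): follow a symbolic link hop by
# hop with readlink, then apply two checks a security review cares about:
# is the link dangling, and does a link under a directory resolve to a path
# outside it (a common way to expose files the directory was not meant to serve).
# Paths below are constructed under a temp dir, not the article's /home/sagar.

# Print every hop of a link chain and finally the real target, one per line.
follow_chain() {
    p=$1; hops=0
    while [ -L "$p" ]; do
        printf '%s\n' "$p"
        hops=$((hops + 1))
        if [ "$hops" -gt 40 ]; then            # same limit the kernel uses (ELOOP)
            echo "too many levels of symbolic links: $1" >&2
            return 1
        fi
        target=$(readlink "$p")
        case "$target" in
            /*) p=$target ;;                        # absolute target
            *)  p="$(dirname "$p")/$target" ;;      # relative to the link's directory
        esac
    done
    printf '%s\n' "$p"
}

# Succeeds (exit 0) when the link does not resolve to anything that exists.
is_dangling() {
    [ -L "$1" ] && [ ! -e "$1" ]
}

# Succeeds when the canonical path of $2 lies inside directory $1.
stays_inside() {
    base=$(readlink -f "$1") || return 1
    real=$(readlink -f "$2") || return 1
    case "$real" in
        "$base"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed layout: a served directory with good links, a dangling link and
# one that escapes into a private directory next to it.
setup_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/site" "$demo/private"
    echo "public" > "$demo/site/index.html"
    echo "secret" > "$demo/private/keys.txt"
    ln -s index.html          "$demo/site/link1"     # one hop, relative target
    ln -s link1               "$demo/site/link2"     # two hops
    ln -s nowhere             "$demo/site/broken"    # dangling
    ln -s ../private/keys.txt "$demo/site/escape"    # leaves site/
    printf '%s\n' "$demo"
}

demo=$(setup_demo)
follow_chain "$demo/site/link2"
is_dangling "$demo/site/broken" && echo "broken: dangling link"
stays_inside "$demo/site" "$demo/site/escape" || echo "escape: resolves outside site/"
rm -rf "$demo"
```

The escape check is the one that matters when a web root, an upload directory or an extracted archive may contain links created by someone else: readlink alone tells you the next hop, but only the canonical path tells you where the data actually comes from.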

Getting Started With Rootless Container Using Podman


Are you deploying software using containers? Are you using Podman? Do you want to up your security game by running containers with as little privilege as possible? Boy, do I have an article for you!

What is Podman?

Podman is an open-source container engine developed primarily by Red Hat and intended as a drop-in replacement for Docker; for most tasks it is exactly that. Among its features are support for root-less containers, a fork/exec model for starting containers, no daemon, and more.

The advantage of a rootless container is obvious: if a container does not need root, you don’t give it root.


With this article, I hope to help remove some hurdles that may crop up when you use Podman to deploy rootless containers.

Podman in rootless execution

If you are a seasoned IT professional, you might have committed one of the following crimes:

  • Running the docker command using sudo, escalating its privileges
  • Adding your non-root user to the docker group, which is equivalent to giving that user root, since it can start privileged containers

As you might have realized by now, this is a terrible security practice. You are giving the Docker daemon root access to your machine. That exposes two methods of exploitation:

  • The Docker daemon (dockerd) runs as root. If dockerd has a security vulnerability, your entire system is compromised because dockerd is a process owned by the root user.
  • An image that you use might have vulnerabilities. What if the vulnerable image is used by a container running as a process of the root user? An attacker can use the vulnerable image to gain access to your entire system.

The solution is simple: don’t run everything as root, even if you trust it. Remember, nothing is 100% secure. I present to you Podman’s ability to manage containers without root access.

If you start a container using Podman as a non-root user, said container does not gain any additional privileges, nor will Podman ask you for a sudo password.

Below are the benefits Podman provides when you use it for root-less containers (without any super-user privileges):

  • You can isolate a group of common containers per local user. (e.g., run Nextcloud and MariaDB under user nextcloud_user and containers Gitea and PostgreSQL under the user gitea_user)
  • Even if a container or Podman itself gets compromised, it cannot get complete control over the host system, since the user executing the container is not root. But the user under which the exploited container was running should then be treated as compromised.

Limits of root-less Podman

When you use root-full Podman/Docker, you are giving Podman/Docker super-user privileges. That is certainly bad, but it also means that all of the advertised functionality works as intended.

When you run Podman containers without root privileges, on the other hand, there are some limits. The major ones are:

  • Container images cannot be shared across users. If user0 pulls the ‘nginx:stable-alpine‘ image, user1 has to pull it separately. There is no way (at least not yet) to share images between users, but you can copy images from one user to another; refer to this guide by Red Hat.
  • Ports below 1024 cannot be bound out of the box. A workaround exists.
  • A root-less container may not be able to ping any hosts. A workaround exists.
  • If you specify a UID inside a root-less container, any UID that is not covered by the user’s subuid range will fail. Best to execute Podman from an existing user shell, or better yet, create a systemd user service to auto-start it.

See rootless.md in the containers/podman repository for the complete list of rootless limitations.

Getting started with root-less Podman

Before you get started with the rootless execution of containers, there are a few prerequisites that need to be met.

Make sure you have slirp4netns installed

The slirp4netns package provides user-mode networking for unprivileged network namespaces. It is necessary if you want your root-less container to interact with any kind of network (newer Podman releases can use pasta for the same purpose).

You can install the slirp4netns package on Debian/Ubuntu based Linux distributions using the apt package manager like so:

sudo apt install slirp4netns

On Fedora/RHEL based Linux distributions, use the dnf package manager to install slirp4netns like so:

sudo dnf install slirp4netns

Arch Linux users will know how to do it with pacman, but regardless, below is the command you might be looking for:

sudo pacman -Sy slirp4netns

Make sure that your subuid and subgid are properly configured

Since root-less Podman containers are run by an existing user on the system, that non-root user needs permission to run a root-less container as UIDs that are not their own UID. The same applies to GIDs.

Each user is given a range of UIDs that it is allowed to use. This is specified in the /etc/subuid file; the /etc/subgid file does the same for the GIDs a user is allowed to use.

The format of these files is as follows:

username:first UID/GID allocated to the user:number of UIDs/GIDs in the range

So, let us say my user, pratham, wants 100 UIDs for himself and krishna wants 1000 UIDs for himself. Below is how the /etc/subuid file would look:

pratham:100000:100
krishna:100100:1000

What this effectively means is that the user pratham can use UIDs between ‘100000’ and ‘100100’. Meanwhile, user krishna can use UIDs between ‘100100’ and ‘101100’.

Usually, this is already set up for each user you create, and the range is usually 65536 usable UIDs/GIDs. But in some cases, this needs to be done manually.

But hold on, if this is not already done for your user, you do not need to edit the files by hand for each user. You can use the usermod command for this. Below is the command syntax:

sudo usermod --add-subuids START-END --add-subgids START-END USERNAME

Replace START and END with the first and last (inclusive) subordinate ID of the range, and USERNAME with the user's name.
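As an added example (not code from the original article), here is a small Python helper that parses entries in the /etc/subuid format, reports each range's inclusive last ID, flags ranges that overlap between users, and shows which host UID a container UID lands on under Podman's default rootless mapping, which is where the "unmapped UID may fail" limit listed earlier comes from. The sample entries are constructed from the ones shown above.

```python
from itertools import combinations
from typing import Dict, List, Optional, Tuple

Ranges = Dict[str, Tuple[int, int]]  # user -> (first, last), last inclusive

# Constructed sample in /etc/subuid format (user:first:count), matching the
# entries shown above. Assumption: standard shadow-utils format, one entry per line.
SUBUID_SAMPLE = """\
pratham:100000:100
krishna:100100:1000
"""


def parse_subids(text: str) -> Ranges:
    """Map each user to (first, last) with an inclusive last ID."""
    ranges: Ranges = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, first, count = line.split(":")
        size = int(count)
        if size <= 0:
            raise ValueError(f"{user}: range size must be positive, got {size}")
        ranges[user] = (int(first), int(first) + size - 1)
    return ranges


def overlapping(ranges: Ranges) -> List[Tuple[str, str]]:
    """Pairs of users whose subordinate ranges share at least one ID."""
    clashes = []
    for (a, (a_first, a_last)), (b, (b_first, b_last)) in combinations(
        sorted(ranges.items()), 2
    ):
        if a_first <= b_last and b_first <= a_last:
            clashes.append((a, b))
    return clashes


def container_uid_to_host(
    user: str, own_uid: int, container_uid: int, ranges: Ranges
) -> Optional[int]:
    """Host UID for a container UID under Podman's default rootless mapping:
    container root (0) is the user's own UID, container UID n >= 1 is the n-th
    ID of the user's subordinate range, and anything past the end of the range
    has no host UID (the 'may fail' case listed earlier)."""
    if container_uid == 0:
        return own_uid
    first, last = ranges[user]
    host_uid = first + container_uid - 1
    return host_uid if host_uid <= last else None
```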

⚠️
Make sure that the permissions for the files /etc/subuid and /etc/subgid are set to 644 and that both are owned by root:root.

Want to bind Ports less than 1024?

If you are using a reverse proxy for SSL, you will know that ports 80 and 443 need to be accessible by a certificate provider like Let’s Encrypt.

If you try to bind ports lower than 1024 to a root-less container managed by Podman, you will notice that it is not possible. Well, it is possible, but it is not configured out of the box.

By default, a non-root user is not allowed to bind anything on ports less than 1024.

So, how do I bind ports lower than 1024 in root-less Podman? To do that, first determine the lowest port that you need. In my case, to deploy SSL, I need ports 80 and 443. So the lowest port that I need is port 80.

Once that is determined, add the following line to the /etc/sysctl.conf file:

net.ipv4.ip_unprivileged_port_start=YOUR_PORT_NUMBER

Essentially, you are changing the value of net.ipv4.ip_unprivileged_port_start to the lowest port you need. If I substitute YOUR_PORT_NUMBER with 80, I can bind port 80 with Podman in a root-less container.

WHERE ARE MY IMAGES?

No need to scream at me buddy. I was going to tell you, eventually…

As I pointed out earlier, a limitation of Podman is that it cannot share images between users. They either need to be pulled for each user or copied from one user to another. Either way, the duplicates take up 2x/3x/4x the space (depending on how many copies exist).

The images for any user are stored in their home directory, specifically inside the ~/.local/share/containers/storage/ directory.

Give it a try!

Once all the prerequisites are satisfied, you can run the podman run command from a non-root user's shell and start a container.

Since I use Caddy Server for my SSL, I will use that in this tutorial. To run Caddy Server as a root-less container using Podman, while binding it to ports lower than 1024, I will simply run the following command:

$ whoami
pratham

$ podman run -d --name=prathams-caddy -p 80:80 -p 443:443 caddy:alpine
e6ed67eb90e6d0f3475d78b287af941bc873f6d62db60d5c13b1106af80dc5ff

$ podman ps
CONTAINER ID  IMAGE                           COMMAND               CREATED        STATUS            PORTS                                     NAMES
e6ed67eb90e6  docker.io/library/caddy:alpine  caddy run --confi...  2 seconds ago  Up 2 seconds ago  0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp  prathams-caddy

$ ps aux | grep caddy
pratham     3022  0.0  0.0  85672  2140 ?        Ssl  06:53   0:00 /usr/bin/conmon --api-version 1 -c e6ed67eb90e6d0f3475d78b287af941bc873f6d62db60d5c13b1106af80dc5ff [...]
pratham     3025  0.1  0.3 753060 32320 ?        Ssl  06:53   0:00 caddy run --config /etc/caddy/Caddyfile --adapter caddyfile

As you can see, the user pratham is not root, and I did not use the sudo command to escalate the privileges of the user pratham. I was able to run the Caddy Server container root-less using Podman.

The output of the ps command shows that PID 3022 is a process owned by the pratham user. This process is the container monitor (conmon) for the Caddy Server container (I have trimmed the output). PID 3025, the Caddy process itself, is a child of PID 3022 and also runs as the pratham user.

Did I not address your issue?

I apologize if I did not cover your issue with root-less Podman containers. Since Podman is new (in software years), it will have some unexpected issues.

Fret not. I have included the official troubleshooting guide below. Refer to that when in doubt. It is also the one that will be updated frequently.

Reference: podman/troubleshooting.md at main · containers/podman (Podman: A tool for managing OCI containers and pods.)

Conclusion

In this article I demonstrated how you can get started with managing root-less containers using Podman. I talked about the necessary software that enables this functionality. I went over common issues you may face with root-less Podman containers and how to mitigate them. I also linked to the official documentation, where you will find a more technical troubleshooting guide.