mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-01-16 20:50:33 +00:00
A quick note for podman users running unprivileged containers.
@@ -68,6 +68,10 @@ To do similarly in `docker-compose`:
user: 1000:1000
|
||||
... other configuration ...
If you're running vaultwarden with podman as a rootless user, the uid/gid of your user on the host (e.g. 1000:1000) will be mapped to root in the container (0:0) by default. You may restrict privileges further with the `--userns keep-id` option, which will instead map the container user to the same uid/gid as the host (e.g. 1000:1000).
podman run --userns keep-id [other args] vaultwarden/server:latest
The default user in many Linux distros has uid/gid 1000 (run the `id` command to verify), so this is a good value to use if you prefer to be able to easily access your Vaultwarden data without changing to another user, but you can adjust the uid/gid as needed. Note that you'll most likely need to specify a numeric uid/gid, because the Vaultwarden container doesn't share the same mapping of user/group names to uid/gid (e.g., compare the `/etc/passwd` and `/etc/group` files in the container to the ones on the Docker host).
The Vaultwarden Docker images are set up such that the `vaultwarden` executable binds to port 80, which works fine since it runs as root by default. However, a non-root process is normally unable to bind to a [privileged port](https://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html) (i.e., a port below 1024). As of version 20.10.0 (see [moby/moby#41030](https://github.com/moby/moby/pull/41030)), Docker specially configures its containers so that non-root processes are allowed to bind to privileged ports by default. For earlier versions of Docker, or other container runtimes without this special behavior, the Vaultwarden Docker images also sets the [`cap_net_bind_service`](https://man7.org/linux/man-pages/man7/capabilities.7.html) capability on the `vaultwarden` executable, which is another way to allow an executable to bind to privileged ports when running as a non-root user.
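Review bot: the new podman paragraph should state whether `--userns keep-id` is meant instead of, or in addition to, the `--user` / `user: 1000:1000` setting shown just above it, since a reader following the page top to bottom could reasonably apply both. It would also help to say plainly that with `keep-id` the `vaultwarden` process is no longer root inside the container, so the privileged-port discussion in the last paragraph (non-root binding to port 80, the `cap_net_bind_service` file capability on the executable) now applies to the podman case too; a one-line cross-reference such as "see the note on privileged ports below" after the `podman run --userns keep-id [other args] vaultwarden/server:latest` example would close that gap.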