Container GID overlap with host docker GID

[formulahunter]

I'm new to dev containers and trying to set up some simple test projects to get familiar with the details. I'm running Pop OS and installed Docker Engine following instructions for Ubuntu via apt (https://docs.docker.com/engine/install/ubuntu/).

After a clean Docker Engine install, the Docker host has a user group named docker that is auto-assigned GID 999 and implicitly grants root-level privileges to its members. Separately, the javascript-node dev container image in this repository includes a user group named npm that is also auto-assigned GID 999. My understanding is that this overlap could potentially lead to some flavor of privilege escalation for container users in the npm group (though I admit I'm not clear on specifics of how this could play out).

How much of a concern is this, and what would be a good solution/workaround? I'd much prefer the option to adjust the GID in the container image rather than try to reconfigure the existing docker group (and dependent files/users) in the workstation(s) the container is meant to run on. Is there a way to accomplish this while still using the pre-built image? Could it be made a build-time option/argument?

From what I can tell, this overlap is likely a result of both environments relying on automatically-assign GIDs when creating the respective groups. Specifically, groupadd -r <group name> uses SYSTEM_GID_MIN and SYSTEM_GID_MAX from /etc/login.defs and determines the first unused value from that range in descending order. This command is run in the javascript-node Dockerfile here:

https://github.com/devcontainers/images/blob/6d3564aea1d875f9d175cfa5e63a85effb1f73e7/src/javascript-node/.devcontainer/Dockerfile#L12

I believe it's worth noting that this also applies to other Node-based dev containers in this repository, as well as any others that include custom system groups in pre-built images.