UID/GID lookup is either incompatible or a trap, your choice

[thockin]

"The user and group values will first be resolved using the image's own /etc/passwd or /etc/group"

I know that this springs from my own suggestsion, but the more I chew on it the less i like it. nsswitch can be arbitrarily complex. What if it is configured for something more complex than passwd - e.g. LDAP or NIS+? Are we planning to process nsswitch and execute it before launching processes? That seems like an attack vector. But if we don't, we're not really compatible.

It may be acceptable to say simply that we support simple passwd and group files and nothing else, but that is not documented well. Even still, I can craft very large files or malformed files in my image that will cause trouble (crash, DoS, etc) for the ACE. A lesson from Borg is that the user's stuff is the user's and we never process it except for transportation. Parsing passwd crosses a line we would be loathe to cross..