Running invocation images as a specific user #428
Description
As part of securing a container, one thing that a person may do is to run the container as a nonroot user (by default containers run as root). The CNAB spec doesn't really cover the idea of what user the container is running under.
When I tried out running a bundle that specified a different user, I ran into a bunch of file permission mismatches. For example, when credential files are injected into the container with cnab-go, they are owned by root, and aren't readable by the container.
I was wondering if this is something that tools should just informally figure out by inspecting the invocation image or if there's value to providing guidance around this (even non-normative) in the spec?