Bug 1969285 - Controlling access of podman for users
Summary: Controlling access of podman for users
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: podman
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: beta
Target Release: ---
Assignee: Daniel Walsh
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1186913
Reported: 2021-06-08 06:44 UTC by Ashish Reddy
Modified: 2021-07-20 17:45 UTC
CC List: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-20 17:45:36 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
Outputs of the tests performed. (11.06 KB, text/plain), 2021-06-08 06:44 UTC, Ashish Reddy

Description Ashish Reddy 2021-06-08 06:44:03 UTC
Created attachment 1789322
Outputs of the tests performed.

Description of problem:
Some user accounts will be allowed to run containers, but some should not run containers. I tried commenting out the entries for those users in the /etc/subuid and /etc/subgid files. After doing this, podman is still able to pull hello-world and run it as a container, while other images cannot be pulled, whereas ideally it should not pull any image at all.

Version-Release number of selected component (if applicable):


How reproducible:
Easy

Steps to Reproduce:
1. Create a local user 
2. Comment entries for the user in /etc/subuid and /etc/subgid
3. Pull hello-world image and launch a container with it

Actual results:
podman should not be able to pull image and launch container

Expected results:
podman is able to pull image and launch container

Additional info:
Attached a file with the tests performed with different cases.

Comment 1 Daniel Walsh 2021-06-08 10:28:13 UTC
This is a false assumption.  Container images are just tarballs sitting at a container registry.  Any application that can talk to a web server can pull them down.

When they are pulled down, podman uses tar to extract them within a user namespace.  If the extra UIDs are not defined in /etc/subuid, then podman will set up a single user namespace mapping the user's UID to 0 within the user namespace and then will attempt to "untar" the image.  If the image has files owned by users other than UID=0, then the tar will fail.

podman run fedora 

Should fail with an error about a missing UID.

Whereas 

podman run hello-world

Will succeed since the only content 

$ podman unshare
# mnt=$(podman image mount hello-world)
# ls -l $mnt
total 16
-rwxrwxr-x. 1 root root 13336 Mar  5 18:25 hello

