Steps to reproduce
```bash
# 1. Start a plain Alpine container
container run -d --name perm-test alpine:3.23 sleep 300

# 2. Verify /etc/shadow permissions (0640 root:shadow)
container exec perm-test ls -la /etc/shadow
# -rw-r----- 1 root shadow 260 Jan 27 21:19 /etc/shadow

# 3. Exec as "nobody" and try to read the restricted file
container exec -u nobody perm-test cat /etc/shadow

# 4. Confirm uid/gid is switched correctly
container exec -u nobody perm-test id
# uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)

# Cleanup
container stop perm-test && container rm perm-test
```
Current behavior
`container exec -u nobody perm-test cat /etc/shadow` prints the full contents of `/etc/shadow`, even though:
- The file is `0640 root:shadow`
- The process runs as `nobody` (uid=65534, gid=65534)
- `nobody` is not in the `shadow` group

Docker correctly denies this with `Permission denied` for the same image and commands.
Expected behavior
```text
cat: can't open '/etc/shadow': Permission denied
```
File permission checks should be enforced based on the effective uid/gid set by -u, consistent with standard Unix semantics and Docker behavior.
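The check the report expects `-u` to honour, as an added illustration that is not part of this issue or of the `container` project: a model of the standard Unix read-access decision (root bypass, then exactly one of the owner, group or other classes, with no fall-through between them) applied to the `0640 root:shadow` file and the uid/gid values above. The numeric gid of the `shadow` group is an assumed constant and does not affect the outcome.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    euid: int
    egid: int
    groups: frozenset = frozenset()  # supplementary group ids


@dataclass(frozen=True)
class Inode:
    mode: int  # permission bits, e.g. 0o640
    uid: int   # owner
    gid: int   # group


def may_read(proc: Process, ino: Inode) -> bool:
    """Classic Unix DAC decision for read access.

    euid 0 bypasses the mode bits. Otherwise exactly one permission class
    applies: owner bits if euid matches the owner, else group bits if the
    egid or a supplementary group matches, else other bits. An owner whose
    owner bits deny read is denied even if the group bits would allow it.
    """
    if proc.euid == 0:
        return True
    if proc.euid == ino.uid:
        bits = stat.S_IRUSR
    elif proc.egid == ino.gid or ino.gid in proc.groups:
        bits = stat.S_IRGRP
    else:
        bits = stat.S_IROTH
    return bool(ino.mode & bits)


def expected_cat_result(proc: Process, ino: Inode, path: str = "/etc/shadow") -> str:
    """What `cat` should report when the check above is enforced."""
    if may_read(proc, ino):
        return f"<contents of {path}>"
    return f"cat: can't open '{path}': Permission denied"


GID_SHADOW = 42  # assumed gid for the 'shadow' group (constructed value)
SHADOW = Inode(mode=0o640, uid=0, gid=GID_SHADOW)        # 0640 root:shadow, as in the report
NOBODY = Process(euid=65534, egid=65534)                 # output of `id` above
ROOT = Process(euid=0, egid=0)
SHADOW_MEMBER = Process(euid=1000, egid=1000, groups=frozenset({GID_SHADOW}))

if __name__ == "__main__":
    for name, p in (("root", ROOT), ("nobody", NOBODY), ("uid 1000 in shadow", SHADOW_MEMBER)):
        print(f"{name:>20}: {expected_cat_result(p, SHADOW)}")
```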
Environment
- OS: macOS 26.3.1 (25D771280a)
- Xcode: 26.2 (17C52)
- Container: CLI version 0.10.0 (build: release, commit: 6bdb647)