app_containers: Use UID instead of username for $run_as

Note that we still assume the user name inside the container is `user`.

app_containers/.local/bin/run_app_container

@@ -8,8 +8,8 @@ die() {
 exit() {
   rm -rf "$container_xdg_runtime"
   if [ "$CONTAINER_USE_USERNS" = true ]; then
-    setfacl -x u:$((private_users + 1000)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
-    xhost -si:localuser:\#$((private_users + 1000))
+    setfacl -x u:$((private_users + run_as)) $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
+    xhost -si:localuser:\#$((private_users + run_as))
   fi
 }
 
@@ -45,11 +45,13 @@ fi
 
 [ -S $host_pulse ] || die "PulseAudio UNIX socket not found"
 
-# Default username (assume `user` always has the same uid as the host user)
-run_as=user
+# Default user
+run_as=$UID
+# We assume the user named `user` inside the container always has the same UID as
+# the user with uid $run_as on the host; this is currently not yet configurable
 homedir=/home/user
 if [ "$CONTAINER_RUN_AS_ROOT" = true ]; then
-  run_as=root
+  run_as=0
   homedir=/root
 fi
 
@@ -61,8 +63,8 @@ if [ "$CONTAINER_USE_USERNS" = true ]; then
   private_users=$(shuf -i 65536-$((2147483647 - 65536)) -n1) # Pick a random starting offset
   bind_opts="idmap" # Note: custom mounts specified by the user are expected to incldue the idmap option as well
   # Grant the user inside the namespace access to the Wayland / Xorg display
-  setfacl -m u:$((private_users + 1000)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
-  xhost +si:localuser:\#$((private_users + 1000))
+  setfacl -m u:$((private_users + run_as)):rwx $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY
+  xhost +si:localuser:\#$((private_users + run_as))
 fi
 
 SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINER_NAME \