So after more testing, this bug can't be exploited on regular hosts (physical machines, VMs) as the kernel group list is empty on those, so there's no "root" group to inherit.

On those, the bug is only that you don't inherit the groups of the setuid user, which is problematic but not a security issue. However for users of containers, the initial group list does contain root, so for those, it's a potential security issue. But the number of users of containers being far lower than those of regular systems, this somewhat lowers the priority of this fix.

-- 
https://code.launchpad.net/~stgraber/upstart/upstart-initgroups/+merge/136794
Your team Upstart Reviewers is requested to review the proposed merge of lp:~stgraber/upstart/upstart-initgroups into lp:upstart.

-- 
upstart-devel mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/upstart-devel
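The failure mode described in the message is a job runner that changes uid/gid for a setuid job but never replaces the supplementary group list, so the job keeps whatever groups init started with (empty on a normal host, but including root's group inside a container). The following C program is an added illustration written for this thread; it is not Upstart code and not part of the merge proposal. It shows the drop sequence a runner should use (initgroups, then setgid, then setuid), verifies afterwards that the drop cannot be undone and that gid 0 is no longer in the supplementary list, and includes a small pure check over constructed group lists that can be run without privileges. The user name "nobody" and the sample group arrays are constructed assumptions for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed sample data (not captured from a real system): the kind of
   supplementary group list an init process may carry inside a container,
   and the list a low-privilege job user would be expected to have. */
const gid_t kContainerInitGroups[] = {0, 4, 27};
const int   kContainerInitGroupsCount = 3;
const gid_t kJobUserGroups[] = {27, 1000};
const int   kJobUserGroupsCount = 2;

/* Return 1 if gid appears in groups[0..n), else 0. */
int gid_in_list(const gid_t *groups, int n, gid_t gid) {
    for (int i = 0; i < n; i++)
        if (groups[i] == gid)
            return 1;
    return 0;
}

/* Count entries of actual[0..na) that are not in expected[0..ne). A runner
   that forgot initgroups() would report leftover groups here. */
int unexpected_groups(const gid_t *actual, int na,
                      const gid_t *expected, int ne) {
    int count = 0;
    for (int i = 0; i < na; i++)
        if (!gid_in_list(expected, ne, actual[i]))
            count++;
    return count;
}

/* Inspect the calling process's own supplementary groups for gid 0.
   Returns 1 if root's group is present, 0 if not, -1 on error. */
int current_process_has_root_group(void) {
    int n = getgroups(0, NULL);
    if (n < 0)
        return -1;
    gid_t *g = calloc((size_t)n + 1, sizeof *g); /* +1 so n == 0 is safe */
    if (!g)
        return -1;
    n = getgroups(n, g);
    if (n < 0) {
        free(g);
        return -1;
    }
    int present = gid_in_list(g, n, 0);
    free(g);
    return present;
}

/* Switch to `user` the way a setuid job runner should. Returns 0 on success,
   -1 with errno set on failure. Needs CAP_SETUID/CAP_SETGID (normally root). */
int switch_to_user(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (!pw) {
        errno = ENOENT;
        return -1;
    }
    /* Replace the inherited supplementary groups with the target user's own.
       Skipping this step is exactly the bug discussed above. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)   /* drop root last */
        return -1;
    /* Post-conditions: root must not be recoverable, and unless the target
       user's primary group is root, gid 0 must be gone from the list. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    if (pw->pw_gid != 0 && current_process_has_root_group() == 1) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv) {
    const char *user = argc > 1 ? argv[1] : "nobody"; /* assumed user name */
    if (switch_to_user(user) != 0) {
        perror("switch_to_user");
        return 1;
    }
    printf("uid=%u gid=%u root group present=%d\n",
           (unsigned)getuid(), (unsigned)getgid(),
           current_process_has_root_group());
    return 0;
}
```

Run as root with a target user name to exercise the real drop; run unprivileged and switch_to_user fails with EPERM at initgroups, which is the correct refusal. The pure helpers can be applied to any captured group list to audit whether a running job carries groups its user should not have.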
