[Merge] lp:~stgraber/upstart/upstart-initgroups into lp:upstart
Stéphane Graber
stgraber at stgraber.org
Thu Nov 29 21:00:30 UTC 2012
So after more testing, this bug can't be exploited on regular hosts (physical machines, VMs) as the kernel group list is empty on those, so there's no "root" group to inherit.
On those, the bug is only that you don't inherit the groups of the setuid user, which is problematic but not a security issue.
However for users of containers, the initial group list does contain root, so for those, it's a potential security issue. But the number of users of containers being far lower than those of regular systems, this somewhat lowers the priority of this fix.
--
https://code.launchpad.net/~stgraber/upstart/upstart-initgroups/+merge/136794
Your team Upstart Reviewers is requested to review the proposed merge of lp:~stgraber/upstart/upstart-initgroups into lp:upstart.
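An added example, not part of the original message and not Upstart's code: a C check for the condition described above, where a process that switched uid still holds supplementary groups (such as gid 0 in a container) that the target user does not belong to. The function names are hypothetical, and `drop_to_user` shows the usual initgroups/setgid/setuid order as an assumption about the fix, not the content of the branch.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Count groups in have[] that are absent from want[]: supplementary groups
 * the process still holds although the target user is not a member. */
int stale_groups(const gid_t *have, int nhave, const gid_t *want, int nwant)
{
    int stale = 0;
    for (int i = 0; i < nhave; i++) {
        int j = 0;
        while (j < nwant && want[j] != have[i])
            j++;
        if (j == nwant)
            stale++;
    }
    return stale;
}

/* Compare this process's kernel group list with the group database entry
 * of its effective user. Returns the stale count, or -1 on error. */
int audit_current_process(void)
{
    gid_t have[256], want[256];
    int nwant = 256;
    struct passwd *pw = getpwuid(geteuid());
    int nhave = getgroups(256, have);
    if (pw == NULL || nhave < 0)
        return -1;
    if (getgrouplist(pw->pw_name, pw->pw_gid, want, &nwant) < 0)
        return -1;
    return stale_groups(have, nhave, want, nwant);
}

/* Drop order that replaces the inherited list: groups first, uid last. */
int drop_to_user(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    return setuid(pw->pw_uid);
}

int main(void)
{
    printf("stale supplementary groups: %d\n", audit_current_process());
    return 0;
}
```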