Comment 0 for bug 1961458

Seth Arnold (seth-arnold) wrote :

./internal/policies/scripts/scripts.go ApplyPolicy() unsafe owner changes:

Changing the scripts directory owner allows any user process to create
symbolic links within, and then they can take ownership of any file on
writable mounts.

If the files must be owned by the user, the best way is to switch to the
user's uid before creating the files. fchown(2) of the file descriptor
before closing it should also work.

I lose track of what's happening around the "Running machine startup
scripts" -- it looks to me like adsys is also *executing* the scripts that
were moments ago given to the user to modify. It is not safe for root to run
user-owned files.

Does the user *have* to own the directory and scripts?

Thanks
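The two mitigations named above (create the file first, then fchown(2) the open descriptor; and never let root execute a file it has not verified), as an added illustration that is not adsys code. It assumes a privileged process writing a script into a directory the user may already control; the function names and the temporary paths are made up for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)
// writeScriptForUser creates path as a brand-new regular file and only then
// hands it to uid/gid through the open descriptor (fchown(2)). O_EXCL makes
// open() fail if anything already exists at path, including a planted symlink,
// so the chown can only ever apply to the file this process just created.
func writeScriptForUser(path string, content []byte, uid, gid int) error {
	flags := os.O_WRONLY | os.O_CREATE | os.O_EXCL | syscall.O_NOFOLLOW
	f, err := os.OpenFile(path, flags, 0o700)
	if err != nil {
		return err
	}
	defer f.Close()
	if _, err := f.Write(content); err != nil {
		return err
	}
	return f.Chown(uid, gid) // by descriptor, never by path
}

// ownedExclusivelyBy reports whether path is a regular file (not a symlink), owned
// by uid, and not group/world writable: check this before a privileged process runs it.
func ownedExclusivelyBy(path string, uid int) (bool, error) {
	fi, err := os.Lstat(path) // Lstat: do not follow symlinks
	if err != nil {
		return false, err
	}
	if !fi.Mode().IsRegular() {
		return false, nil
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return false, fmt.Errorf("no stat info for %s", path)
	}
	return int(st.Uid) == uid && fi.Mode().Perm()&0o022 == 0, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "scripts") // constructed scratch directory
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "logon.sh")
	err := writeScriptForUser(p, []byte("#!/bin/sh\necho hello\n"), os.Getuid(), os.Getgid())
	ok, _ := ownedExclusivelyBy(p, os.Getuid())
	fmt.Println(err, ok)
}
```

Switching to the user's uid before creating the files, as the comment also suggests, removes the need for the chown entirely.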