Comment 5 for bug 1814596

Jann Horn (corp account) (jannh) wrote:

> Without really the need of another process to help the
> service, as long as there is a writable path (with no
> nosuid flag) somewhere accessible by both the local
> attacker and the service

https://www.freedesktop.org/software/systemd/man/systemd.exec.html#DynamicUser= actually says:

| In order to allow the service to write to certain
| directories, they have to be whitelisted using
| ReadWritePaths=, but care must be taken so that
| UID/GID recycling doesn't create security issues
| involving files created by the service.

So my understanding was that it is expected of the authors of unit files to make sure that ReadWritePaths contains no persistent mountpoints without the nosuid flag. It would probably be useful if systemd actually enforced that, though, instead of just documenting it.

> > > 2) a service can create a setuid/setgid executable file
> > > that can be used to get the temporary service UID even
> > > after the service is terminated (thus with all the
> > > problems of the UID recycling and accessing resources
> > > that may be owned by a completely different service in
> > > the future).
> >
> > Yes. (But note that I pointed out that setgid files can
> > also be created by processes that don't belong to the
> > service if the service has set up a namespace's GID map
> > appropriately.)
>
> I was finally able to look at the sgid PoC you provided,
> and we could say it is a separate flaw, do you agree?
> It seems to me it's related to a separate issue and it's
> a separate fix.

I suppose that works.
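An added example, not code from the bug report or from systemd, of the check the comment above says systemd could enforce instead of only documenting: given a unit file's ReadWritePaths= entries and the contents of /proc/self/mountinfo, report every entry that resolves to a mount without the nosuid flag, since that is where a setuid/setgid file left behind by a DynamicUser= service would survive UID/GID recycling. The mountinfo sample and the unit fragment are constructed for the example; the field layout follows proc(5).

```python
"""Check the ReadWritePaths= of a DynamicUser= unit against mount flags.

Added example, not code from systemd or from the bug report. It parses
/proc/self/mountinfo text (a constructed sample is embedded so it runs
offline) and reports every ReadWritePaths= entry that lands on a mount
without `nosuid`. On such a mount a setuid/setgid file created by the
service keeps working after the service exits and its dynamic UID/GID
is handed to a different service.
"""

# Constructed sample of /proc/self/mountinfo: nosuid is set on /tmp and
# /var/lib/app but not on /srv (assumption: field layout as in proc(5)).
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
30 22 0:25 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
31 22 8:2 / /srv rw,relatime - ext4 /dev/sda2 rw
32 22 8:3 / /var/lib/app rw,nosuid,nodev,noexec - ext4 /dev/sda3 rw
"""

# Constructed unit fragment for a hypothetical service.
SAMPLE_UNIT = """\
[Service]
DynamicUser=yes
ReadWritePaths=/var/lib/app -/srv/uploads
ReadWritePaths=/tmp/scratch
"""


def parse_mountinfo(text):
    """Return {mount_point: set(per-mount options)} from mountinfo text."""
    mounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Before the " - " separator come six fixed fields (mount ID, parent
        # ID, major:minor, root, mount point, mount options) and then a
        # variable number of optional fields; we only need fields 5 and 6.
        pre, _sep, _post = line.partition(" - ")
        fields = pre.split()
        mount_point = fields[4].replace("\\040", " ")
        mounts[mount_point] = set(fields[5].split(","))
    return mounts


def mount_for(path, mounts):
    """Return the mount point that covers `path` (longest prefix match)."""
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def read_write_paths(unit_text):
    """Collect ReadWritePaths= entries, stripping the '-' (ignore if
    missing) and '+' (relative to RootDirectory=) prefixes systemd allows."""
    paths = []
    for line in unit_text.splitlines():
        key, eq, value = line.partition("=")
        if eq and key.strip() == "ReadWritePaths":
            for entry in value.split():
                paths.append(entry.lstrip("-+"))
    return paths


def unsafe_paths(unit_text, mountinfo_text):
    """Return [(path, mount_point)] for entries on mounts lacking nosuid."""
    mounts = parse_mountinfo(mountinfo_text)
    findings = []
    for path in read_write_paths(unit_text):
        mp = mount_for(path, mounts)
        if mp is not None and "nosuid" not in mounts[mp]:
            findings.append((path, mp))
    return findings


if __name__ == "__main__":
    # Replace the samples with open("/proc/self/mountinfo").read() and the
    # real unit text to audit a running host.
    for path, mp in unsafe_paths(SAMPLE_UNIT, SAMPLE_MOUNTINFO):
        print(f"{path}: mount {mp} lacks nosuid")
```

On the constructed input only `/srv/uploads` is reported, because `/tmp` and `/var/lib/app` carry nosuid. The check reads the host's mount table, while the service sees its own mount namespace once ProtectSystem= and friends are applied, so treat a clean result as necessary rather than sufficient; the setgid-via-GID-map case from the sgid PoC is outside what a mount-flag check can catch.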