I understand that for the purpose what it is supposed to be doing it has to has quite some capabilities. But essentially it is an externally controlled data (that you mount to a known place) that is then executed as-is.
I see that you have set the dependency to a "Requires" already which is good to only do that once the mount has worked. But I wonder if we should try to make this a bit more secure. Also you chmod the path - all helpful to avoid people shoving other content there that is then executed. But I was wondering if you happen to have a defined set of "things this agent will do". If so it would be great if it could use other users, private-directories and reduced capabilities limited to just the amount it needs. That would further restrict the potential mis-use. I've seen you had a security pre-review already and Mike was fine, never the less I'd appreciate if you could consider further confinement for this in the long run. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1868572 Title: [MIR] lxd-agent-loader To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lxd-agent-loader/+bug/1868572/+subscriptions -- ubuntu-bugs mailing list email@example.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs