Thank you for the review.

I've updated the package to ship the Go build dependencies by
vendorizing them in 20200617.00-0ubuntu4. As far as I know the Security
Team approved that, but please take a new look at the package.

Google-shutdown-scripts.service and google-startup-scripts.service run
user-provided arbitrary scripts, thus they can't be confined.

Google-guest-agent.service adds login entries, rewrites sshd config and
restarts ssh server, thus those operations can't be prevented. It
interfaces only with the cloud's metadata service, thus the attack
surface is fairly narrow and the service is written in Go which is
considered safe. I think successful attacks against it are unlikely, but
I can ask upstream to consider securing this service.


** Changed in: google-guest-agent (Ubuntu)
       Status: Incomplete => New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1891929

Title:
  [MIR] google-guest-agent
