Yeah, if setuid is possible on a path that’s visible to an unprivileged user on the host, root in the container could, say, copy /bin/sh to that path, chown 0:0 and chmod u+s it, making it setuid root for anyone on the host who’s allowed to run it.
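A host-side check for the condition described above, added here as an example and not part of the original post: for each host path shared with a container, it finds the covering mount and reports it when the `nosuid` option is absent (with `nosuid`, the kernel ignores setuid bits when executing files from that mount). The function names, the sample mount table and the shared paths are constructed for illustration.

```python
import os
import re
import sys

# Constructed sample in /proc/self/mounts format (not taken from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /srv/shared ext4 rw,relatime 0 0
/dev/sdc1 /srv/shared/safe\\040data ext4 rw,nosuid,nodev,relatime 0 0
"""

def unescape(field):
    # The kernel writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mounts(text):
    # Returns a list of (mountpoint, set_of_options) in table order.
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts.append((unescape(parts[1]), set(parts[3].split(","))))
    return mounts

def covering_mount(path, mounts):
    # Longest mountpoint that is a path prefix; a later entry wins a tie (it shadows).
    path = os.path.normpath(path)
    best = None
    for mountpoint, options in mounts:
        if path == mountpoint or mountpoint == "/" or path.startswith(mountpoint + "/"):
            if best is None or len(mountpoint) >= len(best[0]):
                best = (mountpoint, options)
    return best

def suid_honoured(shared_paths, mounts_text):
    # Shared paths whose covering mount lacks nosuid, as (path, mountpoint) pairs.
    mounts = parse_mounts(mounts_text)
    findings = []
    for path in shared_paths:
        hit = covering_mount(path, mounts)
        if hit and "nosuid" not in hit[1]:
            findings.append((path, hit[0]))
    return findings

if __name__ == "__main__":
    print(suid_honoured(sys.argv[1:], open("/proc/self/mounts").read()))
```

The match is lexical, so resolve symlinks in the shared paths (for example with `os.path.realpath`) before passing them in.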