[AstralStorm]

Yes, the program can likely setuid to the original user with su, as the session is the parent session and still active.

This is not a behavior you want of a jail. Use chroot, LXC or your own setuid wrapper that removes the privilege.

[ptx]

Well, os.setuid and os.seteuid in Python give me "PermissionError: [Errno 1] Operation not permitted". Do you have an example of how this could be done?

[kazinator]

Every process in your system either still has an ancestor that is still running and has superuser privileges. Either because that was the real ancestor, or else because that ancestor is PID 1 due to reparenting.

A process cannot use its existing ancestral sessions to gain control of their account.