by cookiengineer
1029 days ago
|
|
The issue I have with it is that a lot of living off the land techniques are caused by this false sense of how UNIX user and group management is supposed to work. I mean, the correct approach would be to have groups even for specific network protocols because capabilities are not enough to sandbox a binary correctly, and the network group is pretty much pointless. And then there's ICMP, which brings us to the ping binary, which on lazy distributions still has an SUID flag set, as well as glibc, which still allows LD_PRELOAD by default because it is intended functionality from the perspective of its developers. Most of these privilege escalation exploits can be mitigated if users, groups and capabilities are managed correctly. In practice I would probably recommend using the systemd seccomp sandboxes because most of these quirks have been abstracted away there and are configurable in the service files - like file/folder access, user/group randomization, chrooting, capabilities etc.
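As an added illustration of the systemd service-file sandboxing the comment points to (not the commenter's own configuration): a unit that expresses the same controls with systemd directives - transient user/group, read-only filesystem, an empty capability bounding set so SUID helpers gain nothing, a per-port network allow-list, a seccomp syscall filter, and an explicit unset of LD_PRELOAD. The service name, binary path and port are hypothetical placeholders; the directives themselves are documented in systemd.exec(5) and systemd.resource-control(5).

```ini
# /etc/systemd/system/example-api.service  (hypothetical unit name)
# systemd unit files do not allow trailing comments, so every comment is on its own line.
[Unit]
Description=Hardened example network service

[Service]
# Hypothetical binary path; replace with the real daemon.
ExecStart=/usr/local/bin/example-api
# User/group handling: a transient UID/GID is allocated at start and released at stop,
# so nothing persistent on disk is owned by the service account.
DynamicUser=yes
# The only writable state lives under /var/lib/example-api.
StateDirectory=example-api

# Filesystem: root read-only except StateDirectory, no /home, private /tmp and /dev,
# kernel tunables/modules/cgroups off limits, other processes hidden in /proc.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectProc=invisible

# Capabilities instead of SUID: empty bounding set and no new privileges, so an
# SUID helper such as ping cannot elevate even if it is executed from this unit.
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=yes
RestrictSUIDSGID=yes

# Network: IP sockets only, and binding is limited to one TCP port (hypothetical 8443).
RestrictAddressFamilies=AF_INET AF_INET6
SocketBindDeny=any
SocketBindAllow=tcp:8443

# seccomp: start from the @system-service allow-list, then deny privileged and
# resource-control syscalls; native ABI only, no new namespaces, no W+X memory.
# MemoryDenyWriteExecute= breaks JIT runtimes; drop it for those.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
RestrictNamespaces=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes

# LD_PRELOAD is intended glibc behaviour; ensure the service never inherits it.
UnsetEnvironment=LD_PRELOAD LD_LIBRARY_PATH

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemd-analyze security example-api.service` scores the remaining exposure directive by directive, which is a quick way to spot any of these settings that did not take effect.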