Re: snapd and systemd
In fairness to systemd (and that's not something you'll hear from me very often), AFAICT this bug is solely in snapd's code and would have been exploitable even if using an old-school System V style init script to start it. The root cause of the bug was in the way snapd determined the privileges of the process calling the service it exposed on the socket, which it did by parsing various bits of information passed to it. As Daniel J. Bernstein (§3.3) has pointed out, one needs to be very careful when parsing anything.
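An added illustration of the parsing hazard the comment describes; it is not part of the comment and not snapd's code. The `pid=…;uid=…;socket=…;` layout, the sample strings and the function names are constructed assumptions: a lenient field scan lets a caller-influenced field override the trusted one, while a strict positional parse does not.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample peer strings; the socket field is caller-influenced.
const honestPeer = "pid=4242;uid=1000;socket=/run/user/1000/client.sock;"
const craftedPeer = "pid=4242;uid=1000;socket=/tmp/x;uid=0;"

// naiveUID scans every ';'-separated field and keeps the last "uid=" seen,
// so text inside the socket field is treated as another credential field.
func naiveUID(addr string) (int, error) {
	uid := -1
	for _, f := range strings.Split(addr, ";") {
		if strings.HasPrefix(f, "uid=") {
			n, err := strconv.Atoi(strings.TrimPrefix(f, "uid="))
			if err != nil {
				return -1, err
			}
			uid = n
		}
	}
	if uid < 0 {
		return -1, errors.New("no uid field")
	}
	return uid, nil
}

// strictUID accepts only pid=<n>;uid=<n>;socket=<rest> in that order and
// treats everything after "socket=" as opaque data, never as more fields.
func strictUID(addr string) (int, error) {
	p := strings.SplitN(addr, ";", 3)
	if len(p) != 3 || !strings.HasPrefix(p[0], "pid=") ||
		!strings.HasPrefix(p[1], "uid=") || !strings.HasPrefix(p[2], "socket=") {
		return -1, errors.New("malformed peer string")
	}
	if _, err := strconv.ParseUint(p[0][4:], 10, 31); err != nil {
		return -1, err
	}
	uid, err := strconv.ParseUint(p[1][4:], 10, 31)
	return int(uid), err
}

func main() {
	n, _ := naiveUID(craftedPeer)
	s, _ := strictUID(craftedPeer)
	fmt.Println("naive:", n, "strict:", s)
}
```

Keeping kernel-supplied credentials in a typed struct rather than serialising them into a string removes the parse, and with it this class of mistake.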