Check Groups
docker Group
Full root access via host filesystem mount.lxd Group
Import image, mount host filesystem, root. See dedicated Docker / LXD Escape page.disk Group
Direct read/write access to block devices. Bypass all filesystem permissions.Read /etc/shadow
Read SSH Keys
Write Files
adm Group
Read log files. Harvest credentials from logs.Search Logs for Passwords
Auth Log — Usernames as Passwords
Users sometimes type password in username field:Audit Logs
video Group
Access framebuffer — screenshot what’s on screen.shadow Group
Direct read access to/etc/shadow.
staff Group
Write to/usr/local/ without root. Hijack binaries.
/usr/local/bin/:
sudo Group
User can run any command via sudo (needs password).root Group
Not same as root user, but may have read access to root-owned files:Quick Reference
| Group | Impact | Technique |
|---|---|---|
docker | Root | Mount host filesystem |
lxd | Root | Privileged container |
disk | Root | debugfs on block device |
adm | Creds | Read log files |
video | Info | Screenshot framebuffer |
shadow | Creds | Read /etc/shadow |
staff | Root | Write to /usr/local/ |
sudo | Root | sudo (needs password) |