From fa050e999d3d1466148ff8d3301bb9590ca9b93c Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Fri, 30 Aug 2024 09:52:50 +0200 Subject: [PATCH] changelog: Add entry for sysext file ownership bugfix Signed-off-by: Jeremi Piotrowski --- changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md diff --git a/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md b/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md new file mode 100644 index 0000000000..2c0c292909 --- /dev/null +++ b/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md @@ -0,0 +1 @@ +- Fix ownership of systemd units shipped with built-in docker/containerd sysexts. The files shipped on production images were accidentally owned by 1000:1000 instead of 0:0. This uid/gid is not present on Flatcar images but would be assigned to the first created user. Due to contents of sysexts and /usr being readonly on Flatcar, the invalid permissions can't be used to escalate privileges. ([scripts#2266](https://github.com/flatcar/scripts/pull/2266))
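Review bot: the added changelog line states the conclusion ("the invalid permissions can't be used to escalate privileges") without giving operators a way to tell whether they are affected, so it would help to name which release versions shipped the 1000:1000 ownership and which unit files inside the docker/containerd sysexts were affected, or at least point at a way to verify ownership on a running system. The argument as written also rests on two facts that deserve to be spelled out in the entry itself: that no user with uid/gid 1000 exists on a stock image, and that sysext contents and /usr are mounted read-only so even a later-created first user cannot modify those units; one extra clause making the "read-only, therefore not writable by uid 1000" link explicit would make the security assessment self-contained for readers who only see the changelog. Minor style point: the other entries in changelog/bugfixes are not visible in this patch, so double-check that the trailing PR link format `([scripts#2266](...))` matches the existing convention in that directory.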