That is a perfect example of security FUD around systemd.
The attack vector is what? Someone manages to convince an administrator to write a service that has "User=0foo" in it?
If an attacker has access to write into `/etc/systemd/system` then they already have root on the system.
If an attacker can cause an administrator to write a systemd unit and the administrator isn't checking that it's reasonable, the attacker could just have the `ExecStart` line run a 'sploit and not have a `User` line at all.
Seriously, what is the attack that you imagine where this has a security impact?
As Poettering said on that issue, no one should be running system services as usernames starting with numbers, and that's questionably valid in the first place.
People still have blown it out of proportion because it's systemd.
Note that a similar issue exists in the old sys-v init scripts: they run as root, and if you convince a person writing a sys-v init script to exclude the `start-stop-daemon -u username` flag, then the daemon will run as root. Basically identical, but never assigned a CVE because no one seriously considers "I talked my sysadmin into running something as root" by itself a privilege escalation.
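
An added example, not part of the original comment and not systemd code: a small audit of system unit files for the two cases the comment contrasts, a `User=` name that starts with a digit (like `0foo`) and a unit with no `User=` line at all. The sample units and verdict labels are constructed for illustration, and it assumes system units, which run as root when `User=` is not set.

```python
# Constructed sample units (not taken from the thread).
SAMPLE_UNITS = {
    "web.service": "[Unit]\nDescription=web\n\n[Service]\nUser=www-data\nExecStart=/usr/bin/web\n",
    "typo.service": "[Service]\n# intended a dedicated account\nUser=0foo\nExecStart=/usr/bin/job\n",
    "nouser.service": "[Service]\nExecStart=/usr/bin/job\n",
    "uid.service": "[Service]\nUser=1001\nExecStart=/usr/bin/job\n",
}


def effective_user(unit_text):
    """Return the last User= value found in [Service], or None if there is none."""
    section, user = None, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == "User":
            # A later assignment overrides an earlier one; an empty value
            # is treated as unset in this sketch.
            user = value.strip() or None
    return user


def classify(unit_text):
    """Label a system unit by the account its User= setting names."""
    user = effective_user(unit_text)
    if user is None or user in ("root", "0"):
        return "runs-as-root"
    # Leading digit but not a plain numeric UID: the name form under discussion.
    if user[0] in "0123456789" and not user.isdigit():
        return "digit-leading-name"
    return "ok"


def audit(units):
    """Map each unit file name to its verdict."""
    return {name: classify(text) for name, text in sorted(units.items())}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_UNITS).items():
        print(f"{verdict:20} {name}")
```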