A compromised mesos-master node can execute code as root on agents.

mesos-master has a `--[no-]root_submissions` flag that controls whether frameworks with `root` user are admitted to the cluster.

However, if a mesos-master node is compromised, it can attempt to schedule tasks on agent as the `root` user. Since mesos-agent has no check against tasks running on the agent for specific users, tasks can get run with `root` privileges can get run within the container on the agent.