We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

[Chris Adams]

Once upon a time, Marcelo Ricardo Leitner <marcelo.leitner at gmail.com> said:
> You're considering only the escalation way to do it, but there are
> other ways to exploit code laying around, like when some web pages
> don't sanitize the URL enough and end up allowing executing
> something in the system, much like sql injection. In those cases,
> one could craft URLs to run wget or any other tool that may help the
> intruder get even more inside.

Down that path lies madness.  Are you going to remove /bin/sh?  If not,
virtually anything else is possible.

-- 
Chris Adams <linux at cmadams.net>