We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

Reindl Harald h.reindl at thelounge.net
Tue Apr 29 20:16:22 UTC 2014


On 29.04.2014 21:59, Chris Adams wrote:
> Once upon a time, Reindl Harald <h.reindl at thelounge.net> said:
>> simple example:
>>
>> * binary XYZ is vulnerable for privilege escalation
> 
> A local, non-privileged binary cannot be "vulnerable for privilege
> escalation".  If I can run a non-privileged binary to escalate, then
> there is a problem with some other part of the system, not the binary.
> I can (unless severely locked down, which is difficult-to-impossible to
> do in practice) download another non-privileged binary and achieve the
> same privilege escalation

don't get me wrong but you are talking bullshit

you can't download whatever you like to do in any random situation
and execute it like in a shell - if you have only *one command* through
a web application you need to achieve that this single command triggers
the whole attack surface down to the critical component giving you
root access

you simply ignore the history of nearly any package coming with
security updates and CVE's where it's often even hard to believe
"how can this small piece have any security problem at all"
________________________________________

On 29.04.2014 22:04, Andrew Lutomirski wrote:
> Can you give an actual concrete example of wtf you're talking about?
> Because I suspect that you're completely wrong, but maybe you're right
> and no one on this thread understands what you're trying to say.

no i can't give you an example which replaces bother for more than
a decade in case of security in a single mailing-list thread

frankly feel free to ignore what people are telling you
these people continue also to feel free to remove anything un-needed from systems

at the end of the day we will see who was right - the people trying to make
things as secure as possible or the ones which would even not realize a
root-exploit on their machines after it has happened because in doubt you
have no chance to face it (given that the first thing a rootkit is doing
is to manipulate system-commands to hide itself)
