We want to stop systemd from being added to docker images, because of rpm requiring systemctl.
h.reindl at thelounge.net
Tue Apr 29 20:16:22 UTC 2014
Am 29.04.2014 21:59, schrieb Chris Adams:
> Once upon a time, Reindl Harald <h.reindl at thelounge.net> said:
>> simple example:
>> * binary XYZ is vulerable for privilege escalation
> A local, non-privileged binary cannot be "vulerable for privilege
> escalation". If I can run a non-privileged binary to escalate, then
> there is a problem with some other part of the system, not the binary.
> I can (unless severely locked down, which is difficult-to-impossible to
> do in practice) download another non-privileged binary and achieve the
> same privilege escalation
don't get me wrong but you are talking bullshit
you can't download whatever you like to do in any random situation
and excutue it like in a sehll - if you have only *one command* through
a web application you need to achieve that this single command triggers
the whole attack surface down to the critical component giving you
you simply ignore the history of nearly any package coming with
security updates and CVE's where it's often even hard to believe
"how can this small piece have any security problem at all"
Am 29.04.2014 22:04, schrieb Andrew Lutomirski:
> Can you give an actual concrete example of wtf you're talking about?
> Because I suspect that you're completely wrong, but maybe you're right
> and no one on this thread understands what you're trying to say.
no i can't give you and example which replaces bother for more than
a decade in case of security in a single mailing-list thread
frankly feel free to ignore what people are telling you
these people continue also to feel free remove anything un-needed from systems
at the end of the day we will se who was right - the people tyring to make
things as secure as possible or the ones which would even not realize a
root-exploit on their machines after it has happened because in doubt you
have no chance to face it (given that the first thing a rootkit is doing
is to manipulate system-commands to hide itself)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 246 bytes
Desc: OpenPGP digital signature
More information about the devel