 
On Feb 4, 2015, at 7:23 PM, Les Mikesell lesmikesell@gmail.com wrote:
> On Wed, Feb 4, 2015 at 6:32 PM, Warren Young wyml@etr-usa.com wrote:
>> An LPE can only be used against your system by logged-in users.
> Or any running program - like a web server.

That’s not what LPE means. “L” = “local”, meaning you are logged in interactively to the server, or have the ability to execute arbitrary commands remotely, which comes to the same thing.
The only way Apache can be used in conjunction with an LPE to provide root access is via something like Shellshock.
I’m not saying LPEs, remote shell attacks, and arbitrary command execution vulnerabilities do not exist. I’m pointing out that each of these classes of vulnerabilities is rare on its own, and rare times rare equals scarce.
There’s no such thing as absolute security. There is only better and worse; somewhere along that continuum is a point labeled “sufficient.” Policies like the one we’re arguing over merely attempt to set a sane minimum level.