[CentOS] Another Fedora decision

Thu Feb 5 02:43:41 UTC 2015
Warren Young <wyml at etr-usa.com>

> On Feb 4, 2015, at 7:23 PM, Les Mikesell <lesmikesell at gmail.com> wrote:
> 
> On Wed, Feb 4, 2015 at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote:
>> 
>> An LPE can only be used against your system by logged-in users.
> 
> Or any running program - like a web server.

That’s not what LPE means.  “L” = “local”, meaning you are logged in interactively to the server, or have the ability to execute arbitrary commands remotely, which comes to the same thing.

The only way Apache can be used in conjunction with an LPE to provide root access is via something like Shellshock.

I’m not saying LPEs, remote shell attacks, and arbitrary command execution vulnerabilities do not exist.  I’m pointing out that each of these classes of vulnerabilities is rare on its own, and rare times rare equals scarce.

There’s no such thing as absolute security.  There is only better and worse; somewhere along that continuum is a point labeled “sufficient.”  Policies like the one we’re arguing over merely attempt to set a sane minimum level.