upvote

points

by arian_14 hours ago |
comments
upvoteby minimaltom13 hours ago|
next
[-]
This attack class lets you escalate from any user to UID 0. Not running as root won't save you, in fact, this attack is for those processes not running as root.

However, if you are in a user namespace where UID 0 doesn't map to system-wide capabilities, and you dont share page cache for the setuid binaries on the system, this attack doesn't lead to LPE.

reply
upvoteby delamon3 hours ago|
parent|
[-]
setuid binaries are not the only way to get root. E.g. one can change /etc/crontab or /etc/passwd. Or add trojan to /bin/ls and wait until admin type 'ls'
reply
upvoteby quantummagic1 hours ago|
parent|
[-]
It's not always as easy as you imply. All the attack vectors you mentioned, require root on the host, before you can make the change or install the trojan.
reply
upvoteby oncallthrow13 hours ago|
prev|
[-]
> this is why we don't run as root

The entire point is that you can escalate to root

reply