Simon Hobson <linux@???> writes:
> Arnt Gulbrandsen <arnt@???> wrote:
>
>> By now, the concept of unprivileged local users is a little obsolete anyway.
>>
>> Today, hosts generally serve only one unix user, there generally is
>> only one local user of one host, and that local user is the user that
>> owns everything valuable. So is the a real point to
>> local-user-to-root exploits? I suppose there is, but it is much
>> smaller than it was ten or twenty years ago.
>
> It depends on what you are doing.
> It's a fairly quick and easy way to separate users on (eg) web hosting
> - by having Apache execute each site as a specific user.

[...]

> And regardless of how you separate users, having an exploitable
> privilege escalation flaw means that someone compromising one of your
> customer's sites is then able to escalate their privileges to do more
> damage than they could from an unprivileged account.

Hmm ... and how many 'millions of Android devices and Linux PCs' are
affected by that? This is a trivial bug with a one or two lines fix and
the people who found it could have spend their time in a more useful way
by contributing a fix then by creating and exploit and trying to draw as
much attention to that as possible.