Hacker News

It is also a local exploit, not a remote one


At some point in my career, I picked up the notion that there are an infinite number of local exploits lying around on your average Linux box. Any local user could find their way to root unless you took extra steps to lock things down. I'm not saying that there are still bash one-liners that give you a root prompt. Just that the "attack surface" of privileged binaries and kernel APIs is so enormous that there must be something to leverage. I don't mean to pick on anything unfairly but I figured a specially crafted filesystem or FUSE command would do the trick quite easily.

Is that still the case or am I just old?


Not sure about the particular setup you mentioned, but given that there's an LPE published every few months, I wouldn't be surprised.

https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/

https://blog.qualys.com/vulnerabilities-threat-research/2021...


The distinction is moot. A remote exploit that gets you local execution combined with a local to root gets you remote to root, and game over.


Feels like a few years ago, posts about a local privilege escalation would be shouted down with "It doesn't matter, if someone has access to your machine, it's game over man". And remote code execution in a non-privileged context would be shouted down with "so what, it can't run as root". Glad to see people are finally connecting the dots.


Can it be turned into a remote exploit through a web-browser? (Assuming the user knows what they are doing)


Not without a sandbox escape, at which point you often have more juicy targets without even getting to root (e.g., bank account credentials). The attack requires the ability to open a terminal device and do strange ioctls on it. Web browsers don't open terminal devices at all, so you are pretty unlikely to induce the browser to reuse parts of its code to do it; you'd need the ability to run arbitrary code.



