
True, but once you have <foo; $any_command_with_user_privilege> you can start executing any user commands. So you do a </dev/null; mkdir ~/www/nefarious; cp ~/www/AdminSettings.php ~/www/nefarious/settingns.txt;> (without the index file you can just view the file as plain text, which probably contains the database username and password). Then you can go on and download a database dump. The attacker probably does not give a damn about root in this scenario.


