We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

Reindl Harald h.reindl at thelounge.net
Tue Apr 29 18:56:56 UTC 2014

Am 29.04.2014 20:51, schrieb Chris Adams:
> Once upon a time, Marcelo Ricardo Leitner <marcelo.leitner at gmail.com> said:
>> You're considering only the escalation way to do it, but there are
>> other ways to exploit code laying around, like when some web pages
>> don't sanitize the URL enough and end up allowing executing
>> something in the system, much like sql injection. In those cases,
>> one could craft URLs to run wget or any other tool that may help the
>> intruder get even more inside.
> Down that path lies madness.  Are you going to remove /bin/sh?  If not,
> virtually anything else is possible

wrong question - is /bin/sh used?
if the answer is yes then the anser to your question is no

the point is remove anything *unneeded* from production systems
that are best practices for many years and for good reasons

anything which is not present can't make troubles

* security
* things get enabeld by bugs
* wasted space (keep backups in mind, especially off-site backups)
* possible dependecy problems

on cloud-systems (to play bullshit-bingo) or simply virtualized
infrastructure you pay multiple times for any overhead and if
the case happens that you pay for a security problem this is
also multiplied

that's why on hardened systems mostly customized packages are
installed and the most interesting outputs of ./configure --help
are the ones starting with "--without" and "--disable"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 246 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140429/87bedd65/attachment.sig>

More information about the devel mailing list