We want to stop systemd from being added to docker images, because of rpm requiring systemctl.
h.reindl at thelounge.net
Tue Apr 29 18:56:56 UTC 2014
On 29.04.2014 20:51, Chris Adams wrote:
> Once upon a time, Marcelo Ricardo Leitner <marcelo.leitner at gmail.com> said:
>> You're considering only the escalation way to do it, but there are
>> other ways to exploit code lying around, like when some web pages
>> don't sanitize the URL enough and end up allowing executing
>> something in the system, much like SQL injection. In those cases,
>> one could craft URLs to run wget or any other tool that may help the
>> intruder get even more inside.
> Down that path lies madness. Are you going to remove /bin/sh? If not,
> virtually anything else is possible
wrong question - is /bin/sh used?
if the answer is yes then the answer to your question is no
the point is to remove anything *unneeded* from production systems
these have been best practices for many years and for good reasons
anything which is not present can't make troubles
* things get enabled by bugs
* wasted space (keep backups in mind, especially off-site backups)
* possible dependency problems
on cloud-systems (to play bullshit-bingo) or simply virtualized
infrastructure you pay multiple times for any overhead and if
the case happens that you pay for a security problem this is
that's why on hardened systems mostly customized packages are
installed and the most interesting outputs of ./configure --help
are the ones starting with "--without" and "--disable"
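One way to check an image against the "remove anything unneeded" rule, as an added example that is not part of the thread: a POSIX shell audit run over an extracted container root filesystem (assumed to be at the path passed in, e.g. from `docker export <container> | tar -x`) that reports which of a list of tools the image does not need at runtime are still present. The tool list is an assumption to be adapted per image; per the thread, /bin/sh stays if the image uses it, so it is deliberately not in the list.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an extracted container
# rootfs for tools that serve no purpose at runtime (assumed list below).
# Anything on this list that an image does need should be removed from
# the list, not left in the image unaudited.
UNNEEDED_TOOLS="systemctl wget curl gcc cc make python perl ssh scp nc ncat"

# audit_rootfs ROOTFS
# Prints one line per listed tool found in the usual binary directories
# and a final "unneeded tools found: N" line. Returns 0 only if N is 0,
# so it can gate an image build or a release pipeline.
audit_rootfs() {
    rootfs=$1
    found=0
    for tool in $UNNEEDED_TOOLS; do
        for dir in bin sbin usr/bin usr/sbin usr/local/bin; do
            # -L catches dangling symlinks (e.g. a systemctl link whose
            # target was stripped), which rpm scriptlets may still exec.
            if [ -x "$rootfs/$dir/$tool" ] || [ -L "$rootfs/$dir/$tool" ]; then
                echo "present: /$dir/$tool"
                found=$((found + 1))
                break
            fi
        done
    done
    echo "unneeded tools found: $found"
    [ "$found" -eq 0 ]
}

# count_unneeded ROOTFS
# Scripting helper: prints only the number of matches.
count_unneeded() {
    audit_rootfs "$1" | sed -n 's/^unneeded tools found: //p'
}

# Usage: audit_rootfs /path/to/extracted/rootfs
```

Run it in CI after the image is built; a non-zero exit means the image still ships tools the thread argues should not be there.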