We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

Reindl Harald h.reindl at thelounge.net
Tue Apr 29 19:33:19 UTC 2014



On 29.04.2014 21:17, Chris Adams wrote:
> Once upon a time, Reindl Harald <h.reindl at thelounge.net> said:
>> wrong question - is /bin/sh used?
>> if the answer is yes then the answer to your question is no
>>
>> the point is to remove anything *unneeded* from production systems
>> that has been best practice for many years and for good reasons
> 
> No, the point is that "remove a bunch of stuff to 'secure' the system"
> is not security, and should not be claimed that it is being done for
> 'security'.  If you have bash as /bin/sh (as a 'standard' Fedora system
> does), you don't need wget/curl to download stuff for example.
> 
> Can you lock that down more?  Sure, you can remove network access,
> remove local write access, etc.  However, that is separate from removing
> arbitrary binaries from the system/image.  Removing non-privileged
> binaries from the image does _nothing_ for security (as claimed
> up-thread)

simple example:

* binary XYZ is vulnerable to privilege escalation
* we talk about a *local* exploit until now
* a badly configured webserver allows system-commands through a php-script
  and i consider that you google for the /e modifier
* an exploit for the web application triggers that binary
* voila you have a *remote* privilege escalation to get root access

*that* is how attacks can work if things are going wrong
you may now come with how likely that happens

it's not a matter of how likely, it happened in the past and it
will happen in the future and every time such things happened
people came with "i did not imagine that this could be possible"

so learn from the past, realize that things are possible and
reduce the attack surface for the imaginary you don't believe

well, you can ignore that and still pretend "that is not security"
others did that too in many cases learning it the hard way
