Add patch to global.pp

[Mike McGrath]

On Thu, 16 Jul 2009, Toshio Kuratomi wrote:

> ricky and I were considering adding patch to global.pp and dennis
> brought up that it might be a command used to do malicious stuff.  So
> what do you guys think?
>
> Pros:
> patch makes some things much easier to do.  Want to cherrypick a change
> as a hotfix?  Many times patch is needed to apply the diff.  Want to
> replicate some changes from server1 to servers 2, 3, and 4?  diff on
> server1, patch on the others.  Need to review a change that someone else
> has done and then apply it?  Read the diff they give you and apply it
> rather than grabbing the whole file, doing the diff yourself, and then
> applying it.
>
> Cons:
> patch is a commonly used utility that is often used to edit files.  So
> the principle of not installing things that aren't needed makes it one
> more tool that an attacker won't have if they get remote execution on a
> box they shouldn't.  However, there's many other things that an attacker
> can do if they gain remote execution.  Rather than retrieving a diff and
> applying that to a file, the attacker can just retrieve a file and then
> replace the existing one; we have wget, curl, and scp installed.  ed,
> sed, perl, python, and other text processing tools are available.  I'm
> thinking if the attacker can gain the ability to execute a remote
> command and they have permission to touch files that are going to cause
> us harm, lack of patch isn't going to save us.
>
> Other:
> * patch doesn't have any deps that aren't already installed on one of
> our boxes.
>
> What's the consensus here?
>

+0 no opinion if it would be of some use.  I've generally scp'd files
where needed and copied from there.  Same number of commands and files
copied as if you were to patch

scp blah.py app1: ; ssh app1 ; sudo cp blah.py /usr/blah

scp blah.patch app1: ; ssh app1; sudo patch -p1 < blah.patch

	-Mike