Add patch to global.pp
David JM Emmett
me at davidjmemmett.co.uk
Fri Jul 17 12:45:08 UTC 2009
Maybe I'm missing something here, but if an attacker has access, don't
you have bigger problems?
--
Cheers,
David JM Emmett
Sent from my iPhone
On 17 Jul 2009, at 03:59, Toshio Kuratomi <a.badger at gmail.com> wrote:
> ricky and I were considering adding patch to global.pp and dennis
> brought up that it might be a command used to do malicious stuff. So
> what do you guys think?
>
> Pros:
> patch makes some things much easier to do. Want to cherry-pick a change
> as a hotfix? Many times patch is needed to apply the diff. Want to
> replicate some changes from server1 to servers 2, 3, and 4? diff on
> server1, patch on the others. Need to review a change that someone else
> has done and then apply it? Read the diff they give you and apply it
> rather than grabbing the whole file, doing the diff yourself, and then
> applying it.
>
> Cons:
> patch is a commonly used utility that is often used to edit files. So
> the principle of not installing things that aren't needed makes it one
> more tool that an attacker won't have if they get remote execution on a
> box they shouldn't. However, there are many other things that an attacker
> can do if they gain remote execution. Rather than retrieving a diff and
> applying that to a file, the attacker can just retrieve a file and then
> replace the existing one; we have wget, curl, and scp installed. ed,
> sed, perl, python, and other text processing tools are available. I'm
> thinking if the attacker can gain the ability to execute a remote
> command and they have permission to touch files that are going to cause
> us harm, lack of patch isn't going to save us.
>
> Other:
> * patch doesn't have any deps that aren't already installed on one of
> our boxes.
>
> What's the consensus here?
>
> -Toshio
>
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
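The argument in the quoted Cons section, that an attacker with remote execution on a box that already has python loses nothing when /usr/bin/patch is absent, can be made concrete. What follows is an added example for this page, not code from the thread or from Fedora infrastructure: a minimal unified-diff applier in pure Python covering the subset of the format that `diff -u` emits for a single file (no renames, no binary hunks), run against a constructed sshd_config-style sample and a constructed hotfix diff. The sample file contents, the diff text and the function names (`parse_hunks`, `apply_unified_diff`, `diff_applies`) are all assumptions made for the example.

```python
"""Apply a unified diff without /usr/bin/patch.

Added example for this page, not code from the thread or from Fedora
infrastructure. Handles the subset of the format `diff -u` emits for one
file (no renames, no binary hunks). All sample data below is constructed.
"""
import re

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed sample: the config as it sits on server2/3/4 before the hotfix.
SAMPLE_CONFIG = """Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

# Constructed sample: what `diff -u` on server1 would hand you for the hotfix.
HOTFIX_DIFF = """--- sshd_config.orig
+++ sshd_config
@@ -1,5 +1,5 @@
 Port 22
 Protocol 2
-PermitRootLogin yes
-PasswordAuthentication yes
+PermitRootLogin no
+PasswordAuthentication no
 UsePAM yes
"""

# What server2/3/4 should contain after the hotfix is applied.
EXPECTED_CONFIG = """Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
UsePAM yes
"""


def parse_hunks(diff_text):
    """Return a list of (old_start, old_len, lines) tuples, one per @@ hunk."""
    hunks = []
    current = None
    for line in diff_text.splitlines():
        m = HUNK_RE.match(line)
        if m:
            old_start = int(m.group(1))
            old_len = int(m.group(2)) if m.group(2) is not None else 1
            current = (old_start, old_len, [])
            hunks.append(current)
            continue
        if current is None:
            continue  # "---"/"+++" file headers before the first hunk
        if line == "":
            line = " "  # some tools emit a blank context line with no leading space
        if line[0] in " +-":
            current[2].append(line)
        # "\ No newline at end of file" markers are ignored
    return hunks


def apply_unified_diff(original, diff_text):
    """Return original with diff_text applied, checking every ' ' and '-' line."""
    src = original.split("\n")
    trailing_newline = original.endswith("\n")
    if trailing_newline:
        src.pop()  # drop the empty element after the final newline
    out = []
    pos = 0  # index into src of the next line not yet copied or consumed
    for old_start, old_len, lines in parse_hunks(diff_text):
        # A zero-length old range ("-5,0") names the line *after* which to insert.
        start = old_start - 1 if old_len > 0 else old_start
        if start < pos:
            raise ValueError("hunks out of order or overlapping")
        out.extend(src[pos:start])
        pos = start
        for line in lines:
            tag, body = line[0], line[1:]
            if tag == "+":
                out.append(body)
                continue
            if pos >= len(src) or src[pos] != body:
                raise ValueError("hunk FAILED: context mismatch at line %d" % (pos + 1))
            if tag == " ":
                out.append(body)
            pos += 1  # '-' lines are consumed but not copied
    out.extend(src[pos:])
    result = "\n".join(out)
    return result + "\n" if trailing_newline else result


def diff_applies(original, diff_text):
    """True if the diff applies cleanly, False where patch would report a failed hunk."""
    try:
        apply_unified_diff(original, diff_text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(apply_unified_diff(SAMPLE_CONFIG, HOTFIX_DIFF), end="")
    # Re-applying the same hotfix fails on context, as patch would.
    print("re-apply ok:", diff_applies(EXPECTED_CONFIG, HOTFIX_DIFF))
```

The context check is the part worth keeping even in a throwaway applier: it is what makes "read the diff they give you and apply it" safer than copying a whole file over, because a hunk whose surrounding lines no longer match is rejected rather than silently landing in the wrong place. That same check is all that separates this script from `cat > file`, which is the point of the thread: the capability was never gated on the patch binary.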