Add patch to global.pp

David JM Emmett me at davidjmemmett.co.uk
Fri Jul 17 12:45:08 UTC 2009


Maybe I'm missing something here but if an attacker has access don't you have bigger problems?
--
Cheers,
David JM Emmett

Sent from my iPhone

On 17 Jul 2009, at 03:59, Toshio Kuratomi <a.badger at gmail.com> wrote:

> ricky and I were considering adding patch to global.pp and dennis
> brought up that it might be a command used to do malicious stuff.  So
> what do you guys think?
>
> Pros:
> patch makes some things much easier to do.  Want to cherrypick a change
> as a hotfix?  Many times patch is needed to apply the diff.  Want to
> replicate some changes from server1 to servers 2, 3, and 4?  diff on
> server1, patch on the others.  Need to review a change that someone else
> has done and then apply it?  Read the diff they give you and apply it
> rather than grabbing the whole file, doing the diff yourself, and then
> applying it.
>
> Cons:
> patch is a commonly used utility that is often used to edit files.  So
> the principle of not installing things that aren't needed makes it one
> more tool that an attacker won't have if they get remote execution on a
> box they shouldn't.  However, there are many other things that an attacker
> can do if they gain remote execution.  Rather than retrieving a diff and
> applying that to a file, the attacker can just retrieve a file and then
> replace the existing one; we have wget, curl, and scp installed.  ed,
> sed, perl, python, and other text processing tools are available.  I'm
> thinking if the attacker can gain the ability to execute a remote
> command and they have permission to touch files that are going to cause
> us harm, lack of patch isn't going to save us.
>
> Other:
> * patch doesn't have any deps that aren't already installed on one of
> our boxes.
>
> What's the consensus here?
>
> -Toshio
>
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list