ricky and I were considering adding patch to global.pp and dennis brought up that it might be a command used to do malicious stuff. So what do you guys think? Pros: patch makes some things much easier to do. Want to cherrypick a change as a hotfix? Many times patch is needed to apply the diff. Want to replicate some changes from server1 to servers 2, 3, and 4? diff on server1, patch on the others. Need to review a change that someone else has done and then apply it? Read the diff they give you and apply it rather than grabbing the whole file, doing the diff yourself, and then applying it. Cons: patch is a commonly used utility that is often used to edit files. So the principle of not installing things that aren't needed makes it one more tool that an attacker won't have if they get remote execution on a box they shouldn't. However, there's many other things that an attacker can do if they gain remote execution. Rather than retrieving a diff and applying that to a file, the attacker can just retrieve a file and then replace the existing one; we have wget, curl, and scp installed. ed, sed, perl, python, and other text processing tools are available. I'm thinking if the attacker can gain the ability to execute a remote command and they have permission to touch files that are going to cause us harm, lack of patch isn't going to save us. Other: * patch doesn't have any deps that aren't already installed on one of our boxes. What's the consensus here? -Toshio
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
