Maybe I'm missing something here but if an attacker has access don't you have bigger problems?
--
Cheers,
David JM Emmett
Sent from my iPhone
On 17 Jul 2009, at 03:59, Toshio Kuratomi <a.badger@xxxxxxxxx> wrote:
ricky and I were considering adding patch to global.pp and dennis brought up that it might be a command used to do malicious stuff. So what do you guys think?

Pros:
patch makes some things much easier to do. Want to cherrypick a change as a hotfix? Many times patch is needed to apply the diff. Want to replicate some changes from server1 to servers 2, 3, and 4? diff on server1, patch on the others. Need to review a change that someone else has done and then apply it? Read the diff they give you and apply it rather than grabbing the whole file, doing the diff yourself, and then applying it.

Cons:
patch is a commonly used utility that is often used to edit files. So the principle of not installing things that aren't needed makes it one more tool that an attacker won't have if they get remote execution on a box they shouldn't. However, there are many other things that an attacker can do if they gain remote execution. Rather than retrieving a diff and applying that to a file, the attacker can just retrieve a file and then replace the existing one; we have wget, curl, and scp installed. ed, sed, perl, python, and other text processing tools are available. I'm thinking if the attacker can gain the ability to execute a remote command and they have permission to touch files that are going to cause us harm, lack of patch isn't going to save us.

Other:
* patch doesn't have any deps that aren't already installed on one of our boxes.

What's the consensus here?
-Toshio
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
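An added example, not part of the thread and not Fedora infrastructure code: the "diff on server1, patch on the others" workflow Toshio describes, written with Python's standard library only. It carries the check a practitioner wants before touching a live config (a zero-fuzz dry run on every target, then a hash comparison against the reviewed copy), and it also makes the mail's "Cons" argument concrete: applying a unified diff is a few dozen lines of stdlib code, so withholding the patch(1) binary is not a security boundary on a box that already has python. The hostnames and httpd.conf contents are constructed sample data.

```python
"""Diff-on-one-box, patch-on-the-others with a dry run, using only the stdlib.

Added example; not code from the thread. File contents below are constructed.
"""
import difflib
import hashlib
import re

# Unified-diff hunk header: @@ -old_start[,old_count] +new_start[,new_count] @@
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def make_patch(old_text, new_text, name):
    """Produce what `diff -u` prints on server1 once the hotfix is in place."""
    return "".join(difflib.unified_diff(
        old_text.splitlines(keepends=True),
        new_text.splitlines(keepends=True),
        fromfile=name, tofile=name))


def parse_hunks(patch_text):
    """Return [(old_start, old_count, body_lines)] for each @@ hunk."""
    hunks = []
    for line in patch_text.splitlines(keepends=True):
        m = HUNK_RE.match(line)
        if m:
            count = int(m.group(2)) if m.group(2) is not None else 1
            hunks.append((int(m.group(1)), count, []))
        elif hunks and line[:1] in (" ", "+", "-", "\\"):
            hunks[-1][2].append(line)
    return hunks


def apply_patch(old_text, patch_text, dry_run=False):
    """Apply a unified diff with zero fuzz: every context (' ') and removed ('-')
    line must match the target exactly, otherwise ValueError is raised and
    nothing is produced. dry_run=True runs only the check and returns None,
    the equivalent of `patch --dry-run` on each target before the real run."""
    src = old_text.splitlines(keepends=True)
    out, pos = [], 0
    for old_start, old_count, lines in parse_hunks(patch_text):
        # A zero-length old range (empty file) is written "-0,0" and addresses
        # the position before line 1; every other range is 1-based.
        idx = old_start if old_count == 0 else old_start - 1
        if idx < pos:
            raise ValueError("hunks out of order or overlapping")
        out.extend(src[pos:idx])
        pos = idx
        for line in lines:
            tag, body = line[0], line[1:]
            if tag == "\\":          # "\ No newline at end of file" marker
                continue
            if tag in (" ", "-"):
                if pos >= len(src) or src[pos] != body:
                    raise ValueError(f"hunk does not apply at line {pos + 1}")
                if tag == " ":
                    out.append(body)
                pos += 1
            else:                    # "+": added line
                out.append(body)
    out.extend(src[pos:])
    return None if dry_run else "".join(out)


def sha256_of(text):
    """Fingerprint file content so each result can be compared with the reviewed copy."""
    return hashlib.sha256(text.encode()).hexdigest()


def roll_out(targets, patch_text, expected_sha):
    """Replicate a hotfix to several boxes: dry-run on every target first, so one
    box whose config has drifted aborts the rollout before any file changes, then
    apply and confirm each result matches the reviewed copy from server1.
    Returns {hostname: patched_text}."""
    for host, text in targets.items():
        try:
            apply_patch(text, patch_text, dry_run=True)
        except ValueError as exc:
            raise ValueError(f"{host}: {exc}") from exc
    patched = {host: apply_patch(text, patch_text) for host, text in targets.items()}
    for host, text in patched.items():
        if sha256_of(text) != expected_sha:
            raise ValueError(f"{host}: result does not match reviewed copy")
    return patched


# Constructed sample data: the same config on several boxes, one of them drifted.
ORIGINAL = "ServerName app.internal\nAllowOverride None\nListen 80\n"
HOTFIXED = "ServerName app.internal\nAllowOverride None\nListen 127.0.0.1:80\n"
DRIFTED = "ServerName app.internal\nAllowOverride All\nListen 80\n"

if __name__ == "__main__":
    patch_text = make_patch(ORIGINAL, HOTFIXED, "httpd.conf")
    print(patch_text)                       # the diff you review before applying
    done = roll_out({"server2": ORIGINAL, "server3": ORIGINAL}, patch_text, sha256_of(HOTFIXED))
    print(sorted(done))                     # ['server2', 'server3']
    try:
        roll_out({"server2": ORIGINAL, "server4": DRIFTED}, patch_text, sha256_of(HOTFIXED))
    except ValueError as exc:
        print("rollout aborted:", exc)      # server4: hunk does not apply at line 2
```

The dry-run pass over all targets before any real apply is the point of the example: with the real tools it is the difference between running `patch --dry-run` everywhere first and discovering on the third box that its file had drifted after the first two were already changed.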