Re: We want to stop systemd from being added to docker images, because of rpm requiring systemctl.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Am 29.04.2014 21:17, schrieb Chris Adams:
> Once upon a time, Reindl Harald <h.reindl@xxxxxxxxxxxxx> said:
>> wrong question - is /bin/sh used?
>> if the answer is yes then the anser to your question is no
>>
>> the point is remove anything *unneeded* from production systems
>> that are best practices for many years and for good reasons
> 
> No, the point is that "remove a bunch of stuff to 'secure' the system"
> is not security, and should not be claimed that it is being done for
> 'security'.  If you have bash as /bin/sh (as a 'standard' Fedora system
> does), you don't need wget/curl to download stuff for example.
> 
> Can you lock that down more?  Sure, you can remove network access,
> remove local write access, etc.  However, that is separate from removing
> arbitrary binaries from the system/image.  Removing non-privileged
> binaries from the image does _nothing_ for security (as claimed
> up-thread)

simple example:

* binary XYZ is vulerable for privilege escalation
* we talk about a *local* exploit until now
* a bad configured webserver allows system-commands through a php-script
  and i consider that you google for the /e modifier
* a exploit for the web application triggers that binary
* voila you have a *remote* privilege escalation to get root access

*that* is how attacks can work if things are going wrong
you may now come with how likely that happens

it's not a matter of how likely, it happened in the past and it
will happen in the future and every time such things happened
people came with "i did not imagine that this could be possible"

so learn from the past, realize that things are possible and
reduce the attack surface for the imaginary you don't believe

well, you can ignore that and still pretend "that is not security"
others did that too in many cases learning it the hard way

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux