ricky and I were considering adding patch to global.pp and dennis brought up that it might be a command used to do malicious stuff. So what do you guys think?
Pros: patch makes some things much easier to do. Want to cherrypick a change as a hotfix? Many times patch is needed to apply the diff. Want to replicate some changes from server1 to servers 2, 3, and 4? diff on server1, patch on the others. Need to review a change that someone else has done and then apply it? Read the diff they give you and apply it rather than grabbing the whole file, doing the diff yourself, and then applying it.
Cons: patch is a commonly used utility that is often used to edit files. So the principle of not installing things that aren't needed makes it one more tool that an attacker won't have if they get remote execution on a box they shouldn't. However, there are many other things that an attacker can do if they gain remote execution. Rather than retrieving a diff and applying that to a file, the attacker can just retrieve a file and then replace the existing one; we have wget, curl, and scp installed. ed, sed, perl, python, and other text processing tools are available. I'm thinking if the attacker can gain the ability to execute a remote command and they have permission to touch files that are going to cause us harm, lack of patch isn't going to save us.
Other:
- patch doesn't have any deps that aren't already installed on one of our boxes.
What's the consensus here?
-Toshio
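The Cons paragraph argues that an attacker who already has command execution and write access to the files that matter can reproduce what patch does with tools that are already on the box. The following is an added example written for this page, not code from the thread or from Fedora Infrastructure, that makes the point concrete: a minimal unified-diff applier in the Python the thread lists as installed. The config file, the diff and the hostname in it are constructed for illustration, and the algorithm is a deliberately simplified reimplementation (exact context match, no fuzz), not GNU patch's. For the defender the takeaway is that the change to the file is what must be detected and attributed, through configuration management and integrity checking, because withholding one of several equivalent editing tools does not prevent it.

```python
"""Minimal unified-diff applier using only the Python standard library.

Added example for this thread (not code from the thread or from Fedora
Infrastructure): it does for one text file what `patch -p1 < x.patch`
does, using an interpreter the thread lists as already installed.  The
hunk parsing and context checking are a deliberately simplified
reimplementation, not GNU patch's algorithm (no fuzz, no offset search).
"""
import re

# Hunk header: @@ -old_start[,old_len] +new_start[,new_len] @@
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_hunks(diff_text):
    """Return a list of (old_start, old_lines, new_lines) for one file's diff.

    old_lines holds context plus removed lines, new_lines context plus added
    lines, in order, so a hunk applies by replacing one slice with the other.
    """
    hunks = []
    current = None
    for line in diff_text.splitlines():
        match = HUNK_RE.match(line)
        if match:
            current = (int(match.group(1)), [], [])
            hunks.append(current)
        elif current is None:
            continue  # '---'/'+++' file headers and any preamble
        elif line.startswith("\\"):
            continue  # '\ No newline at end of file' marker
        elif line.startswith("-"):
            current[1].append(line[1:])
        elif line.startswith("+"):
            current[2].append(line[1:])
        else:
            # Context line; some mailers strip the leading space from blank ones.
            text = line[1:] if line.startswith(" ") else line
            current[1].append(text)
            current[2].append(text)
    return hunks


def apply_unified_diff(original, diff_text):
    """Return the patched text; raise ValueError if a hunk's context does not match.

    Hunks are applied in order and the line offset introduced by earlier hunks
    is carried forward, as patch does; unlike patch, the context must match
    exactly at the stated position.
    """
    lines = original.splitlines()
    offset = 0
    for old_start, old_lines, new_lines in parse_hunks(diff_text):
        # "-0,0" denotes an empty old file; otherwise headers are 1-based.
        start = max(old_start - 1, 0) + offset
        if lines[start:start + len(old_lines)] != old_lines:
            raise ValueError(
                "hunk @@ -%d @@ does not match at line %d" % (old_start, start + 1))
        lines[start:start + len(old_lines)] = new_lines
        offset += len(new_lines) - len(old_lines)
    return "\n".join(lines) + "\n" if lines else ""


def applies_cleanly(original, diff_text):
    """True if the diff applies to the text without a context mismatch."""
    try:
        apply_unified_diff(original, diff_text)
        return True
    except ValueError:
        return False


# Constructed sample input (not from the thread): a config file and the
# unified diff `diff -u` would produce for a port/debug change.
ORIGINAL_CONF = """[server]
host = app1.example.org
port = 8080
debug = true
"""

HOTFIX_DIFF = """--- a/app.conf
+++ b/app.conf
@@ -1,4 +1,4 @@
 [server]
 host = app1.example.org
-port = 8080
-debug = true
+port = 8443
+debug = false
"""

if __name__ == "__main__":
    patched = apply_unified_diff(ORIGINAL_CONF, HOTFIX_DIFF)
    print(patched, end="")
    # Applying the same hotfix twice fails the context check, just as
    # `patch` would reject it: the file has drifted from what the diff expects.
    print("second application clean:", applies_cleanly(patched, HOTFIX_DIFF))
```

The context check is the part worth noticing from an operations standpoint: a hotfix diff applied to a box whose file has already drifted fails loudly instead of silently corrupting the file, which is the same reason the thread prefers reviewing a diff over copying whole files around.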
On Thu, 2009-07-16 at 19:59 -0700, Toshio Kuratomi wrote:
> What's the consensus here?
If we install patch, will git come next, since people will want to git am stuff? Not that I'm against having patch, it would make things easier.
On 07/16/2009 08:50 PM, Jesse Keating wrote:
> On Thu, 2009-07-16 at 19:59 -0700, Toshio Kuratomi wrote:
>> What's the consensus here?
> If we install patch, will git come next, since people will want to git am stuff? Not that I'm against having patch, it would make things easier.
Well I won't be adding that one :-)
Thinking about this more seriously, patch can be useful on text files on any system. git is only useful on systems where we're making git checkouts. git-am, if I'm reading the man page right, would only be useful where we have git checkouts and are receiving patches via mail?
-Toshio
On Jul 16, 2009, at 21:24, Toshio Kuratomi a.badger@gmail.com wrote:
> On 07/16/2009 08:50 PM, Jesse Keating wrote:
>> On Thu, 2009-07-16 at 19:59 -0700, Toshio Kuratomi wrote:
>>> What's the consensus here?
>> If we install patch, will git come next, since people will want to git am stuff? Not that I'm against having patch, it would make things easier.
> Well I won't be adding that one :-)
> Thinking about this more seriously, patch can be useful on text files on any system. git is only useful on systems where we're making git checkouts. git-am, if I'm reading the man page right, would only be useful where we have git checkouts and are receiving patches via mail?
Git am works on any file generated with git format-patch. That is most often used with email but it does encapsulate the author and the commit message and has a checksum itself that can be verified against the upstream repo. Probably not something we need in global.
-- Jes
On Thu, 16 Jul 2009, Toshio Kuratomi wrote:
> ricky and I were considering adding patch to global.pp and dennis brought up that it might be a command used to do malicious stuff. So what do you guys think?
> Pros: patch makes some things much easier to do. Want to cherrypick a change as a hotfix? Many times patch is needed to apply the diff. Want to replicate some changes from server1 to servers 2, 3, and 4? diff on server1, patch on the others. Need to review a change that someone else has done and then apply it? Read the diff they give you and apply it rather than grabbing the whole file, doing the diff yourself, and then applying it.
> Cons: patch is a commonly used utility that is often used to edit files. So the principle of not installing things that aren't needed makes it one more tool that an attacker won't have if they get remote execution on a box they shouldn't. However, there are many other things that an attacker can do if they gain remote execution. Rather than retrieving a diff and applying that to a file, the attacker can just retrieve a file and then replace the existing one; we have wget, curl, and scp installed. ed, sed, perl, python, and other text processing tools are available. I'm thinking if the attacker can gain the ability to execute a remote command and they have permission to touch files that are going to cause us harm, lack of patch isn't going to save us.
> Other:
> - patch doesn't have any deps that aren't already installed on one of our boxes.
> What's the consensus here?
+0 no opinion if it would be of some use. I've generally scp'd files where needed and copied from there. Same number of commands and files copied as if you were to patch:
scp blah.py app1: ; ssh app1 ; sudo cp blah.py /usr/blah
scp blah.patch app1: ; ssh app1; sudo patch -p1 < blah.patch
-Mike
On 07/16/2009 08:59 PM, Mike McGrath wrote:
> +0 no opinion if it would be of some use. I've generally scp'd files where needed and copied from there. Same number of commands and files copied as if you were to patch:
> scp blah.py app1: ; ssh app1 ; sudo cp blah.py /usr/blah
> scp blah.patch app1: ; ssh app1; sudo patch -p1 < blah.patch
Good point.
Of more use when you're showing someone else your changes/receiving changes from someone else.
-Toshio
Maybe I'm missing something here but if an attacker has access don't you have bigger problems?
--
Cheers, David JM Emmett
Sent from my iPhone
On 17 Jul 2009, at 03:59, Toshio Kuratomi a.badger@gmail.com wrote:
> ricky and I were considering adding patch to global.pp and dennis brought up that it might be a command used to do malicious stuff. So what do you guys think?
> Pros: patch makes some things much easier to do. Want to cherrypick a change as a hotfix? Many times patch is needed to apply the diff. Want to replicate some changes from server1 to servers 2, 3, and 4? diff on server1, patch on the others. Need to review a change that someone else has done and then apply it? Read the diff they give you and apply it rather than grabbing the whole file, doing the diff yourself, and then applying it.
> Cons: patch is a commonly used utility that is often used to edit files. So the principle of not installing things that aren't needed makes it one more tool that an attacker won't have if they get remote execution on a box they shouldn't. However, there are many other things that an attacker can do if they gain remote execution. Rather than retrieving a diff and applying that to a file, the attacker can just retrieve a file and then replace the existing one; we have wget, curl, and scp installed. ed, sed, perl, python, and other text processing tools are available. I'm thinking if the attacker can gain the ability to execute a remote command and they have permission to touch files that are going to cause us harm, lack of patch isn't going to save us.
> Other:
> - patch doesn't have any deps that aren't already installed on one of our boxes.
> What's the consensus here?
> -Toshio
Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list