by peterwwillis 5076 days ago
If you've got a backtick operator, you are already running code, thus game over. And if puppet is mis-configuring your system, well that's got implications that go beyond just what software is installed.

Advocating a smaller surface area in your example is the same thing as telling someone to buy a bigger/better lock to protect their door. Sure, it makes your door more secure by reducing the "surface area" of a lesser-designed lock. But if you had done the basic auditing of the outside of the building, you'd see the huge glass window fitted next to the door - which may not be "exploited" yet, but all someone needs is the right size rock.

Tuning your services and filesystem perms is equivalent to putting bars on the window. It doesn't make penetration impossible, but it does a lot more general good than a bigger lock.