by fulafel 499 days ago
> If you can ssh into a machine and port forward a socket, you already have permission to do all the other things.

Only technically. There are lots of situations where people (or robotic alarm bells) will be miffed if you install your custom sw stacks, remote shells, "i don't know what these binaries are" etc on some servers you're supposedly just editing config files on.


There are lots of situations where people will not notice at all. At my last gig, I wrote pretty extensive Ansible manifests that built and configured all my favorite tools on bog-standard company-provided development hosts so I found them cozy for remote work. I took severe liberties with these hosts and nobody batted an eye.

Yeah, this is just being sensible. There, at most, you might lack some approval for your solid engineering decision. But when the described kind of worming in happens without your knowledge and there's just some random reverse shell stuff appearing out of nowhere, nobody has looked through the sw to see if it's secure, what's the supply chain, etc, it's different.