From release notes for FC5T3 (web)

Bruno Wolff III bruno at wolff.to
Thu Mar 9 04:58:18 UTC 2006


On Tue, Mar 07, 2006 at 19:08:11 -0600,
  Jeff Vian <jvian10 at charter.net> wrote:
> On Mon, 2006-03-06 at 22:37 -0600, Bruno Wolff III wrote:
> > On Mon, Mar 06, 2006 at 18:59:49 -0500,
> >   "Michael H. Warfield" <mhw at WittsEnd.com> wrote:
> > > 
> > > 	In the security business, we have an expression for people like you.
> > > Those people who use the "install everything" button just because they
> > > "might" want something in the future (and then forget they installed it,
> > > if they even realize they installed it to begin with).
> > > 
> > > 	We dub thee "owned".
> > 
> > There is a big difference between installing everything and running every
> > service that you have installed.
> > 
> True, but having it installed makes it available to the attacker if the
> first line of defense gets breached. If it is not installed then it
> cannot be used.  That is why the "owned" moniker applies.

Except that the vast majority of these extra packages are worthless for
escalating privileges. You need something setuid or linkable that has some
byte pattern you need. Setuid binaries should be protected by SELinux.

There are some risks from installing extra software, but it is more in the
area of plugins and apache modules.

> Not limited to just the modules.  A recent exploit I became aware of
> results from php code that allowed global variables and URL injection to
> access the system.  A friend's server became a spam bot for the
> attacker.  Even though the mail server did not allow relaying, they were
> able to send it from the local host and got around that restriction.

PHP is covered under apache modules, though it is possible to run it as
a CGI program. The mail server is likely irrelevant. If they can run
arbitrary code in PHP, they can send out mail without using an installed
mail server. However, the config of the installed mail server might be
useful for getting past blocks put in place by the user's ISP.

> Any path is a possible weakness, and one weakness leads to others.  If
> the door is not there (package not installed) it cannot be opened.

Security isn't about absolutes. The chances of most add-on packages being
a security concern if they aren't used are very low. It can easily be the
case that for some people the convenience of having packages preinstalled
is worth taking the small extra risk of some package they didn't really
need being used to escalate privilege after a partial break.
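
An added example, not part of the original message or thread: one way to measure the exposure discussed above is to list the setuid/setgid binaries on a system and attribute each one to its owning package, so that set-id files belonging to packages nobody uses stand out. The function names (`list_setid`, `owner_pkg`, `audit_setid`) are hypothetical; the script assumes a POSIX shell with `find`, and falls back to a placeholder label where `rpm` is not installed.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files and the packages that own them.

# Print the path of every setuid or setgid regular file under directory $1.
# -xdev keeps the scan on one filesystem (skips /proc, network mounts, ...).
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print the name of the RPM package owning file $1.
# Files no package owns, or hosts without rpm, get a placeholder label.
owner_pkg() {
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf --qf '%{NAME}\n' "$1" 2>/dev/null) \
            && printf '%s\n' "$pkg" | head -n 1 \
            || echo "(unowned)"
    else
        echo "(rpm not available)"
    fi
}

# Print "PACKAGE<TAB>PATH" for each set-id file under $1, sorted by package,
# so all set-id binaries shipped by one package appear together.
audit_setid() {
    list_setid "$1" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(owner_pkg "$f")" "$f"
    done | sort
}

# Stand-alone use: sh audit.sh /usr
if [ "$#" -gt 0 ]; then
    audit_setid "$1"
fi
```

Packages in the output that are not in use are candidates for removal or for having the set-id bit dropped; files reported as unowned were not installed by the package manager and merit a closer look.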
