On Tuesday 10 February 2004 14:15, Daniel Brandt wrote:

> Having a compiler on the system _does NOT matter_!

I think it does - as all other unnecessary software does.

> What? You think it's bad if an attacker can compile stuff on your server?

Yes.

> If you know you won't find an attacker _before_ he's playing with your
> compiler you should be more worried about your perimeter.

I do not know that - but do you know that you'll find him before?

> If I put myself in the attacker's perspective, I would never compile
> exploit source code on a cracked server. I would use obfuscated binaries,
> nothing else, as this would further lessen the odds of discovery.

Hmm, let's say the attacker gains access to the machine, the firewall blocks
all binary transfer (I know uuencode/uudecode, but let's assume the attacker is
not in a position to transfer executables onto the compromised system,
perhaps he can't transfer any files at all) and the attacker only needs 10 lines
of C code to exploit the kernel or whatever - don't worry about whether he can
compile the 10 lines or not?
Perhaps also the system runs on Alpha hardware but the attacker only has x86
binaries etc.

> Doesn't OpenBSD ship with a compiler? It does. Applying patches to source
> code and compiling it is even the recommended way of keeping your system
> up to date.

If you really need a stable system you never compile and install any updates
on this system directly; you compile them on another system to verify their
stability etc., and then you can install them on the production system -
never said that BSD is better/inferior btw...


Overall I know that not having any compiler installed is not the essential
point, but if you want to install a secure and stable system I think it
is one point.
Also, the compiler was only used as an example of unnecessary software which
_can_ help the attacker, like a lot of other software which is normally
installed.

I don't want to discuss this further on this list as it's not a Gentoo-
specific problem and I still think that for production systems there are
some alternatives available...

Regards
Daniel

--
"Those who would give up essential liberty, to purchase a little temporary
safety, deserve neither liberty nor safety." - Benjamin Franklin


--
gentoo-security@g.o mailing list
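The check a practitioner would want for the point argued in this message (that a production host should carry no toolchain an intruder could use to turn ten lines of C into a running exploit) is a script that audits the host for compilers, assembler, linker, make and the scripting interpreters that serve the same purpose. The block below is an added example, not code from the original thread or from Gentoo; the list of names and the constructed directory tree used by demo() are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Audits a set of
# directories for build toolchain binaries (compilers, assembler, linker,
# make) and for interpreters an attacker could use instead of a compiler.
# The name list and the constructed demo tree are assumptions.

# Programs that let an intruder turn text into executable code on the host.
TOOLCHAIN_NAMES="gcc cc c++ g++ clang tcc as ld make perl python"

# find_toolchains DIR...
# Prints the path of every toolchain binary found in the given directories.
# Returns 1 when at least one was found, so it can gate an image build.
find_toolchains() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for name in $TOOLCHAIN_NAMES; do
            if [ -x "$dir/$name" ]; then
                printf '%s\n' "$dir/$name"
                found=1
            fi
        done
    done
    return "$found"
}

# count_toolchains DIR...
# Prints how many toolchain binaries were found (0 means the check passed).
count_toolchains() {
    find_toolchains "$@" | wc -l | tr -d ' '
}

# demo: runs the check over a constructed directory tree (never the live
# system) and prints the count: 2, for gcc and perl; ls is not flagged.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin" "$tmp/usr/bin"
    for f in usr/bin/gcc usr/bin/perl bin/ls; do
        : > "$tmp/$f"
        chmod +x "$tmp/$f"
    done
    count_toolchains "$tmp/bin" "$tmp/usr/bin"
    rm -rf "$tmp"
}

demo
# To audit the real host instead of the constructed tree:
#   find_toolchains /bin /usr/bin /usr/local/bin || echo "toolchain present"
```

The return status of find_toolchains is the useful part: run it as the last step of building a production image and fail the build when it returns non-zero. On Gentoo the "compile elsewhere, install here" workflow the message describes maps onto Portage's own binary-package options (build with emerge --buildpkg on a build host, install with emerge --usepkg on production), so the production host never needs the toolchain for updates; that pairing is the editor's note, not something the thread states.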