2010/2/1 <schism@×××××××××.org>

>
> Removing the toolchain is an old, common misconception whose originator
> I would love to meet and slap some sense into.
>
> What exactly are you defending against? If the server is compromised,
> it's game over - they'll run whatever code they want, be that [highly
> unlikely] compiling a binary to attack further or [highly likely] use a
> pre-compiled static binary of their own. If you don't have a toolchain
> and they must have one, they'll download a static one and bootstrap it.
>
> Better to learn the use of a good access control system like the
> grsecurity RBAC that is integrated into hardened-gentoo to prevent
> misuse of the toolchain than to go through fragile and unsupportable
> gyrations trying to prevent a phantom threat.
>
>
I would agree on that.
But sometimes you have to answer some needs which are expressed by a
hierarchy level you can't slap some sense into.
Unless you want to start writing a new résumé.

If you have a choice, then leave the base Gentoo tools and just control access.

--
Pierre.
"Sometimes when I'm talking, my words can't keep up with my thoughts. I
wonder why we think faster than we speak. Probably so we can think twice." -
Bill Watterson