| 1 |
On Tuesday 10 February 2004 14:15, Daniel Brandt wrote: |
| 2 |
> Having a compiler on the system _does NOT matter_! |
| 3 |
I think it does - as all other unnecessary software does. |
| 4 |
|
| 5 |
> What? You think it's bad if an attacker can compile stuff on your server? |
| 6 |
Yes. |
| 7 |
|
| 8 |
> If you know you won't find an attacker _before_ he's playing with your |
| 9 |
> compiler you should be more worried about your perimeter. |
| 10 |
I do not know that - but do you know that you'll find him before? |
| 11 |
|
| 12 |
> If I put myself in the attackers perspective, I would never compile |
| 13 |
> exploit source code on a cracked server. I would use obfuscated binaries, |
| 14 |
> nothing else, as this would further lessen the odds of discovery. |
| 15 |
Hmm, let's say the attacker gains access to the machine, the firewall blocks |
| 16 |
all binary transfer (I know uuencode/decode, but lets think the attacker is |
| 17 |
not in the position to transfer executables onto the compromised system, |
| 18 |
perhaps he can't transfer any files) and the attacker only needs 10 lines |
| 19 |
of c-code to exploit the kernel or whatever - don't worry about if he can |
| 20 |
compile the 10 lines or not? |
| 21 |
Perhaps also the system runs on alpha hardware but the attacker only has x86 |
| 22 |
binaries etc.. |
| 23 |
|
| 24 |
> Doesn't OpenBSD ship with a compiler? It does. Applying patches to source |
| 25 |
> code and compiling it is even the recommended way of keeping your system |
| 26 |
> up to date. |
| 27 |
If you really need a stable system you never compile and install any updates |
| 28 |
on this system directly, you compile it on another system to verify it's |
| 29 |
stablility etc. and than you can install it on the production system - |
| 30 |
never said that bsd is better/inferior btw... |
| 31 |
|
| 32 |
|
| 33 |
Overall I know that it's not the essential point to not have any compiler |
| 34 |
installed, but if you want to install a secure and stable system I think it |
| 35 |
is one point. |
| 36 |
Also the compiler was only used as example for unnecessary software which |
| 37 |
_can_ help the attacker, like a lot of other software which is normally |
| 38 |
installed. |
| 39 |
|
| 40 |
I don't want to discuss this further on this list as it's not a gentoo |
| 41 |
specific problem and I still think that for production systems there are |
| 42 |
some alternatives available... |
| 43 |
|
| 44 |
Regards |
| 45 |
Daniel |
| 46 |
|
| 47 |
-- |
| 48 |
"Those who would give up essential liberty, to purchase a little temporary |
| 49 |
safety, deserve neither liberty nor safety." - Benjamin Franklin |
| 50 |
|
| 51 |
|
| 52 |
-- |
| 53 |
gentoo-security@g.o mailing list |
Archives