I happened to browse through a FreeBSD and a CentOS based virtual
server and was amazed on both occasions as to how slim these machines
were. I've seen embedded Linux running more processes on hardware
servers than what these machines were running. In that sense, gcc and
toolchain will be easily perceived as bloat and potential for
vulnerabilities and exploitation. In my humble opinion, it is all
relevant. If you understand SELinux you may want to have a look at
it. One of these days I promised myself to have a good read of it
without falling asleep or developing a migraine! :p

The beauty of Gentoo is that you can build it as you want it.

2009/2/16 Mike Kazantsev <mike_kazantsev@×××××××.net>:
> On Mon, 16 Feb 2009 13:48:04 +0100
> Johannes Frandsen <jsf@××××××.dk> wrote:
>
>> I got into a discussion about which server to recommend for running
>> the php5 symfony framework, and I recommended Gentoo as I had been
>> using it myself for a couple of years and have been very satisfied
>> with it.
>> Somebody pointed out that having a production server with gcc
>> installed was a big no-no security-wise, so I did a bit of googling on
>> that topic and found a couple of articles supporting that view.
>
> I suppose it makes sense only in a much broader context: "remove
> everything that isn't necessary, even gcc".
>
> It might certainly give an attacker a harder time, but if it's an x86/64 linux
> machine, I think that hardly matters - static binaries won't be a
> problem, so, if you're seriously considering that step to be necessary
> - get rid of coreutils (especially that 'rm' utility) and all the
> interpreters (even awk!) first.
>
> --
> Mike Kazantsev // fraggod.net
>

--
Regards,
Mick
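
An added example, not part of the original thread: a small hardening inventory that lists both build tools and interpreters present on a host, so the "remove gcc" question can be judged against everything else that can run code. The function name and the two name lists are assumptions chosen for illustration, not a complete catalogue.

```shell
#!/bin/sh
# Added example: inventory build tools and interpreters on a host.
# Both name lists are an illustrative selection (assumption).
TOOLCHAIN="gcc g++ cc c++ cpp clang as ld make"
INTERPRETERS="sh bash awk perl python python3 php ruby"

# audit_exec_surface [DIR...]
# Prints "<class> <path>" for every listed name that exists as an
# executable regular file in the given directories.
# With no arguments it scans the directories in $PATH.
audit_exec_surface() {
    if [ "$#" -eq 0 ]; then
        # Split PATH on ':' into the positional parameters.
        old_ifs=$IFS
        IFS=:
        set -- $PATH
        IFS=$old_ifs
    fi
    for dir in "$@"; do
        # Skip PATH entries that do not exist on this host.
        [ -d "$dir" ] || continue
        for name in $TOOLCHAIN; do
            [ -f "$dir/$name" ] && [ -x "$dir/$name" ] &&
                echo "toolchain $dir/$name"
        done
        for name in $INTERPRETERS; do
            [ -f "$dir/$name" ] && [ -x "$dir/$name" ] &&
                echo "interpreter $dir/$name"
        done
    done
    return 0
}

# Usage: audit_exec_surface              (scan $PATH)
#        audit_exec_surface /usr/bin     (scan one directory)
```

On a server that must run PHP, the interpreter lines stay even after the toolchain lines are gone, which is the trade-off discussed in the quoted reply.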