On Wed, May 26, 2004 at 10:31:21AM -0700, Bill Moseley wrote:
> On Wed, May 26, 2004 at 09:36:52AM -0600, s. keeling wrote:
> > Usenix' ;login: had an article recently discussing this sort of
> > vulnerability.  If you're letting just anyone at your C compiler, you
> > MAY be facilitating exploits.
> 
> I suppose any access is more of a security risk.  But if someone can
> gain access via a network then it seems like they could also probably
> compile a program elsewhere and bring it in also.

If the binary is +r; it could be copied and +x added; or the entire
thing just interpreted through ld

$ /lib/ld-2.3.2.so `which gcc` test.c

> > Personally, I'd tend to think that once they're in, all bets are off
> > and locking down the C compiler is the least of your problems.
> 
> Exactly.

Indeed - attempting to lock down binaries like that serves only to
instill a false sense of security.

-- 
Jon Dowland


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to