- Try to vet the command line; allow only particular commands. It's
not enough to just say "only run gcc" because an attacker might try to send output to a file. This couldn't give total protection but it might help.
I wouldn't analyze the whole command line, since it can differ significantly from comiler to compiler (except for the comment trick as noted above). But a built-in, command-line-overwritable list of known compilers would make things way safer. Among other things, it would prevent an entire local network from being compromised just because one machine was compromised. And again, log before rejecting (both for attacker-tracking and debugging purposes).
Already implemented, for non-security reasons. See the patch at
http://kegel.com/crosstool/crosstool-0.28-rc34/patches/distcc-2.16/distcc-stringmap.patch
It only accepts compilers listed in an 'apps' file, and
allows partial matches. Crosstool uses this to implement
hetrogenous build clusters.
- Dan
__ distcc mailing list http://distcc.samba.org/
To unsubscribe or change options: http://lists.samba.org/mailman/listinfo/distcc
