On Fri, 27 Aug 2004 10:10:03 -0700, Daniel Kegel <[EMAIL PROTECTED]> wrote:
> > I wouldn't analyze the whole command line, since it can differ significantly
> > from compiler to compiler (except for the comment trick as noted above). But a
> > built-in, command-line-overwritable list of known compilers would make things
> > way safer. Among other things, it would prevent an entire local network from
> > being compromised just because one machine was compromised. And again, log
> > before rejecting (both for attacker-tracking and debugging purposes).
>
> Already implemented, for non-security reasons. See the patch at
>
> http://kegel.com/crosstool/crosstool-0.28-rc34/patches/distcc-2.16/distcc-stringmap.patch

I should probably merge this, but it would be trivial for an attacker to
bypass it: just something like this....

  gcc -MF /home/victim/.ssh/authorized_keys ........

It might be interesting for someone to try a distcc SELinux profile
sometime. I think that would give you really strong assurance that it
can run only a particular compiler and nothing else.

I suppose chrooting it in conjunction with bsd jails or grsecurity to
restrict other system calls might also help.

--
Martin
__
distcc mailing list
http://distcc.samba.org/
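The point made in the reply above, as an added example that is not distcc's code and not the linked patch: a server-side check that pairs the known-compiler list with confinement of the paths the compiler is told to write, logging before it rejects. The names `check_job`, `known_compilers`, `write_opts` and the per-job directory `/tmp/distccd_job1` are assumptions, and `write_opts` covers only `-o` and `-MF`, so this narrows the gap without replacing the SELinux or chroot confinement suggested in the message.

```c
#include <stdio.h>
#include <string.h>
enum verdict { ACCEPT, REJECT_COMPILER, REJECT_PASSTHRU, REJECT_PATH };
/* Assumed policy for this sketch; not distcc's own tables. */
static const char *const known_compilers[] = { "gcc", "g++", "cc", "c++", NULL };
/* GCC options whose argument (joined or separate) names a file gcc writes. */
static const char *const write_opts[] = { "-o", "-MF", NULL };

/* Confined = strictly below jobdir and free of ".." anywhere in the path. */
static int confined(const char *path, const char *jobdir) {
    size_t n = strlen(jobdir);
    return strncmp(path, jobdir, n) == 0 && path[n] == '/' &&
           strstr(path, "..") == NULL;
}

/* Log first, then reject, as the thread asks. */
static enum verdict reject(enum verdict v, const char *why, const char *arg) {
    fprintf(stderr, "job-check: rejecting job: %s: %s\n", why, arg);
    return v;
}

enum verdict check_job(char *const argv[], const char *jobdir) {
    int known = 0;
    for (int k = 0; known_compilers[k]; k++)
        known |= strcmp(argv[0], known_compilers[k]) == 0;
    if (!known)  /* bare names only: "/some/dir/gcc" is not on the list */
        return reject(REJECT_COMPILER, "compiler not on list", argv[0]);
    for (int i = 1; argv[i]; i++) {
        const char *a = argv[i];
        if (strncmp(a, "-Wp,", 4) == 0)  /* hands raw options to cpp */
            return reject(REJECT_PASSTHRU, "pass-through option", a);
        for (int k = 0; write_opts[k]; k++) {
            size_t n = strlen(write_opts[k]);
            if (strncmp(a, write_opts[k], n) != 0) continue;
            const char *path = a[n] ? a + n : argv[++i];
            if (!path || !confined(path, jobdir))
                return reject(REJECT_PATH, "output outside job dir",
                              path ? path : "(missing)");
            break;
        }
    }
    return ACCEPT;
}

int main(void) {
    /* Constructed jobs; the second is the command line from the message. */
    char *ok[]  = { "gcc", "-c", "job.i", "-o", "/tmp/distccd_job1/job.o", NULL };
    char *bad[] = { "gcc", "-MF", "/home/victim/.ssh/authorized_keys", NULL };
    printf("%d %d\n", check_job(ok, "/tmp/distccd_job1"), check_job(bad, "/tmp/distccd_job1"));
    return 0;
}
```

A job that passes the compiler list alone would have run the second command line; with the path check it is logged and refused.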