Scott Plumlee wrote:
NetNeanderthal wrote:
On 8/24/06, Anton Karpov <[EMAIL PROTECTED]> wrote:
Removing the compiler doesn't bring much more security to your system, but it can make it a little bit safer. Very little bit, but safer. I mean, if your
system has a local root hole, for example, in this case a cracker should
compile his sploit somewhere outside your box, and transfer the binary file onto
it, thus, it takes more time than "cat > /tmp/.spl01t.c && gcc
/tmp/.spl01t.c && ./a.out". And usually, crackers are limited in time resources.

This patently futile measure contributes zero security to the system
and it does not make the system even 'a little bit safer'.  Please
substantiate your claim based on the security record of a large
Redmond-based OS that is distributed sans compiler.


Disclaimer - I manage only a few, non-critical machines, and am at best a journeyman OpenBSD user.

I like the point that Bruce Schneier often makes: security is about risk versus cost (or benefit versus cost). For different companies and different admins, these two choices have a different benefit and cost: having a compiler on a production machine or having to maintain another machine for performing make release (or whatever other method you prefer to use to upgrade - copy binaries, etc).

If you don't have a second machine upon which to make release, then having the compiler on the production machine is acceptable because being able to patch the machine outweighs not having the compiler in terms of security benefit. As Nick said, if not having the compiler means you don't upgrade, then that's a pretty heavy risk for whatever benefit you do realize.

I realize that this is a simplified way of looking at it, and there are other considerations (physical access to upgrade versus remote access, downtime needed, etc) but in the end any good business decision is risk/benefit versus cost. I don't think any of the methods that have been discussed are wrong or right, each is correct according to the decisions that the admins have made for their own machines.

Personally, I like to use make release, as I was pointed towards that method here once and it's worked for me. To each their own.

Through all of this, and maybe I've just missed it, what happens when a user tries to make spl01t.c?
Nick
