Installing a compiler by default
mdz at ubuntu.com
Thu Jun 8 22:21:30 BST 2006
On Thu, Jun 08, 2006 at 05:12:48PM -0400, Lee Revell wrote:
> On Thu, 2006-06-08 at 13:25 -0700, Matt Zimmerman wrote:
> > On Thu, Jun 08, 2006 at 04:19:30PM -0400, Lee Revell wrote:
> > > If someone cracks a system don't you think they could just compile on
> > > their local machine and upload binaries? I really don't understand the
> > > argument that having a compiler installed is a security issue.
> > The concern is about automated attacks, which take advantage of assumptions
> > about which tools and facilities are available.
> But if the attacker can execute shell commands wouldn't it be trivial to
> just change the assumption by modifying the script to upload the
> required binaries?
I don't want to argue the merits of this approach, but there are examples of
worms which work this way (and are foiled by the lack of a compiler).
More information about the sounder