Installing a compiler by default

Cefiar cef at optus.net
Sat Jun 10 05:41:52 BST 2006


On Friday 09 June 2006 02:44, Matt Zimmerman wrote:
> I would like to propose that, beginning in Edgy, Ubuntu desktop systems
> (both live and installed) should, by default, include the set of packages
> necessary to compile simple C programs and Linux kernel modules.

I think that if we do this, we need to provide some way of restricting access 
to GCC. This removes most of the concern that people have, IMO.

Ideas on this:

Restrict it to all users in the group adm (or some other admin group) or give 
it its own group, by default. This allows easy additions (just add the user 
to the group and they can compile), and means that anyone NOT in that group 
cannot actually execute it (eg: an exploited service). Applications that need 
to run gcc as a specific user (such as distcc) could simply add themselves 
into this group on install. Yes, if someone can get root on the box, they can 
change this. If they can get root on the box though, you've got bigger 
problems.

Allow the user to CHANGE this default so they can also allow any user who is 
in the standard user ID range (as well as the group idea - a logical OR - we 
don't want to break services that require it or that have been set up in 
advance), or any user at all (comes with a big fat security warning). This 
could be implemented in the package itself via debconf with a priority of 
LOW, so it's not seen on the average package install, but is available 
through a dpkg-reconfigure gcc, or some other tool (eg: update-alternatives).

Of course we would need to document the fact everywhere. Possibly if the user 
is running a GUI, pop a notification icon up with a simple dialog stating the 
facts on the "first run" of gcc (using a wrapper - possibly via 
update-alternatives?). If the user isn't running a GUI (eg: server install), 
then log it in the logs perhaps (eg: first run per login till some 
notification value is changed, so as not to fill them up), or have a message 
displayed to the first user on their next login?

This is all somewhat rough, but I'm sure most of you will get the idea.

-- 
 Stuart Young - aka Cefiar - cef at optus.net
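As an added example (not part of Stuart's message or of any Ubuntu package), one way to implement the group restriction proposed above on a Debian-style system, using dpkg-statoverride so the ownership and mode survive package upgrades; the group name gcc-users, the mode and the helper function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or any Ubuntu package: restrict
# running the compiler to one group with dpkg-statoverride, so the ownership
# and mode persist across package upgrades. The group name "gcc-users",
# the mode and the helper names below are this example's assumptions.
COMPILER_GROUP="${COMPILER_GROUP:-gcc-users}"
COMPILER_BIN="${COMPILER_BIN:-/usr/bin/gcc}"
RESTRICTED_MODE="${RESTRICTED_MODE:-0750}"   # root:gcc-users, nothing for "other"

# Apply the restriction (needs root; not run automatically by this script).
restrict_compiler() {
    getent group "$COMPILER_GROUP" >/dev/null || groupadd --system "$COMPILER_GROUP"
    # --update chowns/chmods the file now as well as recording the override
    dpkg-statoverride --update --add root "$COMPILER_GROUP" "$RESTRICTED_MODE" "$COMPILER_BIN"
}

# Let one account compile: add it to the group (e.g. a distcc service user).
allow_compiler_user() {
    usermod -a -G "$COMPILER_GROUP" "$1"
}

# Core check on an "owner group octal-mode" triple: execution must be
# possible for the group and impossible for "other". Returns 0 if restricted.
perms_restrict() {
    owner="$1"; group="$2"; mode="$3"
    [ "$owner" = "root" ] || return 1
    [ "$group" = "$COMPILER_GROUP" ] || return 1
    other=${mode#${mode%?}}          # last octal digit: "other" bits
    rest=${mode%?}
    grp=${rest#${rest%?}}            # second-to-last digit: group bits
    case "$grp" in 1|3|5|7) ;; *) return 1 ;; esac         # group can execute
    case "$other" in 0|2|4|6) return 0 ;; *) return 1 ;; esac   # other cannot
}

# Check one line of "dpkg-statoverride --list" output: "user group mode path".
override_restricts() {
    set -- $1
    [ "$#" -eq 4 ] && [ "$4" = "$COMPILER_BIN" ] || return 1
    perms_restrict "$1" "$2" "$3"
}

# Live audit of the installed binary (GNU stat); usable without root.
audit_compiler() {
    perm=$(stat -c '%U %G %a' "$COMPILER_BIN") || return 1
    set -- $perm
    perms_restrict "$1" "$2" "$3"
}
```

Note that gcc is only a driver: the same override should be applied to cc, as, ld and the cc1 back end under /usr/lib/gcc, otherwise the restriction covers the front door only. Run `restrict_compiler` once as root, then `audit_compiler` from any account to confirm the mode took effect.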



More information about the sounder mailing list