Installing a compiler by default
Cefiar
cef at optus.net
Sat Jun 10 05:41:52 BST 2006
On Friday 09 June 2006 02:44, Matt Zimmerman wrote:
> I would like to propose that, beginning in Edgy, Ubuntu desktop systems
> (both live and installed) should, by default, include the set of packages
> necessary to compile simple C programs and Linux kernel modules.

I think that if we do this, we need to provide some way of restricting access
to GCC. This removes most of the concern that people have, IMO.

Ideas on this:

Restrict it to all users in the group adm (or some other admin group) or give
it its own group, by default. This allows easy additions (just add the user
to the group and they can compile), and means that anyone NOT in that group
cannot actually execute it (eg: an exploited service). Applications that need
to run gcc as a specific user (such as distcc) could simply add themselves
into this group on install. Yes, if someone can get root on the box, they can
change this. If they can get root on the box though, you've got bigger
problems.

Allow the user to CHANGE this default so they can also allow any user who is
in the standard user ID range (as well as the group idea - a logical OR - we
don't want to break services that require it or that have been set up in
advance), or any user at all (comes with a big fat security warning). This
could be implemented in the package itself via debconf with a priority of
LOW, so it's not seen on the average package install, but is available
through a dpkg-reconfigure gcc, or some other tool (eg: update-alternatives).

Of course we would need to document the fact everywhere. Possibly if the user
is running a GUI, pop a notification icon up with a simple dialog stating the
facts on the "first run" of gcc (using a wrapper - possibly via
update-alternatives?). If the user isn't running a GUI (eg: server install),
then log it in the logs perhaps (eg: first run per login till some
notification value is changed, so as not to fill them up), or have a message
displayed to the first user on their next login?

This is all somewhat rough, but I'm sure most of you will get the idea.

--
Stuart Young - aka Cefiar - cef at optus.net
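
The group restriction proposed in the message above, as an added example that is not part of the original post or of any Ubuntu package. The function names, the `gcc-X.Y` placeholder path and the use of `adm` in the closing comment are assumptions for illustration; the demo operates on a constructed stand-in file, not a real compiler.

```shell
#!/bin/sh
# Added example, not from the original message. Paths and the group are
# assumptions; the demo works on a constructed stand-in, not a real compiler.

# restrict_to_group FILE GROUP
# Leave FILE executable by its owner and GROUP only (mode 0750).
restrict_to_group() {
    # /usr/bin/gcc is normally a symlink to a versioned binary, so resolve it
    # and change the real file.
    target=$(readlink -f "$1") || return 1
    [ -f "$target" ] || return 1
    chgrp "$2" "$target" && chmod 0750 "$target"
}

# world_executable DIR
# Print regular files under DIR that users outside the owner and group can
# still execute. Empty output means the restriction holds for DIR.
world_executable() {
    find "$1" -type f -perm -0001 -print
}

# Constructed demo: a fake versioned compiler plus the usual symlink.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho fake compiler\n' > "$d/gcc-X.Y"
    chmod 0755 "$d/gcc-X.Y"
    ln -s gcc-X.Y "$d/gcc"
    echo "before: $(world_executable "$d")"
    restrict_to_group "$d/gcc" "$(id -g)"   # own group, so no root is needed
    echo "after:  $(world_executable "$d")"
    rm -rf "$d"
}
demo

# On an installed system the same owner/group/mode would be registered with
# dpkg-statoverride so that package upgrades keep it, for example:
#   dpkg-statoverride --update --add root adm 0750 /usr/bin/gcc-X.Y
```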