Installing a compiler by default
diesch at spamfence.net
Thu Jun 15 07:22:59 BST 2006
Lee Revell <rlrevell at joe-job.com> wrote:
> On Tue, 2006-06-13 at 02:56 +0200, Florian Diesch wrote:
>> Scott Dier <dieman at ringworld.org> wrote:
>> > Anders Karlsson wrote:
>> >> You misunderstand. A C compiler in itself does not compromise security,
>> >> and if you phrased the question like that, I'd tell you it was BS as
>> >> well. On a system that run services it is bad security practise to
>> >> install a compiler, for reasons already explained, and the book Shawn
>> >> points you at will reaffirm this.
>> > Isn't having a interpreter of any sort just about the same problem?
>> With an interpreter you can execute code but with a C compiler you can
>> much more easily replace libs or kernel modules which is what most
>> root kits are doing.
> Um, the attacker would have to be root already to replace libs or kernel
> modules. You've already lost at that point. Game over, man.
Most automatic attacks fail if they don't find the environment they
expect. Got shot but didn't die.
More information about the sounder