Installing a compiler by default

Florian Diesch diesch at spamfence.net
Thu Jun 15 07:22:59 BST 2006


Lee Revell <rlrevell at joe-job.com> wrote:

> On Tue, 2006-06-13 at 02:56 +0200, Florian Diesch wrote:
>> Scott Dier <dieman at ringworld.org> wrote:
>> 
>> > Anders Karlsson wrote:
>> >> You misunderstand. A C compiler in itself does not compromise security,
>> >> and if you phrased the question like that, I'd tell you it was BS as
>> >> well. On a system that runs services it is bad security practice to
>> >> install a compiler, for reasons already explained, and the book Shawn
>> >> points you at will reaffirm this.
>> >
>> > Isn't having an interpreter of any sort just about the same problem?
>> 
>> With an interpreter you can execute code but with a C compiler you can
>> much more easily replace libs or kernel modules which is what most
>> root kits are doing.
>> 
> Um, the attacker would have to be root already to replace libs or kernel
> modules.  You've already lost at that point.  Game over, man.

Most automatic attacks fail if they don't find the environment they
expect. Got shot but didn't die.


   Florian
-- 
<http://www.florian-diesch.de/>



More information about the sounder mailing list