Installing a compiler by default
rlrevell at joe-job.com
Thu Jun 15 16:40:27 BST 2006
On Thu, 2006-06-15 at 08:22 +0200, Florian Diesch wrote:
> Lee Revell <rlrevell at joe-job.com> wrote:
> > On Tue, 2006-06-13 at 02:56 +0200, Florian Diesch wrote:
> >> Scott Dier <dieman at ringworld.org> wrote:
> >> > Anders Karlsson wrote:
> >> >> You misunderstand. A C compiler in itself does not compromise security,
> >> >> and if you phrased the question like that, I'd tell you it was BS as
> >> >> well. On a system that run services it is bad security practise to
> >> >> install a compiler, for reasons already explained, and the book Shawn
> >> >> points you at will reaffirm this.
> >> >
> >> > Isn't having a interpreter of any sort just about the same problem?
> >> With an interpreter you can execute code but with a C compiler you can
> >> much more easily replace libs or kernel modules which is what most
> >> root kits are doing.
> > Um, the attacker would have to be root already to replace libs or kernel
> > modules. You've already lost at that point. Game over, man.
> Most automatic attacks fail if they don't find the environment they
> expect. Got shot but didn't die.
But if your target is Ubuntu it will be trivial to work around the lack
of a compiler. You're root - you can just upload one or even apt-get
install it. All this does is give a false sense of security. It's the
computer security equivalent of the Maginot Line.
More information about the sounder