Installing a compiler by default

Lee Revell rlrevell at joe-job.com
Thu Jun 15 16:40:27 BST 2006


On Thu, 2006-06-15 at 08:22 +0200, Florian Diesch wrote:
> Lee Revell <rlrevell at joe-job.com> wrote:
> 
> > On Tue, 2006-06-13 at 02:56 +0200, Florian Diesch wrote:
> >> Scott Dier <dieman at ringworld.org> wrote:
> >> 
> >> > Anders Karlsson wrote:
> >> >> You misunderstand. A C compiler in itself does not compromise security,
> >> >> and if you phrased the question like that, I'd tell you it was BS as
> >> >> well. On a system that runs services it is bad security practice to
> >> >> install a compiler, for reasons already explained, and the book Shawn
> >> >> points you at will reaffirm this.
> >> >
> >> > Isn't having an interpreter of any sort just about the same problem?
> >> 
> >> With an interpreter you can execute code but with a C compiler you can
> >> much more easily replace libs or kernel modules which is what most
> >> root kits are doing.
> >> 
> > Um, the attacker would have to be root already to replace libs or kernel
> > modules.  You've already lost at that point.  Game over, man.
> 
> Most automatic attacks fail if they don't find the environment they
> expect. Got shot but didn't die.

But if your target is Ubuntu it will be trivial to work around the lack
of a compiler.  You're root - you can just upload one or even apt-get
install it.  All this does is give a false sense of security.  It's the
computer security equivalent of the Maginot Line.

Lee



