Installing a compiler by default
Cefiar
cef at optus.net
Fri Jun 16 04:13:45 BST 2006
On Friday 16 June 2006 13:00, Michael T. Richter wrote:
> On Fri, 2006-16-06 at 12:49 +1000, Cefiar wrote:
> > On Friday 16 June 2006 09:38, Michael T. Richter wrote:
> > > On Thu, 2006-15-06 at 13:27 -0400, Shawn McMahon wrote:
> > > > > But if your target is Ubuntu it will be trivial to work around the
> > > > > lack of a compiler. You're root - you can just upload one or even
> > > > > apt-get
> > > >
> > > > Your target is usually "several million Linux boxes", not "this
> > > > particular Ubuntu box". You're right that lack of a compiler is very
> > > > little defense against some guy trying to break into your box; but
> > > > it's of more use against some guy trying to break into all of them.
> > >
> > > How difficult is it to write a script that tries the three major
> > > package downloading schemes? Something along the lines of:
> > >
> > > apt-get gcc
> > > if that didn't work:
> > >
> > > whatever-redhat-uses gcc
> > > if that didn't work:
> > >
> > > whatever-gentoo-uses gcc
> >
> > All 3 require root on the machine to install in the usual places.
>
> I call attention to the beginning of the section you quoted:
> > > > > But if your target is Ubuntu it will be trivial to work around the
> > > > > lack of a compiler. You're root - you can just upload one or even
> > > > > apt-get
>
> Note the words "you're root" in the establishing conditions?
Fair enough then. If they're root anyway, you're probably stuffed. I was
pointing out elsewhere (another thread) about using gcc to bootstrap the
process of getting root after getting access to the machine as a non-root
user (eg: exploiting something that does not run as root first to get a
toe-hold on the machine, something that I've seen in the wild), specifically
the advantage of avoiding it's usage in such a case. Seems I've got my
threads mixed here.
--
Stuart Young - aka Cefiar - cef at optus.net
More information about the sounder
mailing list