Installing a compiler by default
Anders Karlsson
trudheim at gmail.com
Fri Jun 16 06:50:55 BST 2006
On Fri, 2006-06-16 at 07:38 +0800, Michael T. Richter wrote:
[snip: breaking in to a box]
> How difficult is it to write a script that tries the three major
> package downloading schemes? Something along the lines of:
> apt-get gcc
> if that didn't work:
> whatever-redhat-uses gcc
> if that didn't work:
> whatever-gentoo-uses gcc
>
Because when you break in via automated means you are probably not root,
so using the system tools to download a compiler is unlikely to be the
approach by the intruder. This is all theoretical and hypothetical
anyway, as no user should be running any services on an Ubuntu Desktop
install. I mean, who'd install apache to get a web-server for the Gnome
"user set up a public share directory" or install samba and swat to
enable file and printer sharing... Remote access via ssh or similar is
useless as well, no user would install that as soon as the install
proper had finished, would they?

I *know* the default install does not listen to any ports on a non-local
interface, *but* within minutes of an install it is _likely_ it will be.

I *know* there is Perl and Python in the install by default, but neither
of them allow you to rapidly (read automatically or through automated
means) create a kernel module that patches system calls to totally
disguise your hacking activities. Perl and Python may be adequate to
escalate privileges with, but most script-kiddie exploits rely on C
(what I have seen anyway, if there is contradictory information I'd be
interested to read that).

There is a book, ISBN 0672316706, "Maximum Linux Security: A Hacker's
Guide to Protecting Your Linux Server and Network", published by Sams,
that is a really good read.

*IF* the decision has been made to have a C compiler installed by
default, then it would be foolish not to have a proper firewall
installed and active by default. In answer to 'why?' - why not? If the
question and answer works in favour of a compiler and tool-chain, it
works in favour of security. It takes up less space than the compiler, it
shouldn't take too long to create or just install smoothwall by default
with a sufficiently secure default setting.

The reason I am using Ubuntu is because it is easy to use. If I had more
time on my hands, I'd probably use Gentoo instead - but I got fed up
with spending time compiling things. I am all for making life easier for
the users as I am one of them. Sure, I have compilers (couple of
versions of gcc actually) installed, I run services, I tinker with lots
of things, but I am not a representative average Joe User. Joe User is
not interested in compiling drivers to get on the net, if it don't work,
Joe User will install another OS that *does* work - out of the box. Joe
User does not care too much about the command line, Joe User wants pretty
point-and-drool interface. Installing a C compiler by default will not
make Joe User happy as Joe User will not notice it, he *will* notice
that synchronising his PDA via bluetooth is a pain in the butt, and that
setting up a dual-head config between internal TFT and external VGA on
his laptop is far too hard to do off the bat.

I'll shut up now..
[snip]
--
Anders Karlsson <trudheim at gmail.com>