  1. #1
    Just Joined!
    Join Date
    Aug 2008
    Location
    Seattle, WA
    Posts
    46

    securing compilers (gcc)


    so I need gcc installed on my server to build a few things that aren't packaged in Debian. I'm concerned with user security though, since it's really easy to compile shellcode (or other things I don't want running). I figure that 'noexec' on the /home and /tmp directories should cover me, but I'd feel better knowing that the compilers were just not accessible to shell users. is there a good way to do this? I imagine SELinux with RBAC would do it, but I don't really feel like taking the plunge into SELinux yet (or doing so on Debian.)

    any other thoughts?

  2. #2
    Linux Guru smolloy
    Join Date
    Apr 2005
    Location
    CA, but from N.Ireland
    Posts
    2,414
    This isn't very professional, but perhaps you could temporarily install gcc for long enough to compile what you need and then remove it.

  3. #3
    Just Joined!
    Join Date
    Aug 2008
    Location
    Seattle, WA
    Posts
    46
    Originally posted by smolloy:
    This isn't very professional, but perhaps you could temporarily install gcc for long enough to compile what you need and then remove it.
    yeah... and that doesn't account for situations in which I might want a subset of users to have access to the compiler, although that's really just a luxury. if it's root only, sudo could do that, as long as I explicitly define which commands they can use in the sudoers file.

  4. #4
    Linux Engineer GNU-Fan
    Join Date
    Mar 2008
    Posts
    935
    I asked myself that question when I set up my first server. After having thought a bit about it, I concluded it would not have improved the security if I had denied users access to the compiler. After all, they were capable of compiling stuff on their own machine and uploading it if they wanted to.

  5. #5
    Just Joined!
    Join Date
    Aug 2008
    Location
    Seattle, WA
    Posts
    46
    AH! I remember having that thought as I fell asleep yesterday...

    that's what noexec is for though
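
Added example, not part of any post in this thread: a POSIX shell audit of the two controls discussed above, namely whether a path really sits on a `noexec` mount and whether the compiler binary is executable by users outside its owner and group. The mount table in `SAMPLE_MOUNTS` is constructed sample data in `/proc/mounts` format, and the `/home/build` mount and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# SAMPLE_MOUNTS is constructed /proc/mounts-style data, not from a real host.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home/build ext4 rw,relatime 0 0'

# Print the mount options of the filesystem holding path $1, given mount
# table text in $2. The longest matching mount point wins, so a nested
# mount such as /home/build does not inherit noexec from /home.
mount_opts_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { mp = $2
          if ((mp == "/" || p == mp || index(p, mp "/") == 1) && length(mp) > best) {
              best = length(mp); opts = $4 } }
        END { print opts }'
}

# Succeed if the filesystem holding $1 is mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if file $1 carries the execute bit for "other" (symlinks followed).
# Reads only the mode string; POSIX ACLs are not evaluated here.
other_can_exec() {
    perms=$(ls -ldL -- "$1") || return 2
    case "$(printf '%s' "$perms" | cut -c10)" in
        x|t) return 0 ;;
        *) return 1 ;;
    esac
}

# Report each path in "$@" (after the mount table in $1).
audit() {
    tbl=$1; shift
    for p in "$@"; do
        if is_noexec "$p" "$tbl"; then echo "ok    $p is noexec"
        else echo "WARN  $p allows execution"; fi
    done
}

audit "$SAMPLE_MOUNTS" /home /tmp /home/build
cc_path=$(command -v gcc || true)
if [ -n "$cc_path" ] && other_can_exec "$cc_path"; then
    echo "WARN  $cc_path is executable by all users"
fi
```

To audit the live system, pass `"$(cat /proc/mounts)"` as the mount table. On Debian, a mode or group change on a packaged binary survives upgrades only if it is registered with `dpkg-statoverride`.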
