- 10-05-2008 #1 Just Joined!
- Join Date
- Aug 2008
- Location
- Seattle, WA
- Posts
- 46
securing compilers (gcc)
so I need gcc installed on my server to build a few things that aren't packaged in Debian. I'm concerned with user security though, since it's really easy to compile shellcode (or other things I don't want running). I figure that 'noexec' on the /home and /tmp directories should cover me, but I'd feel better knowing that the compilers were just not accessible to shell users. is there a good way to do this? I imagine SELinux with RBAC would do it, but I don't really feel like taking the plunge into SELinux yet (or doing so on Debian.)
any other thoughts?
- 10-05-2008 #2
This isn't very professional, but perhaps you could temporarily install gcc for long enough to compile what you need and then remove it.
Registered Linux user #388328 || Registered LFS user #15880
AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
Need instant help? Try us on IRC -- #linuxforums on freenode
- 10-05-2008 #3 Just Joined!
yeah... and that doesn't account for situations in which I might want a subset of users to have access to the compiler, although that's really just a luxury. if it's root only, sudo could do that, as long as I explicitly define which commands they can use in the sudoers file.
- 10-05-2008 #4
I asked myself that question when I set up my first server. After having thought a bit about it, I concluded it would not have improved the security if I had denied users access to the compiler. After all, they were capable of compiling stuff on their own machine and uploading it if they wanted to.
Debian GNU/Linux -- You know you want it.
- 10-05-2008 #5 Just Joined!
AH! I remember having that thought as I fell asleep yesterday...
that's what noexec is for though
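
Added example, not part of any post in this thread: a shell check for the noexec approach discussed above. noexec is a per-mount option, so it only covers /home or /tmp if that directory is its own mount; otherwise the path inherits the options of the parent filesystem. The function name and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Report whether a path sits on a filesystem mounted noexec.
# Input uses the /proc/mounts layout: device mountpoint fstype options dump pass

# Constructed sample mount table (not from the thread): /tmp is its own
# noexec mount, while /home is NOT a separate mount and inherits "/" options.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /var ext3 rw,nosuid 0 0'

# noexec_status PATH [MOUNTS_FILE]
# Prints "noexec <mountpoint>" or "exec <mountpoint>" for the longest mount
# point that covers PATH. MOUNTS_FILE defaults to the live /proc/mounts.
noexec_status() {
    path=$1
    mounts=${2:-/proc/mounts}
    awk -v p="$path" '
    {
        mp = $2
        # mp covers p if it is "/", equals p, or is a prefix ending at a "/"
        # boundary (so /tmp does not match /tmpfoo).
        covers = (mp == "/" || p == mp || index(p, mp "/") == 1)
        # ">=" lets a later mount on the same mount point override an earlier one.
        if (covers && length(mp) >= length(best)) { best = mp; opts = $4 }
    }
    END {
        if (best == "") exit 2
        n = split(opts, o, ",")
        state = "exec"
        for (i = 1; i <= n; i++) if (o[i] == "noexec") state = "noexec"
        print state, best
    }' "$mounts"
}
```

Run `noexec_status /home/someuser` and `noexec_status /tmp` on the server; an answer of `exec /` for a home directory means /home is not a separate mount and the noexec option is not in effect there.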



