[CentOS] compilers a security risk?

Les Mikesell lesmikesell at gmail.com
Sun Mar 7 17:54:23 UTC 2010


Kwan Lowe wrote:
> On Sat, Mar 6, 2010 at 6:02 PM, Dave Stevens <geek at uniserve.com> wrote:
>> I manage a web hosting server that we've recently upgraded, in part so
>> we could accommodate a domain that will enable community mapping. In a
>> recent exchange of mails one developer said:
>>
>>
>> "I could build the package directly on the server machine you have,
>> provided that the potential security risk posed by having compilers
>> installed is not an issue."
>>
>> and another said:
>>
>> "What sort of security risk is there in having compilers installed on a
>> working server?
>>
>> "Obviously we can remove the compilers, however when Mapserver or postgis
>> get updated, we will need to build new packages somewhere. One option:
>> create a second VM for mapchat. We'll put the build environment on it,
>> and only turn it on to make new packages."
>>
>> I don't have enough experience to assess the security issues. Does
>> anyone have an opinion on this? It would be simple and feasible to
>> allocate another domain as suggested above.
> 
> Just playing Devil's advocate htere...
> 
> It's conceivable to be kernel specific code that would need to be
> compiled specifically for a particular system. For example, an exploit
> in a kernel module loader may need to be compiled. If someone had to
> deliver this exploit to many systems they could rely upon the ability
> to compile the code rather than pushing a binary module. The former
> could very well be hidden in some other vector, but the latter would
> likely trip off signature or other scanners.
> 
> I'd generally agree with the others though that in itself installing
> the compilers is not a great security risk, provided it's sufficiently
> locked down (e.g., maybe use selinux in addition to basic Unix
> permissions to prevent running from the web accounts, etc.).

While I typically do have the compilers and kernel headers installed on general 
purpose servers where I might want to run VMware server or rebuild a source rpm, 
I would not be very comfortable if I did not have a matching test machine where 
I could build and test before trying it in production - and then it would be 
possible to just copy the binary anyway.

-- 
   Les Mikesell
    lesmikesell at gmail.com


More information about the CentOS mailing list