Kwan Lowe wrote:
> On Sat, Mar 6, 2010 at 6:02 PM, Dave Stevens geek@uniserve.com wrote:
> > I manage a web hosting server that we've recently upgraded, in part so we could accommodate a domain that will enable community mapping. In a recent exchange of mails one developer said:
> > "I could build the package directly on the server machine you have, provided that the potential security risk posed by having compilers installed is not an issue."
> > and another said:
> > "What sort of security risk is there in having compilers installed on a working server?
> > "Obviously we can remove the compilers, however when Mapserver or postgis get updated, we will need to build new packages somewhere. One option: create a second VM for mapchat. We'll put the build environment on it, and only turn it on to make new packages."
> > I don't have enough experience to assess the security issues. Does anyone have an opinion on this? It would be simple and feasible to allocate another domain as suggested above.
> Just playing Devil's advocate there...
> It's conceivable that there could be kernel-specific code that would need to be compiled specifically for a particular system. For example, an exploit in a kernel module loader may need to be compiled. If someone had to deliver this exploit to many systems they could rely upon the ability to compile the code rather than pushing a binary module. The former could very well be hidden in some other vector, but the latter would likely trip off signature or other scanners.
> I'd generally agree with the others though that in itself installing the compilers is not a great security risk, provided it's sufficiently locked down (e.g., maybe use SELinux in addition to basic Unix permissions to prevent running from the web accounts, etc.).
While I typically do have the compilers and kernel headers installed on general purpose servers where I might want to run VMware server or rebuild a source rpm, I would not be very comfortable if I did not have a matching test machine where I could build and test before trying it in production - and then it would be possible to just copy the binary anyway.
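The "lock it down with basic Unix permissions" option raised above, as an added example that is not from anyone in this thread: a small POSIX shell script that audits which toolchain binaries in a directory are executable by "other" (which is what a web service account usually is) and then tightens them so only the owner and a build group can run them. The group name "builders", the list of binary names and the stand-in files created by the demo are all constructed for the example; the real toolchain lives under /usr/bin and the script only touches the directory you pass it.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit and restrict
# execute permission on compiler/toolchain binaries so that accounts
# outside a build group (e.g. web service users) cannot run them.
# Assumption: a group for people allowed to build (here "builders") exists;
# the chgrp step is skipped when it does not.

# mode_of FILE -> octal permission bits such as 755 (GNU stat, BSD stat fallback)
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# count_world_exec DIR NAME... -> prints how many of the named binaries in DIR
# exist and carry the execute bit for "other"; each offender is listed on stderr.
count_world_exec() {
  dir="$1"; shift
  n=0
  for name in "$@"; do
    path="$dir/$name"
    [ -e "$path" ] || continue
    mode=$(mode_of "$path")
    other=$(( mode % 10 ))           # last octal digit = permissions for "other"
    if [ $(( other & 1 )) -ne 0 ]; then
      echo "$path is world-executable (mode $mode)" >&2
      n=$(( n + 1 ))
    fi
  done
  echo "$n"
}

# restrict_compilers DIR GROUP NAME... -> give the binaries to GROUP (if that
# group exists on the host) and drop read/execute for "other", so only the
# owner (root) and members of GROUP can run them.
restrict_compilers() {
  dir="$1"; group="$2"; shift 2
  for name in "$@"; do
    path="$dir/$name"
    [ -e "$path" ] || continue
    if getent group "$group" >/dev/null 2>&1; then
      chgrp "$group" "$path" || echo "warning: chgrp failed for $path" >&2
    fi
    chmod o-rx "$path"
  done
}

# Demonstration on a constructed directory of stand-in scripts (not real
# compilers), so running this file never touches the host's own toolchain.
demo() {
  tmp=$(mktemp -d)
  for b in gcc cc as ld; do
    printf '#!/bin/sh\nexit 0\n' > "$tmp/$b"
    chmod 755 "$tmp/$b"               # typical distro default: world-executable
  done
  echo "before: $(count_world_exec "$tmp" gcc cc as ld make) world-executable"
  restrict_compilers "$tmp" builders gcc cc as ld make
  echo "after:  $(count_world_exec "$tmp" gcc cc as ld make) world-executable"
  rm -rf "$tmp"
}
demo
```

To audit a real host, call `count_world_exec /usr/bin gcc cc c++ g++ as ld make` as root and, if the count is non-zero, `restrict_compilers /usr/bin builders gcc cc c++ g++ as ld make`. Note that package upgrades will reinstall the binaries with their default modes, so the audit is worth re-running after updates; this permission-only approach also does nothing against a binary copied in from elsewhere, which is the point made above about a separate build machine.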