[CentOS] compilers a security risk?

[Kwan Lowe]

On Sat, Mar 6, 2010 at 6:02 PM, Dave Stevens <geek at uniserve.com> wrote:
> I manage a web hosting server that we've recently upgraded, in part so
> we could accommodate a domain that will enable community mapping. In a
> recent exchange of mails one developer said:
>
>
> "I could build the package directly on the server machine you have,
> provided that the potential security risk posed by having compilers
> installed is not an issue."
>
> and another said:
>
> "What sort of security risk is there in having compilers installed on a
> working server?
>
> "Obviously we can remove the compilers, however when Mapserver or postgis
> get updated, we will need to build new packages somewhere. One option:
> create a second VM for mapchat. We'll put the build environment on it,
> and only turn it on to make new packages."
>
> I don't have enough experience to assess the security issues. Does
> anyone have an opinion on this? It would be simple and feasible to
> allocate another domain as suggested above.

Just playing Devil's advocate htere...

It's conceivable to be kernel specific code that would need to be
compiled specifically for a particular system. For example, an exploit
in a kernel module loader may need to be compiled. If someone had to
deliver this exploit to many systems they could rely upon the ability
to compile the code rather than pushing a binary module. The former
could very well be hidden in some other vector, but the latter would
likely trip off signature or other scanners.

I'd generally agree with the others though that in itself installing
the compilers is not a great security risk, provided it's sufficiently
locked down (e.g., maybe use selinux in addition to basic Unix
permissions to prevent running from the web accounts, etc.).