Kwan Lowe wrote:
> On Sat, Mar 6, 2010 at 6:02 PM, Dave Stevens <geek at uniserve.com> wrote:
>> I manage a web hosting server that we've recently upgraded, in part so
>> we could accommodate a domain that will enable community mapping. In a
>> recent exchange of mails one developer said:
>>
>>
>> "I could build the package directly on the server machine you have,
>> provided that the potential security risk posed by having compilers
>> installed is not an issue."
>>
>> and another said:
>>
>> "What sort of security risk is there in having compilers installed on a
>> working server?
>>
>> "Obviously we can remove the compilers, however when Mapserver or postgis
>> get updated, we will need to build new packages somewhere. One option:
>> create a second VM for mapchat. We'll put the build environment on it,
>> and only turn it on to make new packages."
>>
>> I don't have enough experience to assess the security issues. Does
>> anyone have an opinion on this? It would be simple and feasible to
>> allocate another domain as suggested above.
>
> Just playing Devil's advocate there...
>
> It's conceivable to be kernel specific code that would need to be
> compiled specifically for a particular system. For example, an exploit
> in a kernel module loader may need to be compiled. If someone had to
> deliver this exploit to many systems they could rely upon the ability
> to compile the code rather than pushing a binary module. The former
> could very well be hidden in some other vector, but the latter would
> likely trip off signature or other scanners.
>
> I'd generally agree with the others though that in itself installing
> the compilers is not a great security risk, provided it's sufficiently
> locked down (e.g., maybe use selinux in addition to basic Unix
> permissions to prevent running from the web accounts, etc.).

While I typically do have the compilers and kernel headers installed on general purpose servers where I might want to run VMware server or rebuild a source rpm, I would not be very comfortable if I did not have a matching test machine where I could build and test before trying it in production - and then it would be possible to just copy the binary anyway.

--
Les Mikesell
lesmikesell at gmail.com