On Fri, 2005-12-09 at 18:21 +0100, Jesús García Crespo wrote: > Hi! I thought that GCC could means a risk if all of the users of my > system are able to run it! I talked this with a friend and he propossed > to create a new group, "compiler", for example, where all the users > who will be able to run gcc must belong to it! > > Wouldn't be interesting to implement this into Gentoo gcc ebuild as an > USE?
Exactly what risk is there from an end-user running a compiler? A compiler doesn't access any kind of restricted environment, doesn't auytomatically create binaries with other rights than its own and is about as "safe" a product as there can be. And if you think that users running their own programs is a risk, simply mount /home as noexec, ( make sure to impose the same limitations on /tmp and /var/tmp as well, since users have write-access there) And.. really. python, perl, awk, bash ... All of those are fully capable of creating and running programs. And no, I do not think you can limit the use thereof from user accounts.: ) If you're really paranoid about execution and so on, start reading the SELinux FAQ and create a ruleset.. The default one is probably more lenient than you want it ;) //Spider -- begin .signature Tortured users / Laughing in pain See Microsoft KB Article Q265230 for more information. end
signature.asc
Description: This is a digitally signed message part
