On Tue, May 02, 2006 at 04:21:41PM +1200, josh wrote: > Hello... > > Some people seem to think that installing a compiler inherently makes > their system less secure... despite never being able to cite any actual > reasons why.
i had a machine get compromised once; now we don't have a compiler on there. was about 7-9 months ago ... there was another host who was compromised and had one of those ssh daemons installed on it where it only lets you do password auth, and if you login successfully, it takes your un/pw and rattles through your local .ssh/known_hosts file to see if it can login successfully to other places in that known_hosts, if so, it tries to see if you have sudo on that other host. if so, it, from what we got post-mortem, d/ls a version of what seemed to me to be openssh portable, compiles/installs that, perhaps after patching it, i don't know for sure, and makes that sshd sit on that remote host waiting to try to propogate. in this case there was a user of machine A who had sudo on B who logged into machine A even tho the hostkey had changed ( liquor... ). i am not asserting that the compromise-pack did not have a precompiled sshd binary for openbsd ( the prior hop up the compromise chain in this case was a debianlinux ), but if it didn't, it may not have rooted machine B. > Personally, I really dont see how a compiler is going to lessen > security, particuarly when they are used to patch the system, But I was > wondering what people here thought? now, for patches, we have a little pentium III/450 sitting beside this host. any time i need to install something, i build it on that host, install it on that host, change DESTDIR to somethin', cd /usr/src/etc make distrib-dirs, cd back to the application who i am patching, make install (into DESTDIR), and then tar up the resulting dir tree. we build packages on there too, if need be, and then when we're done, we shut the power off ( have remote power control ). naturally we've also encouraged any user of machine B to hash their known_hosts file anywhere they can. -- jared [ openbsd 3.9-current GENERIC ( mar 15 ) // i386 ]
