NetNeanderthal wrote:
On 8/24/06, Anton Karpov wrote:
Removing the compiler doesn't bring much more security to your system, but it can make it a little bit safer. Very little bit, but safer. I mean, if your system has a local root hole, for example, in this case the cracker should compile his sploit somewhere outside your box and transfer the binary file onto it; thus, it takes more time than "cat > /tmp/.spl01t.c && gcc /tmp/.spl01t.c && ./a.out". And usually, crackers are limited in time resources.
This patently futile measure contributes zero security to the system
and it does not make the system even 'a little bit safer'. Please
substantiate your claim based on the security record of a large
Redmond-based OS that is distributed sans compiler.
Disclaimer - I manage only a few, non-critical machines, and am at best
a journeyman OpenBSD user.
I like the point that Bruce Schneier often makes: security is about risk
versus cost (or benefit versus cost). For different companies and
different admins, these two choices have a different benefit and cost:
having a compiler on a production machine or having to maintain another
machine for performing make release (or whatever other method you prefer
to use to upgrade - copy binaries, etc).
If you don't have a second machine upon which to make release, then
having the compiler on the production machine is acceptable because
being able to patch the machine outweighs not having the compiler in
terms of security benefit. As Nick said, if not having the compiler
means you don't upgrade, then that's a pretty heavy risk for whatever
benefit you do realize.
I realize that this is a simplified way of looking at it, and there are
other considerations (physical access to upgrade versus remote access,
downtime needed, etc) but in the end any good business decision is
risk/benefit versus cost. I don't think any of the methods that have
been discussed are wrong or right; each is correct according to the
decisions that the admins have made for their own machines.
Personally, I like to use make release, as I was pointed towards that
method here once and it's worked for me. To each their own.
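Whichever side of the argument an admin lands on, the first step is knowing which build tools a production host actually has. The following POSIX sh function is an added example written for this page, not code posted by anyone in the thread: it reports which compiler front-ends, assembler, linker and make are installed in the directories given (defaulting to the components of $PATH). The tool list in BUILD_TOOLS is an assumption; extend it for your platform (interpreters such as perl or python would be reasonable additions if you care about scripted rather than compiled payloads).

```shell
#!/bin/sh
# Added example, not from the thread: list build tools present in the
# given directories, or in $PATH when no directories are given.
# Usage: list_build_tools [dir ...]
# Prints one path per line; exit status 1 when no tool was found.

# Assumed tool list; adjust for the platforms you run.
BUILD_TOOLS="cc gcc clang c++ g++ as ld make"

list_build_tools() {
    if [ $# -eq 0 ]; then
        # Split $PATH on ':' into the function's positional parameters.
        oldifs=$IFS
        IFS=:
        set -- $PATH
        IFS=$oldifs
    fi
    found=0
    for tool in $BUILD_TOOLS; do
        for dir in "$@"; do
            # Regular, executable file only; ignore directories named "cc" etc.
            if [ -f "$dir/$tool" ] && [ -x "$dir/$tool" ]; then
                printf '%s\n' "$dir/$tool"
                found=1
                break   # first hit in search order wins, like $PATH lookup
            fi
        done
    done
    [ "$found" -eq 1 ]
}
```

Run it as `list_build_tools` on a host you believe is compiler-free; a non-zero exit confirms none of the listed names is reachable in the directories checked. It deliberately follows $PATH order, so a stray toolchain under /usr/local/bin shows up the same way it would for an attacker with a shell.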