Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 16 Jun 2004 13:42:14 -0400
From:      Chuck Swiger <cswiger@mac.com>
To:        j.e.drews@att.net
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Should gcc be accessable by others?
Message-ID:  <40D08676.3080501@mac.com>
In-Reply-To: <061620041608.19913.40D0707D000648FA00004DC921587667559C990A9D0BD20AD206@att.net>
References:  <061620041608.19913.40D0707D000648FA00004DC921587667559C990A9D0BD20AD206@att.net>

next in thread | previous in thread | raw e-mail | index | archive | help
j.e.drews@att.net wrote:
> Is it a good idea to change the permisions on the gcc tools to 750 ? I
> looked through the FreeBSD Handbook and could find no advice on this matter.

Changing gcc to 750 might provide a small benefit to security, but if someone 
has enough access to be able to try to run gcc in the first place, they can 
probably upload their own compiler if they really wanted to (or more likely, a 
precompiled version of whatever tool they wanted to use), or else exploit some 
other local vulnerability.

> Also are there other tools that should not be available like strace? How can I
> find out which ones are potentially exploitable?

The ports system provides a mechanism for analysing which programs use 
socket() and other system calls and thus may be potentially remotely exploitable.

Anyway, the notion you are looking for is known as "hardening a system", and a 
search on that term will probably give you more insight.  Basicly, just 
changing perms on gcc isn't really enough, but if you take draconian measures 
to remove all programs that aren't needed, you can get a minimal system that 
is much harder to exploit.  Such a system wouldn't be very useable to normal 
humans, however, so this is generally done only for firewalls and the like.

-- 
-Chuck



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40D08676.3080501>