Date: Wed, 16 Jun 2004 13:42:14 -0400 From: Chuck Swiger <cswiger@mac.com> To: j.e.drews@att.net Cc: freebsd-questions@freebsd.org Subject: Re: Should gcc be accessable by others? Message-ID: <40D08676.3080501@mac.com> In-Reply-To: <061620041608.19913.40D0707D000648FA00004DC921587667559C990A9D0BD20AD206@att.net> References: <061620041608.19913.40D0707D000648FA00004DC921587667559C990A9D0BD20AD206@att.net>
next in thread | previous in thread | raw e-mail | index | archive | help
j.e.drews@att.net wrote: > Is it a good idea to change the permisions on the gcc tools to 750 ? I > looked through the FreeBSD Handbook and could find no advice on this matter. Changing gcc to 750 might provide a small benefit to security, but if someone has enough access to be able to try to run gcc in the first place, they can probably upload their own compiler if they really wanted to (or more likely, a precompiled version of whatever tool they wanted to use), or else exploit some other local vulnerability. > Also are there other tools that should not be available like strace? How can I > find out which ones are potentially exploitable? The ports system provides a mechanism for analysing which programs use socket() and other system calls and thus may be potentially remotely exploitable. Anyway, the notion you are looking for is known as "hardening a system", and a search on that term will probably give you more insight. Basicly, just changing perms on gcc isn't really enough, but if you take draconian measures to remove all programs that aren't needed, you can get a minimal system that is much harder to exploit. Such a system wouldn't be very useable to normal humans, however, so this is generally done only for firewalls and the like. -- -Chuck
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40D08676.3080501>