Date: Wed, 16 Jun 2004 16:57:41 -0400 (EDT)
From: Jerry McAllister <jerrymc@clunix.cl.msu.edu>
To: j.e.drews@att.net
Cc: freebsd-questions@freebsd.org
Subject: Re: Should gcc be accessable by others?
Message-ID: <200406162057.i5GKvgm17026@clunix.cl.msu.edu>
In-Reply-To: <061620041608.19913.40D0707D000648FA00004DC921587667559C990A9D0BD20AD206@att.net> from "j.e.drews@att.net" at Jun 16, 2004 04:08:29 PM

>
> Hi:
>
> I see that gcc, g++, and other tools are usable by world (others).
> I was wondering if that is a bad idea as I read here:
> http://www.itworld.com/nl/lnx_sec/09242002/pf_index.html
>
> that the slapper worm used gcc to compile its exploit.
> Excerpt:
> The worm requires gcc to compile the .bugtraq.c file. ....
>
> Is it a good idea to change the permissions on the gcc tools to 750 ? I
> looked through the FreeBSD Handbook and could find no advice on this
> matter. Also are there other tools that should not be available like
> strace? How can I find out which ones are potentially exploitable?
> I am a newcomer to FreeBSD and have been using it for less than a year
> so don't be cross if these questions are naive.

Well, gcc is just a compiler. It is no more or less likely to be used to create a worm or virus than any other development tool - and that includes text editors. If your users are to be allowed to do much of anything on the machine, they can find ways of creating programs. If they are of bad will, then they might create bad programs and try to attack something.

A person doesn't need a compiler to create a worm, though it might make the work easier. If a person is determined enough, they can do it by hand cranking their own binary code. Not many people do it now, but we used to have to work in binary machine code way back in a previous century. It can still be done if someone is of a mind to.

Anyway, a compiler doesn't give a way for someone to break in to your system or any others. Not counting the possibility that the compiler developer did something stupid, which I suppose is possible, the compiler is not a hole in the system that can be exploited. It just converts someone's program code from one form to another. Probably also, most of those exploits that kiddies can download from the net are already compiled anyway and don't even need it to be spread around further.

There are some things like creating accounts and configuring system devices that definitely should be limited to root, but unless you are providing an Email only service or something like that, you kind of have to let your users do real work or there is no reason to have the account on the system.

So, I think worrying about a compiler being available to users on your system is a red herring. Fixing that Linux Slapper worm by getting rid of the compiler is about like trying to prevent auto theft by getting rid of automobile assembly lines. The article mentions other more useful precautions to take as well.

Again, almost any piece of code could be poorly written and might be a security hole, but that hole just needs to be fixed and then it becomes just some more usable utility.

////jerry

>
> Kind regards,
> Jonathan
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>