From owner-freebsd-security Thu May 11 21:06:26 2000
Delivered-To: freebsd-security@freebsd.org
Message-Id: <200005120405.e4C45S938145@cwsys.cwsent.com>
X-Mailer: exmh version 2.1.1 10/15/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 4.0-STABLE
To: matt@csis.gvsu.edu
Cc: Derek Werthmuller, freebsd-security@FreeBSD.ORG
Subject: Re: Applying patches with out a compiler
In-reply-to: Your message of "Thu, 11 May 2000 15:15:44 EDT." <20000511151544.A6826@contempt.badmofo.net>
Date: Thu, 11 May 2000 21:04:46 -0700
Sender: owner-freebsd-security@FreeBSD.ORG

In message <20000511151544.A6826@contempt.badmofo.net>, matt@csis.gvsu.edu writes:
> It took Derek Werthmuller 17 lines to say:
> > I'm interested in applying standard "Release" versions of FreeBSD without
> > using a compiler in the system. I generally don't advise leaving a working
> > compiler in say a firewall or a hardened system. I know that I can have a
> > separate system that I can use to connect via CVS and use that to update the
> > hardened systems. But doesn't that just keep my sources up to date and I
> > still need to build/build world every so often? Is there another way to
> > apply the security related patches?
>
> How about 'chmod 500 /usr/bin/{cc,ld}' and do your 'make world's as root?
> If an attacker has root, using the compiler is the least of your worries.

All an attacker would need to do is ftp a C compiler from another system or,
better yet, ftp the binaries required to compromise your system from another
system. A better approach would be to make key (or all system) files immutable
and your logs append only and run your system at securelevel 2 or 3. This
wouldn't necessarily stop anyone from breaking root but it would limit the
damage.

Regards,                           Phone:    (250)387-8437
Cy Schubert                        Fax:      (250)387-5766
Team Leader, Sun/DEC Team          Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
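The hardening Cy describes (immutable system files, append-only logs, a raised securelevel), written out as an added sh example for a FreeBSD host; it is not code from the thread or from the FreeBSD project, and the path lists, the use of sysrc(8) to edit rc.conf, and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): apply the schg/sappnd flags
# and securelevel that Cy recommends on a FreeBSD system.
# Assumed: typical FreeBSD paths; sysrc(8) available to edit /etc/rc.conf.

# Directories whose contents become immutable (schg): nothing under them
# can be modified, renamed or unlinked while the flag is set.
IMMUTABLE="/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec /boot/kernel"

# Logs that become append-only (sappnd): writes go to the end, existing
# entries cannot be truncated or edited in place.
APPEND_ONLY="/var/log/messages /var/log/auth.log /var/log/security"

# Emit the hardening plan, one command per line, so it can be reviewed
# before it touches a live host.
plan_hardening() {
    for p in $IMMUTABLE; do
        echo "chflags -R schg $p"
    done
    for f in $APPEND_ONLY; do
        echo "chflags sappnd $f"
    done
    # Raise kern.securelevel to 2 at boot: once the system is at securelevel
    # 1 or higher the schg/sappnd flags cannot be cleared, and level 2 also
    # blocks writes to raw disk devices. Level 3 additionally freezes the
    # packet filter rules, which is the other value Cy mentions.
    echo "sysrc kern_securelevel_enable=YES kern_securelevel=2"
}

# Run the plan; with DRY_RUN=1 the commands are only printed.
apply_hardening() {
    plan_hardening | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Number of chflags operations the plan contains (used as a sanity check).
count_chflags() {
    plan_hardening | grep -c '^chflags'
}

[ "${DRY_RUN:-0}" = 1 ] && apply_hardening
```

Because schg cannot be removed at securelevel 1 or higher, the machine has to be dropped to single-user mode (securelevel -1) to install patched binaries, which is the trade-off against the "apply patches without a compiler" question that started the thread.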