Date: Wed, 09 Jul 2003 12:29:21 +1000
From: Gregory Bond <gnb@itga.com.au>
To: Paul Smith <paul@cnt.org>
Cc: freebsd-stable@freebsd.org
Subject: Re: Hardening production servers
Message-ID: <200307090229.MAA09700@lightning.itga.com.au>
In-Reply-To: Your message of Tue, 08 Jul 2003 20:29:43 -0500.

paul@cnt.org said:
> Say a system like this were put into place to support existing
> production servers. What's the cleanest/most elegant/least
> destabilizing way to remove the compiler tools on those machines?

It's not supported out of the box as far as I can see. One approach is like this:

- Add new variable NO_COMPILERS to /etc/make.conf on all the client machines
- Go through the Makefiles and add code to drop the compiler tools if this variable is defined. Look for example at how NO_CVS is implemented in src/gnu/usr.bin/Makefile and work from that.
- You'll have to manually rm the tools from the existing client machines as this change won't delete old ones, it'll just not install new ones.
- You might like to also define NOINSTALLLIB and NOPROFILE on the client make.conf to not install all the .a and _p.a libraries (see /usr/share/mk/bsd.lib.mk).

Even easier might be to maintain a list of files you don't want on the client machines and then rm them after every installworld (you could automate this in the /usr/src/Makefile).
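
The last suggestion in the message above, a list of unwanted files removed after every installworld, could be scripted along these lines. This is an added example, not part of the original e-mail or of the FreeBSD source tree; the function name prune_files, the list format and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prune listed files from a tree after installworld.
# prune_files ROOT LIST
#   ROOT  tree to prune ("/" on a live client, or a staging directory)
#   LIST  file with one absolute path per line; blank lines and # comments skipped
# Prints one status line per entry; returns 1 if any entry was refused.
prune_files() {
    root=${1%/}; list=$2; rc=0
    while IFS= read -r path || [ -n "$path" ]; do
        case $path in
            ''|'#'*) continue ;;
            */..|*/../*) echo "REFUSED $path (contains ..)"; rc=1; continue ;;
            /*) ;;
            *) echo "REFUSED $path (not absolute)"; rc=1; continue ;;
        esac
        target=$root$path
        if [ -d "$target" ] && [ ! -L "$target" ]; then
            # Never recurse: a directory in the list is treated as a mistake.
            echo "REFUSED $path (is a directory)"; rc=1
        elif [ -e "$target" ] || [ -L "$target" ]; then
            rm -f -- "$target" && echo "REMOVED $path"
        else
            echo "ABSENT  $path"
        fi
    done < "$list"
    return "$rc"
}

# Constructed demonstration: a throwaway tree standing in for a client root.
demo=$(mktemp -d)
mkdir -p "$demo/usr/bin" "$demo/usr/lib"
touch "$demo/usr/bin/cc" "$demo/usr/bin/gcc" "$demo/usr/bin/ls"
cat > "$demo/prune.list" <<'EOF'
# constructed sample list, not a complete inventory of compiler tools
/usr/bin/cc
/usr/bin/gcc
/usr/bin/c++
/usr/lib
/usr/bin/../../etc/passwd
EOF
prune_files "$demo" "$demo/prune.list" || echo "some entries were refused"
rm -rf "$demo"
```

The ABSENT lines double as a check that a later installworld has not put a listed tool back: on a correctly pruned machine every entry reports ABSENT.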