Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 11 May 2000 21:04:46 -0700
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        matt@csis.gvsu.edu
Cc:        Derek Werthmuller <dwerthmu@ctg.albany.edu>, freebsd-security@FreeBSD.ORG
Subject:   Re: Applying patches with out a compiler 
Message-ID:  <200005120405.e4C45S938145@cwsys.cwsent.com>
In-Reply-To: Your message of "Thu, 11 May 2000 15:15:44 EDT." <20000511151544.A6826@contempt.badmofo.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
In message <20000511151544.A6826@contempt.badmofo.net>, 
matt@csis.gvsu.edu writ
es:
> It took Derek Werthmuller 17 lines to say:
> > I'm interested in applying standard "Release" versions of FreeBSD with out
> > using a compiler in the system.  I generaly don't advise leaving a working
> > compiler in say a firewall or a hardened system.  I know that I can have a
> > seperate system that I can use to connect via CVS and use that to update th
> e
> > hardened systems. But doesn't that just keep my sources up to date and I
> > still need to build/build world every so often?   Is there another way to
> > apply the security related patches ?
> 
> How about 'chmod 500 /usr/bin/{cc,ld}' and do your 'make world's as root?
> If an attacker has root, using the compiler is the least of your worrys.

All an attacker would need to do is ftp a C compiler from another 
system or better yet ftp the binaries required to compromise your 
system from another system.

A better approach would be to make key (or all system) files immutable 
and your logs append only and run your system at securelevel 2 or 3.  
This wouldn't necessarily stop anyone from breaking root but it would 
limit the damage.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200005120405.e4C45S938145>