Date: Thu, 11 May 2000 21:04:46 -0700 From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca> To: matt@csis.gvsu.edu Cc: Derek Werthmuller <dwerthmu@ctg.albany.edu>, freebsd-security@FreeBSD.ORG Subject: Re: Applying patches with out a compiler Message-ID: <200005120405.e4C45S938145@cwsys.cwsent.com> In-Reply-To: Your message of "Thu, 11 May 2000 15:15:44 EDT." <20000511151544.A6826@contempt.badmofo.net>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <20000511151544.A6826@contempt.badmofo.net>, matt@csis.gvsu.edu writ es: > It took Derek Werthmuller 17 lines to say: > > I'm interested in applying standard "Release" versions of FreeBSD with out > > using a compiler in the system. I generaly don't advise leaving a working > > compiler in say a firewall or a hardened system. I know that I can have a > > seperate system that I can use to connect via CVS and use that to update th > e > > hardened systems. But doesn't that just keep my sources up to date and I > > still need to build/build world every so often? Is there another way to > > apply the security related patches ? > > How about 'chmod 500 /usr/bin/{cc,ld}' and do your 'make world's as root? > If an attacker has root, using the compiler is the least of your worrys. All an attacker would need to do is ftp a C compiler from another system or better yet ftp the binaries required to compromise your system from another system. A better approach would be to make key (or all system) files immutable and your logs append only and run your system at securelevel 2 or 3. This wouldn't necessarily stop anyone from breaking root but it would limit the damage. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/DEC Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200005120405.e4C45S938145>