Old 03-06-2010, 10:02 PM
Dave Stevens
 
Default compilers a security risk?

I manage a web hosting server that we've recently upgraded, in part so
we could accommodate a domain that will enable community mapping. In a
recent exchange of mails one developer said:


"I could build the package directly on the server machine you have,
provided that the potential security risk posed by having compilers
installed is not an issue."

and another said:

"What sort of security risk is there in having compilers installed on a
working server?

"Obviously we can remove the compilers, however when Mapserver or postgis
get updated, we will need to build new packages somewhere. One option:
create a second VM for mapchat. We'll put the build environment on it,
and only turn it on to make new packages."

I don't have enough experience to assess the security issues. Does
anyone have an opinion on this? It would be simple and feasible to
allocate another domain as suggested above.

Dave


--
"It is no measure of health to be well adjusted to a profoundly sick society."
Krishnamurti

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 03-06-2010, 10:04 PM
"nate"
 
Default compilers a security risk?

Dave Stevens wrote:

> I don't have enough experience to assess the security issues. Does
> anyone have an opinion on this? It would be simple and feasible to
> allocate another domain as suggested above.

Unless you're running an obscure platform, having a compiler on the
system shouldn't be a big deal; if you can upload source code,
you can upload a precompiled binary.

nate


 
Old 03-07-2010, 02:37 AM
Jim Perrin
 
Default compilers a security risk?

On Sat, Mar 6, 2010 at 6:02 PM, Dave Stevens <geek@uniserve.com> wrote:

> I don't have enough experience to assess the security issues. Does
> anyone have an opinion on this? It would be simple and feasible to
> allocate another domain as suggested above.

The compilers themselves aren't really a security risk, but IF someone
gets into your system, there's no need to provide them with tools they
can use to do their dastardly deeds. I'm a minimalist when it comes to
my production systems. Not having extraneous packages on the system
means (ostensibly) less patching, fewer applications with potential
holes, which in turn means less surface area to attack, etc.


--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
 
Old 03-07-2010, 12:49 PM
Drew
 
Default compilers a security risk?

>> I don't have enough experience to assess the security issues. Does
>> anyone have an opinion on this? It would be simple and feasible to
>> allocate another domain as suggested above.

As was stated by others the compiler itself isn't any more of a
security risk than any other tool. If a hacker can get root he can
just as easily upload binary packages as he can compile source.

That said, I'd still recommend running a second VM as a build
environment. That way if for some reason an update to those custom
packages somehow horribly breaks the entire OS (don't laugh, I've seen
it happen) it's only the build environment you've trashed and not the
production environment.


--
Drew

"Nothing in life is to be feared. It is only to be understood."
--Marie Curie
 
Old 03-07-2010, 01:53 PM
Kwan Lowe
 
Default compilers a security risk?

On Sat, Mar 6, 2010 at 6:02 PM, Dave Stevens <geek@uniserve.com> wrote:
> I manage a web hosting server that we've recently upgraded, in part so
> we could accommodate a domain that will enable community mapping. In a
> recent exchange of mails one developer said:
>
>
> "I could build the package directly on the server machine you have,
> provided that the potential security risk posed by having compilers
> installed is not an issue."
>
> and another said:
>
> "What sort of security risk is there in having compilers installed on a
> working server?
>
> "Obviously we can remove the compilers, however when Mapserver or postgis
> get updated, we will need to build new packages somewhere. One option:
> create a second VM for mapchat. We'll put the build environment on it,
> and only turn it on to make new packages."
>
> I don't have enough experience to assess the security issues. Does
> anyone have an opinion on this? It would be simple and feasible to
> allocate another domain as suggested above.

Just playing Devil's advocate here...

It's conceivable to be kernel specific code that would need to be
compiled specifically for a particular system. For example, an exploit
in a kernel module loader may need to be compiled. If someone had to
deliver this exploit to many systems they could rely upon the ability
to compile the code rather than pushing a binary module. The former
could very well be hidden in some other vector, but the latter would
likely trip off signature or other scanners.

I'd generally agree with the others though that in itself installing
the compilers is not a great security risk, provided it's sufficiently
locked down (e.g., maybe use selinux in addition to basic Unix
permissions to prevent running from the web accounts, etc.).
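The "basic Unix permissions" lockdown suggested in the post above, as an added example that is not part of any message in this thread: it audits which build tools every account (including a web server account) can execute, then restricts them to owner and group. The tool list, the `builders` group name and the constructed demo directory standing in for `/usr/bin` are assumptions.

```shell
#!/bin/sh
# Added example. Assumes GNU stat (as on CentOS); tool list and group name are assumptions.
BUILD_TOOLS="gcc cc g++ c++ cpp as ld make"

# Print "<path> <mode> world-exec|restricted" for each build tool in DIR.
audit_build_tools() {
    dir=$1
    for tool in $BUILD_TOOLS; do
        f="$dir/$tool"
        [ -e "$f" ] || continue
        mode=$(stat -L -c '%a' "$f")   # -L: judge cc by its target, gcc
        if [ $(( 0$mode & 1 )) -ne 0 ]; then
            echo "$f $mode world-exec"
        else
            echo "$f $mode restricted"
        fi
    done
}

# Number of build tools in DIR that any account can execute.
count_world_exec() {
    audit_build_tools "$1" | grep -c 'world-exec$' || true
}

# Drop all access for "other"; on a real host, as root, chgrp to builders (hypothetical) first.
restrict_build_tools() {
    dir=$1
    for tool in $BUILD_TOOLS; do
        f="$dir/$tool"
        if [ -f "$f" ] && [ ! -L "$f" ]; then chmod 0750 "$f"; fi
    done
}

# Constructed stand-in for /usr/bin so the demo runs without root.
demo_tree() {
    d=$(mktemp -d)
    for tool in gcc make; do
        printf '#!/bin/sh\n' > "$d/$tool"
        chmod 0755 "$d/$tool"
    done
    ln -s gcc "$d/cc"
    echo "$d"
}

demo=$(demo_tree)
echo "before: $(count_world_exec "$demo") world-executable"
restrict_build_tools "$demo"
echo "after:  $(count_world_exec "$demo") world-executable"
rm -rf "$demo"
```

An RPM update of a compiler package restores the packaged file mode, so rerun the audit after updates. As other posters in the thread point out, this only raises the bar and does not stop an uploaded binary.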
 
Old 03-07-2010, 02:19 PM
"Geoff Galitz"
 
Default compilers a security risk?

> As was stated by others the compiler itself isn't any more of a
> security risk than any other tool. If a hacker can get root he can
> just as easily upload binary packages as he can compile source.

It is still a wise decision to not have the compiler installed if it can be
avoided. Any hacker that is not at a senior/high end intermediate level of
expertise will not have all the different versions of his rootkit and other
tools easily available for all the different OS distros and kernels that
he'll find on the Internet, so I'd say that most hackers cannot just as
easily upload binary packages because of the wide array of support that he'd
need. Admittedly since CentOS/RHEL is such a big presence there is a higher
degree of likelihood that he'd have the right tools in a binary package at
hand, but he'll still have to expend more time and effort, not to mention
that the uploads are more likely to be noticed.


Making the bar higher, even in little increments, is a basic tenet of
systems security. Never dismiss the power of baby steps.

-geoff




---------------------------------
Geoff Galitz
Blankenheim NRW, Germany
http://www.galitz.org/
http://german-way.com/blog/


 
Old 03-07-2010, 02:35 PM
"nate"
 
Default compilers a security risk?

Geoff Galitz wrote:

> Making the bar higher, even in little increments, is a basic tenet of
> systems security. Never dismiss the power of baby steps.

Keep in mind diminishing returns with those baby steps. Of the
~500-600 systems I've worked on over the past 10 years the only ones
that were confirmed to be compromised were ones that were placed directly
on the internet (not by me), and weren't kept up to date with patches.
I think I worked on 3 such systems.

- keep up to date on patches
- if on the internet, lock ssh down to ssh key auth only, try to
run a tight firewall on other ports.
- don't allow untrusted local accounts
- Run only well tested programs (especially when it comes to webapps) with
a good track record wherever possible
- If at all possible do not put any server directly on the internet
(98% of my systems reside behind load balancers, which is a form
of firewall since only ports that are specifically opened are
allowed through)

To date I haven't needed things like NIDS/HIDS (too many false
positives), or things like SELinux (PITA). After this long, and so
many systems I don't think luck plays a big role at this point. The
servers I manage for my employer receive roughly 2 billion web hits
per day.

If you can manage those things, the chance of being compromised is
practically zero, barring some remote evil organization that has
bad guys specifically out to get you.

nate


 
Old 03-07-2010, 04:24 PM
Marko Vojinovic
 
Default compilers a security risk?

On Sunday 07 March 2010 03:35:43 pm nate wrote:
> The
> servers I manage for my employer receive roughly 2 billion web hits
> per day.

2 billion per day? That's 20 000 hits per second, on average. How many servers
do you actually have behind load-balancers to deal with this kind of activity?
And also, what are you maintaining? Google?

Best, :-)
Marko

 
Old 03-07-2010, 04:54 PM
Les Mikesell
 
Default compilers a security risk?

Kwan Lowe wrote:
> On Sat, Mar 6, 2010 at 6:02 PM, Dave Stevens <geek@uniserve.com> wrote:
>> I manage a web hosting server that we've recently upgraded, in part so
>> we could accommodate a domain that will enable community mapping. In a
>> recent exchange of mails one developer said:
>>
>>
>> "I could build the package directly on the server machine you have,
>> provided that the potential security risk posed by having compilers
>> installed is not an issue."
>>
>> and another said:
>>
>> "What sort of security risk is there in having compilers installed on a
>> working server?
>>
>> "Obviously we can remove the compilers, however when Mapserver or postgis
>> get updated, we will need to build new packages somewhere. One option:
>> create a second VM for mapchat. We'll put the build environment on it,
>> and only turn it on to make new packages."
>>
>> I don't have enough experience to assess the security issues. Does
>> anyone have an opinion on this? It would be simple and feasible to
>> allocate another domain as suggested above.
>
> Just playing Devil's advocate here...
>
> It's conceivable to be kernel specific code that would need to be
> compiled specifically for a particular system. For example, an exploit
> in a kernel module loader may need to be compiled. If someone had to
> deliver this exploit to many systems they could rely upon the ability
> to compile the code rather than pushing a binary module. The former
> could very well be hidden in some other vector, but the latter would
> likely trip off signature or other scanners.
>
> I'd generally agree with the others though that in itself installing
> the compilers is not a great security risk, provided it's sufficiently
> locked down (e.g., maybe use selinux in addition to basic Unix
> permissions to prevent running from the web accounts, etc.).

While I typically do have the compilers and kernel headers installed on general
purpose servers where I might want to run VMware server or rebuild a source rpm,
I would not be very comfortable if I did not have a matching test machine where
I could build and test before trying it in production - and then it would be
possible to just copy the binary anyway.

--
Les Mikesell
lesmikesell@gmail.com
 
Old 03-07-2010, 05:39 PM
JohnS
 
Default compilers a security risk?

On Sun, 2010-03-07 at 17:24 +0000, Marko Vojinovic wrote:
> On Sunday 07 March 2010 03:35:43 pm nate wrote:
> > The
> > servers I manage for my employer receive roughly 2 billion web hits
> > per day.
>
> 2 billion per day? That's 20 000 hits per second, on average. How many servers
> do you actually have behind load-balancers to deal with this kind of activity?
> And also, what are you maintaining? Google?
>
---
And do your ssh machines get hammered? I see that daily on some of my
clients. The longest attack yet I have seen in the log files was 37
hours straight. All use key auth also though. These do not have such
as fail2ban or iptables limiting. I have always seen those types of
schemes to be hindering security. Thus adding in more problems. I will
admit the machine that was attacked for 37 hours was a CentOS 5.2 OS.
So someone at OSCent is doing something right or I was.

John
