Re: Building amd64 kernels on i386
On Wed, 2005-11-30 at 16:57 +0100, Goswin von Brederlow wrote:
> Brice Figureau <email@example.com> writes:
> > I own an amd64 server on which no gcc environment has been installed for
> > security reasons.
> Point out to the server admin that not having a gcc is just stupid and
> not a security measure.
First, that's not the point of my question ;-)
Just to argue a little bit, security is a matter of aligning different
layers of protection. When one fails, you still can reside on the others
to protect you.
Not having gcc on a machine is imho a quite good layer of protection, as
it will defeat any rootkit script that compiles some custom tools (trust
me there are more than you would have thought first, I just got my eyes
on one a few days ago that wanted to be installed through a mambo
This idea is also suggested in Securing Debian Manual, section 3.7.
Comparing pros and cons of not having a gcc installed, on this
particular server I never had to compile anything (except a new kernel)
in a one year time-frame, since I can almost get everything packaged and
scp'ed to the machine...
Anyway, if I can't cross-compile on i386, I'll end up having a gcc on