
Re: Building amd64 kernels on i386



On Wed, 2005-11-30 at 16:57 +0100, Goswin von Brederlow wrote:
> Brice Figureau <brice+debian@daysofwonder.com> writes:
> > I own an amd64 server on which no gcc environment has been installed for
> > security reasons.
>
> Point out to the server admin that not having a gcc is just stupid and
> not a security measure.

First, that's not the point of my question ;-)

Just to argue a little bit, security is a matter of aligning different
layers of protection. When one fails, you still can rely on the others
to protect you.

Not having gcc on a machine is imho a quite good layer of protection, as
it will defeat any rootkit script that compiles some custom tools (trust
me there are more than you would have thought at first, I just got my eyes
on one a few days ago that wanted to be installed through a mambo
server).

This idea is also suggested in Securing Debian Manual, section 3.7[1].

Comparing pros and cons of not having a gcc installed, on this
particular server I never had to compile anything (except a new kernel)
in a one-year time frame, since I can almost get everything packaged and
scp'ed to the machine...

Anyway, if I can't cross-compile on i386, I'll end up having a gcc on
the server...

[1]http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s3.7
-- 
Brice Figureau


