
Re: Building amd64 kernels on i386



Brice Figureau <brice+debian@daysofwonder.com> writes:

> On Wed, 2005-11-30 at 16:57 +0100, Goswin von Brederlow wrote:
>> Brice Figureau <brice+debian@daysofwonder.com> writes:
>> > I own an amd64 server on which no gcc environment has been installed for
>> > security reasons.
>>
>> Point out to the server admin that not having a gcc is just stupid and
>> not a security measure.
>
> First, that's not the point of my question ;-)
>
> Just to argue a little bit, security is a matter of aligning different
> layers of protection. When one fails, you can still rely on the others
> to protect you.
>
> Not having gcc on a machine is imho a quite good layer of protection, as
> it will defeat any rootkit script that compiles some custom tools (trust
> me, there are more than you would have thought at first; I just got my eyes
> on one a few days ago that wanted to be installed through a mambo
> server).
>
> This idea is also suggested in Securing Debian Manual, section 3.7[1].

Create a chroot with gcc and only mount it when you need it or install
gcc when needed and remove it after or only give rights for gcc to
group src. There are other ways for it.

> Comparing pros and cons of not having a gcc installed, on this
> particular server I never had to compile anything (except a new kernel)
> in a one year time-frame, since I can almost get everything packaged and
> scp'ed to the machine...

Hehe, unless it is your only amd64 system.

> Anyway, if I can't cross-compile on i386, I'll end up having a gcc on
> the server...

The amd64 kernel-image package had wrapper scripts in it to allow
cross-compiling using the 32bit gcc. That was a bit of a hack and there
should be a better way to do it. The newer linux kernel package
doesn't contain the hack and nobody has spent much time in finding
something better yet.

You are welcome to try (or use the old hack). But 'apt-get install
gcc, make-kpkg ...; apt-get remove gcc' is way easier.

MfG
        Goswin
