[LRUG] Compiling native extensions during deployment?

David Waller david.a.waller at btinternet.com
Thu Oct 20 23:40:38 PDT 2011


Forgive me if I'm questioning something that is widely accepted by anyone with any knowledge of security, but why does having the compiler toolchain installed create security problems?  


I can see the obvious answer - if some miscreant gains access to your server then they can build themselves sharper sticks to poke at other servers in your network.  But is it true that without build tools the attack would be much less effective?  My probably naive assumption is that they can probably trash that compromised server without build tools, and if they've got through your DMZ you're in real trouble, compilers or not.


So are there good security reasons - theoretical or born out of studies of exploits in the wild for not having a compiler around?

Thanks,

David




>________________________________
>From: Daniel Lucraft <dan.lucraft at gmail.com>
>To: London Ruby Users Group <chat at lists.lrug.org>
>Sent: Thursday, 20 October 2011, 14:38
>Subject: [LRUG] Compiling native extensions during deployment?
>
>
>Hi all, 
>
>
>question about the current Ruby Way. We're moving to Bundler, and it seems the thing to do is to run "bundle install --deployment" when deploying, which will install the gems from vendor/cache into vendor/bundle.
>
>
>Fine. Except what do we do with native extensions? We're not wild about having the compiler toolchain installed on all our appservers, partly for security reasons.
>
>
>Is there something obvious we're missing about how to deploy native extensions with bundler?
>
>
>thanks
>Dan
>
>
>
>
>__________________________
>Daniel Lucraft
>
>
>danlucraft.com/blog
>twitter.com/danlucraft
>
>
>_______________________________________________
>Chat mailing list
>Chat at lists.lrug.org
>http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lrug.org/pipermail/chat-lrug.org/attachments/20111021/7e340b41/attachment.html>


More information about the Chat mailing list