[LRUG] Compiling native extensions during deployment?

gareth rushgrove gareth.rushgrove at gmail.com
Sun Oct 23 01:57:08 PDT 2011 

On 21 October 2011 13:11, Daniel Barlow <dan at telent.net> wrote:
> On Fri, Oct 21, 2011 at 11:47 AM, Paul Battley <pbattley at gmail.com> wrote:
>> On 21 October 2011 07:40, David Waller <david.a.waller at btinternet.com> wrote:
>>> So are there good security reasons - theoretical or born out of studies of
>>> exploits in the wild for not having a compiler around?
>>
>> I wonder about this too: if you can write to disk, you can get a small
>> compiler like TCC (100 kB!) on there, so not having a C compiler isn't
>> a huge limitation to a hypothetical miscreant.
>
> Well, if you can write to disk _and the filesystem is not mounted
> no-exec_, yes -  or you can just upload a binary you created elsewhere
> and run that.  But, assuming that the host has ruby installed you
> already have the full powers of Kernel#syscall at your disposal, so if
> you really want to you can do anything that your unix uid has
> permissions to do anyway.
>

It's one piece in a wider lock down approach too. This post referring
to Python apps (but still relevant) touches on it.

http://www.brunton-spall.co.uk/post/2011/01/26/packaging-and-deploying-python-web-apps/

If the box in question can also not talk out to the internet an
attacker will find it more difficult to get anything (like a binary)
onto the machine in question. Syscall might allow an attacker to
execute code, but without a compiler tool chain they couldn't rebuild
your kernel for instance.

G

> That said I can understand why ops people want to avoid installing
> compilers anyway, just because it makes life harder for the script
> kiddies.  Security through obscurity is no real security, but some
> additional hoops to make people jump through might just save your
> bacon if your proper security measures turn out to be lacking
>
> -dan
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>



-- 
Gareth Rushgrove
Web Geek

morethanseven.net
garethrushgrove.com

More information about the Chat mailing list