[LRUG] Compiling native extensions during deployment?
Daniel Barlow
dan at telent.net
Fri Oct 21 05:11:45 PDT 2011
On Fri, Oct 21, 2011 at 11:47 AM, Paul Battley <pbattley at gmail.com> wrote:
> On 21 October 2011 07:40, David Waller <david.a.waller at btinternet.com> wrote:
>> So are there good security reasons - theoretical or born out of studies of
>> exploits in the wild for not having a compiler around?
>
> I wonder about this too: if you can write to disk, you can get a small
> compiler like TCC (100 kB!) on there, so not having a C compiler isn't
> a huge limitation to a hypothetical miscreant.
Well, if you can write to disk _and the filesystem is not mounted
no-exec_, yes - or you can just upload a binary you created elsewhere
and run that. But, assuming that the host has ruby installed you
already have the full powers of Kernel#syscall at your disposal, so if
you really want to you can do anything that your unix uid has
permissions to do anyway.
That said I can understand why ops people want to avoid installing
compilers anyway, just because it makes life harder for the script
kiddies. Security through obscurity is no real security, but some
additional hoops to make people jump through might just save your
bacon if your proper security measures turn out to be lacking
-dan
More information about the Chat
mailing list