Should gcc be accessable by others?
cswiger at mac.com
Wed Jun 16 10:42:48 PDT 2004
j.e.drews at att.net wrote:
> Is it a good idea to change the permisions on the gcc tools to 750 ? I
> looked through the FreeBSD Handbook and could find no advice on this matter.
Changing gcc to 750 might provide a small benefit to security, but if someone
has enough access to be able to try to run gcc in the first place, they can
probably upload their own compiler if they really wanted to (or more likely, a
precompiled version of whatever tool they wanted to use), or else exploit some
other local vulnerability.
> Also are there other tools that should not be available like strace? How can I
> find out which ones are potentially exploitable?
The ports system provides a mechanism for analysing which programs use
socket() and other system calls and thus may be potentially remotely exploitable.
Anyway, the notion you are looking for is known as "hardening a system", and a
search on that term will probably give you more insight. Basicly, just
changing perms on gcc isn't really enough, but if you take draconian measures
to remove all programs that aren't needed, you can get a minimal system that
is much harder to exploit. Such a system wouldn't be very useable to normal
humans, however, so this is generally done only for firewalls and the like.
More information about the freebsd-questions