Explaining the need for a C compiler - to a security group
Poul-Henning Kamp
phk at phk.freebsd.dk
Fri Oct 26 19:44:16 CEST 2007
In message <3ECD7F7DDE95BA4FA598E8DDE71F1A5104AFD024 at nwpsrv08.edj.ad.edwardjones.com>, "Cryer,Phil" writes:
>Can anyone provide a more business sensitive response to "Isn't having a
>C compiler on a prod box a security problem"? While I am in complete
>agreement with the listed response:
>
>"The days when you could prevent people from running non-approved
>programs by removing the C compiler from your system ended roughly with
>the VAX 11/780 computer."
>
>[...]
>
>My reply is, if an attacker is on the box and can compile code, you
>already have more problems to worry about. What other arguments could I
>use?
Isn't that the reply you need? If the attacker can move a source
file onto the box, he could just as well have moved the compiled
binary onto the box.
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
More information about the varnish-misc mailing list