Explaining the need for a C compiler - to a security group

Poul-Henning Kamp phk at phk.freebsd.dk
Fri Oct 26 19:44:16 CEST 2007

In message <3ECD7F7DDE95BA4FA598E8DDE71F1A5104AFD024 at nwpsrv08.edj.ad.edwardjone
s.com>, "Cryer,Phil" writes:

>Can anyone provide a more business sensitive response to "Isn't having a
>C compiler on a prod box a security problem"?  While I am in complete
>agreement with the listed response:
>"The days when you could prevent people from running non-approved
>programs by removing the C compiler from your system ended roughly with
>the VAX 11/780 computer."
>My reply is, if an attacker is on the box and can compile code, you
>already have more problems to worry about.  What other arguments could I

Isn't that the reply you need ?  If the attacker can move a source
file onto the box, he could just as well have moved the compiled
binary onto the box.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

More information about the varnish-misc mailing list