[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Compilers make a system less secure?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Compilers make a system less secure?
- From: jared r r spiegel <jrrs_(_at_)_ice-nine_(_dot_)_org>
- Date: Tue, 2 May 2006 09:33:48 -0400
On Tue, May 02, 2006 at 04:21:41PM +1200, josh wrote:
> Some people seem to think that installing a compiler inherently makes
> their system less secure... despite never being able to cite any actual
> reasons why.
i had a machine get compromised once; now we don't have a compiler
was about 7-9 months ago ... there was another host who was
compromised and had one of those ssh daemons installed on it where
it only lets you do password auth, and if you login successfully,
it takes your un/pw and rattles through your local .ssh/known_hosts
file to see if it can login successfully to other places in that
known_hosts, if so, it tries to see if you have sudo on that other
if so, it, from what we got post-mortem, d/ls a version of what
seemed to me to be openssh portable, compiles/installs that,
perhaps after patching it, i don't know for sure,
and makes that sshd sit on that remote host waiting to try to
in this case there was a user of machine A who had sudo on B
who logged into machine A even tho the hostkey had changed
( liquor... ).
i am not asserting that the compromise-pack did not have
a precompiled sshd binary for openbsd ( the prior hop
up the compromise chain in this case was a debianlinux ),
but if it didn't, it may not have rooted machine B.
> Personally, I really dont see how a compiler is going to lessen
> security, particuarly when they are used to patch the system, But I was
> wondering what people here thought?
now, for patches, we have a little pentium III/450 sitting
beside this host. any time i need to install something, i
build it on that host, install it on that host, change DESTDIR
to somethin', cd /usr/src/etc make distrib-dirs, cd back to the
application who i am patching, make install (into DESTDIR),
and then tar up the resulting dir tree.
we build packages on there too, if need be, and then
when we're done, we shut the power off ( have remote power
naturally we've also encouraged any user of machine B to
hash their known_hosts file anywhere they can.
[ openbsd 3.9-current GENERIC ( mar 15 ) // i386 ]