Mailing List Archive

Explaining the need for a C compiler - to a security group
Can anyone provide a more business sensitive response to "Isn't having a
C compiler on a prod box a security problem"? While I am in complete
agreement with the listed response:

"The days when you could prevent people from running non-approved
programs by removing the C compiler from your system ended roughly with
the VAX 11/780 computer."

I'm looking for a bit more sensitive response, as I know my security
department is going to come back on this as I move into testing Varnish
against Squid in the next environment. (Varnish is so much faster, and
does exactly what we want with far less config than Squid - we're really
pushing it!)

My reply is, if an attacker is on the box and can compile code, you
already have more problems to worry about. What other arguments could I
use?

Thanks

P

Explaining the need for a C compiler - to a security group [ In reply to ]
Cryer,Phil wrote:

> "The days when you could prevent people from running non-approved
> programs by removing the C compiler from your system ended roughly with
> the VAX 11/780 computer."

> My reply is, if an attacker is on the box and can compile code, you
> already have more problems to worry about. What other arguments could I
> use?

Some of the (trivial, probably) arguments that come to my mind:

- the attacker can bring his own C compiler to the box
- the attacker can use perl, php, ruby, sh and other interpreters for
almost everything he can use C for (the big exception is probably kernel
code).

Explaining the need for a C compiler - to a security group [ In reply to ]
In message <3ECD7F7DDE95BA4FA598E8DDE71F1A5104AFD024 at nwpsrv08.edj.ad.edwardjones.com>, "Cryer,Phil" writes:

>Can anyone provide a more business sensitive response to "Isn't having a
>C compiler on a prod box a security problem"? While I am in complete
>agreement with the listed response:
>
>"The days when you could prevent people from running non-approved
>programs by removing the C compiler from your system ended roughly with
>the VAX 11/780 computer."
>
>[...]
>
>My reply is, if an attacker is on the box and can compile code, you
>already have more problems to worry about. What other arguments could I
>use?

Isn't that the reply you need? If the attacker can move a source
file onto the box, he could just as well have moved the compiled
binary onto the box.

--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
phk at FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Explaining the need for a C compiler - to a security group [ In reply to ]
The counter argument I've heard is this:

"but they'd need to compile a module for the specific kernel/OS they
were attacking"

But with VMware, it's not exactly a lot of effort to have VMs for each
of the major OSes you're wanting to work with, compile remotely, and
then copy the compromised kernel module to the new host.

-- mike

On 26 Oct 2007, at 17:36, Ivan Voras wrote:

> Cryer,Phil wrote:
>
>> "The days when you could prevent people from running non-approved
>> programs by removing the C compiler from your system ended roughly
>> with the VAX 11/780 computer."
>
>> My reply is, if an attacker is on the box and can compile code, you
>> already have more problems to worry about. What other arguments
>> could I use?
>
> Some of the (trivial, probably) arguments that come to my mind:
>
> - the attacker can bring his own C compiler to the box
> - the attacker can use perl, php, ruby, sh and other interpreters for
> almost everything he can use C for (the big exception is probably
> kernel code).