public inbox for gentoo-user@lists.gentoo.org
From: "Boyd Stephen Smith Jr." <bss03@volumehost.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Hosted server as distcc machine
Date: Mon, 20 Mar 2006 22:49:42 -0600
Message-ID: <200603202249.42756.bss03@volumehost.net>
In-Reply-To: <49bf44f10603202025n77d277ccv7e5b82d05d10a482@mail.gmail.com>

On Monday 20 March 2006 22:25, Grant <emailgrant@gmail.com> wrote about 
'[gentoo-user] Hosted server as distcc machine':
> Is there anything wrong with
> making a remote machine [a] distcc system?

Not really, but you do need to realize that distcc doesn't guarantee that 
jobs will be sent to the remote machines and will not prevent jobs from 
being run locally.  If there are not enough distcc hosts to support the 
number of jobs being run, or the network is down to 1 or more, or other 
such issues, you might end up having too many compiles being run locally.  
This applies even if you put something like localhost/2 in your distcc 
hosts -- when distcc runs out of hosts it unconditionally uses local 
compilation.

Also, distccd is a wide-open security hole: there's little to no 
restriction on what a client can run on the host, and AFAIK only 
IP/host-based restrictions on who can connect.  A few well-placed IP 
packets with spoofed sources could theoretically result in a rooted box 
(depending on other security features like firewalls, syn cookies, 
restricted shells, chroot jails, and presence of local privilege 
escalation exploits).

It's probably better to use distcc over ssh, using an ssh-agent and PKI 
authentication.  That does involve giving shell access to an account, but 
you probably already have an account that will work. :)  Unfortunately, 
this removes the host's ability to limit simultaneous distcc jobs AFAIK.  
It also makes it quite a bit harder to distcc from cron, but most of the 
time that shouldn't be an issue.

-- 
"If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability."
-- Gentoo Developer Ciaran McCreesh
-- 
gentoo-user@gentoo.org mailing list
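
An added example, not part of the original message: a small shell check that separates the entries in a distcc host list that use the plain TCP daemon from those that go over ssh, the distinction the message above draws. It assumes the host-spec syntax documented in distcc(1) (`@host` or `user@host` for ssh, a bare `host[:port]` for TCP); the host names and addresses in the sample list are constructed.

```shell
#!/bin/sh
# Added example: classify distcc host specs by transport.
# Constructed sample host list (all names and addresses are placeholders).
SAMPLE_HOSTS='localhost/2 buildbox.example.org/4 192.0.2.10:3632/8,lzo @ssh1.example.org/4 grant@ssh2.example.org --randomize'

# Print the transport for one host spec: option, ssh, local or tcp.
classify_hostspec() {
    case "$1" in
        --*|+zeroconf)                     echo option ;;  # global options, not hosts
        *@*)                               echo ssh ;;     # [USER]@HOST runs distccd over ssh
        localhost|localhost/*|localhost,*) echo local ;;   # compiled locally, no daemon
        *)                                 echo tcp ;;     # plain distccd socket
    esac
}

# Print every spec in "$1" that is sent to a plain TCP distccd.
# Runs in a subshell with globbing off so specs such as [::1] are
# not expanded against file names in the current directory.
list_tcp_hosts() (
    set -f
    for spec in $1; do
        if [ "$(classify_hostspec "$spec")" = tcp ]; then
            echo "$spec"
        fi
    done
)

# Print how many specs in "$1" use plain TCP.
count_tcp_hosts() {
    list_tcp_hosts "$1" | wc -l | tr -d ' '
}

# Show the plain TCP entries of the constructed sample list.
list_tcp_hosts "$SAMPLE_HOSTS"
```

To check a real configuration, pass the contents of `$DISTCC_HOSTS` or of the hosts file (with comment lines removed) as the single argument.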


