From: Mike Kazantsev
To: gentoo-user@lists.gentoo.org
Date: Mon, 16 Feb 2009 18:50:16 +0500
Subject: Re: [gentoo-user] Gentoo as a production server - insecure?
Message-ID: <20090216185016.6e5dbfa7@coercion>
References: <6b16fb4c0902160405t6a2fcd3alb069d8e1a869e509@mail.gmail.com> <200902161326.07025.shrdlu@unlimitedmail.org>
List-Id: Gentoo Linux mail

On Mon, 16 Feb 2009 13:48:04 +0100 Johannes Frandsen wrote:

> I got into a discussion about which server to recommend for running
> the php5 symfony framework, and I recommended Gentoo as I had been
> using it myself for a couple of years and have been very satisfied
> with it.
> Somebody pointed out that having a production server with a gcc
> installed was a big no-no security-wise, so I did a bit of googling on
> that topic and found a couple of articles supporting that view.

I suppose it makes sense only in a much broader context: "remove
everything that isn't necessary, even gcc". It might certainly give an
attacker a harder time, but if it's an x86/64 Linux machine, I think
that hardly matters - static binaries won't be a problem, so, if you're
seriously considering that step to be necessary - get rid of coreutils
(especially that 'rm' utility) and all the interpreters (even awk!)
first.

-- 
Mike Kazantsev // fraggod.net
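The following audit script is an added example and is not part of the thread above or of any Gentoo tooling. It turns the reply's point into a check you can run on a box: inventory the compilers and interpreters that "remove gcc" would also have to cover, and, going one step beyond the mail, report which writable scratch directories are not mounted noexec, since an attacker who can write and execute a file there simply uploads a prebuilt static binary and never needs a local compiler. The tool-name lists are an assumption about what matters on a typical server, and the mount check assumes a /proc/mounts-style table (device, mount point, type, options).

```shell
#!/bin/sh
# Added audit helper; not from the mailing-list thread.
# Assumption: these names are the compilers/interpreters worth caring about.
COMPILERS="gcc cc g++ c++ clang tcc as ld make"
INTERPRETERS="perl python python2 python3 ruby php awk gawk mawk lua tclsh"

# find_tools NAME...: print each NAME that resolves to an executable in PATH.
find_tools() {
    for name in "$@"; do
        if command -v "$name" >/dev/null 2>&1; then
            printf '%s\n' "$name"
        fi
    done
}

# mount_opts DIR [MOUNTS_FILE]: options of the longest mount point that is a
# prefix of DIR, read from a /proc/mounts-style file (later entries win, as
# a later mount shadows an earlier one at the same point).
mount_opts() {
    dir=$1
    mounts=${2:-/proc/mounts}
    best=""
    best_opts=""
    while read -r _dev mnt _type opts _rest; do
        case "$mnt" in
            /) match=1 ;;
            *) case "$dir" in "$mnt"|"$mnt"/*) match=1 ;; *) match=0 ;; esac ;;
        esac
        if [ "$match" = 1 ] && [ ${#mnt} -ge ${#best} ]; then
            best=$mnt
            best_opts=$opts
        fi
    done < "$mounts"
    printf '%s\n' "$best_opts"
}

# is_noexec DIR [MOUNTS_FILE]: succeed if DIR sits on a noexec mount.
is_noexec() {
    case ",$(mount_opts "$1" "${2:-/proc/mounts}")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# writable_exec_dirs MOUNTS_FILE DIR...: print each DIR the caller can write
# to that is not noexec, i.e. a place to drop and run a static binary.
writable_exec_dirs() {
    table=$1
    shift
    for candidate in "$@"; do
        if [ -w "$candidate" ] && ! is_noexec "$candidate" "$table"; then
            printf '%s\n' "$candidate"
        fi
    done
}

# Run with --run to audit the current host; sourcing the file only defines
# the functions so they can be reused or tested.
if [ "${1:-}" = "--run" ]; then
    echo "compilers in PATH:";    find_tools $COMPILERS
    echo "interpreters in PATH:"; find_tools $INTERPRETERS
    echo "writable, exec-able scratch dirs:"
    writable_exec_dirs /proc/mounts /tmp /var/tmp /dev/shm "${HOME:-/root}"
fi
```

Usage: `sh audit.sh --run`. An empty compiler list with /tmp, /var/tmp or /dev/shm still listed under "writable, exec-able" is exactly the situation the reply describes: the toolchain is gone, but the attacker does not need it.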