public inbox for gentoo-user@lists.gentoo.org
From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Gentoo as a production server - insecure?
Date: Mon, 16 Feb 2009 14:27:07 +0000
Message-ID: <358eca8f0902160627j3e7e4045y171cea92b040fdbb@mail.gmail.com>
In-Reply-To: <20090216185016.6e5dbfa7@coercion>

I happened to browse through a FreeBSD and a CentOS based virtual
server and was amazed on both occasions as to how slim these machines
were.  I've seen embedded Linux running more processes on hardware
servers than what these machines were running.  In that sense, gcc and
toolchain will be easily perceived as bloat and potential for
vulnerabilities and exploitation.  In my humble opinion, it is all
relevant.  If you understand SELinux you may want to have a look at
it.  One of these days I promised myself to have a good read of it
without falling asleep or developing a migraine!  :p

The beauty of Gentoo is that you can build it as you want it.

2009/2/16 Mike Kazantsev <mike_kazantsev@fraggod.net>:
> On Mon, 16 Feb 2009 13:48:04 +0100
> Johannes Frandsen <jsf@imento.dk> wrote:
>
>> I got into a discussion about which server to recommend for running
>> the php5 symfony framework, and I recommended Gentoo as I had been
>> using it myself for a couple of years and have been very satisfied
>> with it.
>> Somebody pointed out that having a production server with gcc
>> installed was a big no-no security-wise, so I did a bit of googling on
>> that topic and found a couple of articles supporting that view.
>
> I suppose it makes sense only in a much broader context: "remove
> everything that isn't necessary, even gcc".
>
> It might certainly give an attacker a harder time, but if it's an x86/64
> Linux machine, I think that hardly matters - static binaries won't be a
> problem, so, if you're seriously considering that step to be necessary
> - get rid of coreutils (especially that 'rm' utility) and all the
> interpreters (even awk!) first.
>
> --
> Mike Kazantsev // fraggod.net
>



-- 
Regards,
Mick


