In-Reply-To: <20090216185016.6e5dbfa7@coercion>
References: <6b16fb4c0902160405t6a2fcd3alb069d8e1a869e509@mail.gmail.com> <200902161326.07025.shrdlu@unlimitedmail.org> <20090216185016.6e5dbfa7@coercion>
List-Id: Gentoo Linux mail
Date:
 Mon, 16 Feb 2009 14:27:07 +0000
Message-ID: <358eca8f0902160627j3e7e4045y171cea92b040fdbb@mail.gmail.com>
Subject: Re: [gentoo-user] Gentoo as a production server - insecure?
From: Mick
To: gentoo-user@lists.gentoo.org

I happened to browse through a FreeBSD and a CentOS based virtual server
and was amazed on both occasions as to how slim these machines were. I've
seen embedded Linux running more processes on hardware servers than what
these machines were running. In that sense, gcc and the toolchain will
easily be perceived as bloat and potential for vulnerabilities and
exploitation.

In my humble opinion, it is all relevant. If you understand SELinux you
may want to have a look at it. One of these days I promised myself to
have a good read of it without falling asleep or developing a migraine! :p

The beauty of Gentoo is that you can build it as you want it.

2009/2/16 Mike Kazantsev:
> On Mon, 16 Feb 2009 13:48:04 +0100
> Johannes Frandsen wrote:
>
>> I got into a discussion about which server to recommend for running
>> the php5 symfony framework, and I recommended Gentoo as I had been
>> using it myself for a couple of years and have been very satisfied
>> with it.
>> Somebody pointed out that having a production server with a gcc
>> installed was a big no no security wise, so I did a bit of googling on
>> that topic and found a couple of articles supporting that view.
>
> I suppose it makes sense only in a much broader context: "remove
> everything that isn't necessary, even gcc".
>
> It might certainly give an attacker a harder time, but if it's an x86/64
> Linux machine, I think that hardly matters - static binaries won't be a
> problem, so, if you're seriously considering that step to be necessary
> - get rid of coreutils (especially that 'rm' utility) and all the
> interpreters (even awk!) first.
>
> --
> Mike Kazantsev // fraggod.net

--
Regards,
Mick
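As an added illustration of the "remove everything that isn't necessary" advice discussed above (an example script written for this archive page, not code from Mick, Mike or the Gentoo project): a POSIX sh inventory of which compilers and script interpreters are actually present on a host, so the size of that clean-up is visible before deciding on it. The two name lists are an assumption; the thread itself names only gcc, coreutils and awk.

```shell
#!/bin/sh
# Added example (not from the thread): report compilers and interpreters
# found in a set of directories, so a "slim server" claim can be checked.
# The name lists below are assumed, not taken from the thread; extend them.

TOOLCHAIN_NAMES="gcc cc g++ c++ ld as make"
INTERPRETER_NAMES="perl python python2 python3 ruby awk gawk mawk"

# audit_toolchain [DIR...]
# Prints one line per match: "<class> <name> <path>".
# With no arguments it scans every directory in $PATH.
audit_toolchain() {
    if [ $# -eq 0 ]; then
        old_ifs=$IFS
        IFS=:
        set -- $PATH
        IFS=$old_ifs
    fi
    for dir in "$@"; do
        # skip empty PATH components and directories that do not exist
        [ -n "$dir" ] && [ -d "$dir" ] || continue
        for name in $TOOLCHAIN_NAMES; do
            [ -x "$dir/$name" ] && printf 'toolchain %s %s\n' "$name" "$dir/$name"
        done
        for name in $INTERPRETER_NAMES; do
            [ -x "$dir/$name" ] && printf 'interpreter %s %s\n' "$name" "$dir/$name"
        done
    done
    return 0
}

# Sample run over the host's own $PATH (or the directories given as arguments).
audit_toolchain "$@"
```

The listing only shows what is installed; as the thread points out, it says nothing about a static binary an attacker brings along.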