* [gentoo-user] GCC only for privileged users?
From: Jesús García Crespo @ 2005-12-09 17:21 UTC
To: gentoo-user
Hi! I thought that GCC could mean a risk if all of the users of my
system are able to run it! I talked about this with a friend and he proposed
to create a new group, "compiler", for example, where all the users
who will be able to run gcc must belong to it!
Wouldn't it be interesting to implement this in the Gentoo gcc ebuild as a
USE?
--
Jesús García Crespo (aka Sevein)
http://www.sevein.com
correo@sevein.com
GnuPG key ID: E2DB17E8 (pgp.escomposlinux.org)
* Re: [gentoo-user] GCC only for privileged users?
From: Spider (D.m.D. Lj.) @ 2005-12-09 17:29 UTC
To: gentoo-user
On Fri, 2005-12-09 at 18:21 +0100, Jesús García Crespo wrote:
> Hi! I thought that GCC could mean a risk if all of the users of my
> system are able to run it! I talked about this with a friend and he proposed
> to create a new group, "compiler", for example, where all the users
> who will be able to run gcc must belong to it!
>
> Wouldn't it be interesting to implement this in the Gentoo gcc ebuild as a
> USE?
Exactly what risk is there from an end-user running a compiler? A
compiler doesn't access any kind of restricted environment, doesn't
automatically create binaries with other rights than its own and is
about as "safe" a product as there can be.
And if you think that users running their own programs is a risk, simply
mount /home as noexec (make sure to impose the same limitations
on /tmp and /var/tmp as well, since users have write-access there).
And.. really. python, perl, awk, bash ... All of those are fully capable
of creating and running programs. And no, I do not think you can limit
the use thereof from user accounts. :)
If you're really paranoid about execution and so on, start reading the
SELinux FAQ and create a ruleset.. The default one is probably more
lenient than you want it ;)
//Spider
--
begin .signature
Tortured users / Laughing in pain
See Microsoft KB Article Q265230 for more information.
end
* Re: [gentoo-user] GCC only for privileged users?
From: Harald Arnesen @ 2005-12-09 17:38 UTC
To: gentoo-user
Jesús García Crespo (aka Sevein) <correo@sevein.com> writes:
> Hi! I thought that GCC could mean a risk if all of the users of my
> system are able to run it! I talked about this with a friend and he proposed
> to create a new group, "compiler", for example, where all the users
> who will be able to run gcc must belong to it!
>
> Wouldn't it be interesting to implement this in the Gentoo gcc ebuild as a
> USE?
What stops the user from downloading the gcc source and installing it on
her home partition?
--
Hilsen Harald.
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] GCC only for privileged users?
From: Harald Arnesen @ 2005-12-09 17:45 UTC
To: gentoo-user
Harald Arnesen <harald@skogtun.org> writes:
> Jesús García Crespo (aka Sevein) <correo@sevein.com> writes:
>
>> Hi! I thought that GCC could mean a risk if all of the users of my
>> system are able to run it! I talked about this with a friend and he proposed
>> to create a new group, "compiler", for example, where all the users
>> who will be able to run gcc must belong to it!
>>
>> Wouldn't it be interesting to implement this in the Gentoo gcc ebuild as a
>> USE?
>
> What stops the user from downloading the gcc source and installing it on
> her home partition?
I was a bit fast there. What I meant was:
What stops the user from downloading the gcc source to another
machine, compiling it there and installing the binary on her home
partition on your machine?
--
Hilsen Harald.
* Re: [gentoo-user] GCC only for privileged users?
From: Jesús García Crespo @ 2005-12-10 11:06 UTC
To: gentoo-user
On Fri, 09 Dec 2005 18:29:22 +0100
"Spider (D.m.D. Lj.)" <spider@gentoo.org> wrote:
> On Fri, 2005-12-09 at 18:21 +0100, Jesús García Crespo wrote:
> > Hi! I thought that GCC could mean a risk if all of the users of my
> > system are able to run it! I talked about this with a friend and he
> > proposed to create a new group, "compiler", for example, where all
> > the users who will be able to run gcc must belong to it!
> >
> > Wouldn't it be interesting to implement this in the Gentoo gcc ebuild
> > as a USE?
>
>
> Exactly what risk is there from an end-user running a compiler? A
> compiler doesn't access any kind of restricted environment, doesn't
> automatically create binaries with other rights than its own and is
> about as "safe" a product as there can be.
I meant something like:
for (;;) malloc(1000);
> If you're really paranoid about execution and so on, start reading the
> SELinux FAQ and create a ruleset.. The default one is probably more
> lenient than you want it ;)
Yes, I understand. I will read about it.
Thanks a lot!
--
Jesús García Crespo (aka Sevein)
http://www.sevein.com
correo@sevein.com
GnuPG key ID: E2DB17E8 (pgp.escomposlinux.org)
* Re: [gentoo-user] GCC only for privileged users?
From: Michael Kjorling @ 2005-12-10 11:45 UTC
To: gentoo-user
On 2005-12-10 12:06 +0100, correo@sevein.com wrote:
> I meant something like:
> for (;;) malloc(1000);
If this is what you are worried about, it sounds like you would be a
lot better off setting up some sort of resource limits than simply
limiting access to the compiler. I know for a fact that PAM has
resource limiting (see for example [1], [2]) and it may be possible to
do without PAM as well.
[1] http://www.google.com/search?q=linux+pam+memory+limiting
[2] http://www.rfxnetworks.com/lprl.php (old but should be usable)
--
Michael Kjörling, michael@kjorling.com - http://michael.kjorling.com/
* ASCII Ribbon Campaign: Against HTML Mail, Proprietary Attachments *
* ..... No bird soars too high if he soars with his own wings ..... *
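Added example (not part of the thread, and not PAM or Gentoo code): the resource-limit approach suggested in the message above, shown at the system-call level. pam_limits applies limits of this kind at login from /etc/security/limits.conf; here a child process caps its own address space with setrlimit(RLIMIT_AS) before running the thread's malloc(1000) loop. The helper name allocations_under_limit and the 64 MiB cap are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical helper: run the thread's `for (;;) malloc(1000);` loop in a
 * child whose address space is capped at limit_bytes. Returns how many
 * allocations succeeded before malloc() failed, or -1 on error. */
long allocations_under_limit(rlim_t limit_bytes)
{
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }

    if (pid == 0) {                          /* child: the runaway program */
        struct rlimit rl = { .rlim_cur = limit_bytes, .rlim_max = limit_bytes };
        void *volatile p;    /* volatile: keeps the compiler from eliding malloc */
        long count = 0;
        close(fds[0]);
        if (setrlimit(RLIMIT_AS, &rl) != 0) _exit(2);
        while ((p = malloc(1000)) != NULL)   /* never freed, as in the thread */
            count++;
        _exit(write(fds[1], &count, sizeof count) == (ssize_t)sizeof count ? 0 : 3);
    }

    long count = -1;
    int status = 0;
    close(fds[1]);
    ssize_t n = read(fds[0], &count, sizeof count);
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return n == (ssize_t)sizeof count ? count : -1;
}

int main(void)
{
    long n = allocations_under_limit(64UL * 1024 * 1024);  /* constructed: 64 MiB */
    if (n < 0) { fprintf(stderr, "measurement failed\n"); return 1; }
    printf("malloc(1000) succeeded %ld times before the cap stopped it\n", n);
    return 0;
}
```

With the cap in place the loop ends with malloc() returning NULL inside the child, and the rest of the system is unaffected.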
* Re: [gentoo-user] GCC only for privileged users?
From: Richard Fish @ 2005-12-10 18:05 UTC
To: gentoo-user
On 12/10/05, aka Sevein Jesús García Crespo <correo@sevein.com> wrote:
> I meant something like:
> for (;;) malloc(1000);
Not any worse than:
x=abcdefghijklmnopqrstuvwxyz; while true; do x="$x$x"; done
-Richard
* Re: [gentoo-user] GCC only for privileged users?
From: Chris Boot @ 2005-12-10 22:16 UTC
To: gentoo-user
On 9 Dec 2005, at 17:29, Spider (D.m.D. Lj.) wrote:
> On Fri, 2005-12-09 at 18:21 +0100, Jesús García Crespo wrote:
>> Hi! I thought that GCC could mean a risk if all of the users of my
>> system are able to run it! I talked about this with a friend and he
>> proposed to create a new group, "compiler", for example, where all the
>> users who will be able to run gcc must belong to it!
>>
>> Wouldn't it be interesting to implement this in the Gentoo gcc ebuild
>> as a USE?
>
>
> Exactly what risk is there from an end-user running a compiler? A
> compiler doesn't access any kind of restricted environment, doesn't
> automatically create binaries with other rights than its own and is
> about as "safe" a product as there can be.
>
> And if you think that users running their own programs is a risk,
> simply mount /home as noexec (make sure to impose the same limitations
> on /tmp and /var/tmp as well, since users have write-access there).
>
>
> And.. really. python, perl, awk, bash ... All of those are fully
> capable of creating and running programs. And no, I do not think you
> can limit the use thereof from user accounts. :)
>
Don't forget you can run a normal executable with noexec as well:
/lib/ld-linux.so some_executable
Which basically makes noexec on a mount completely useless. Try it:
mount some partition with noexec, copy bash to it, and run it with
the above.
>
> If you're really paranoid about execution and so on, start reading the
> SELinux FAQ and create a ruleset.. The default one is probably more
> lenient than you want it ;)
>
> //Spider
> --
> begin .signature
> Tortured users / Laughing in pain
> See Microsoft KB Article Q265230 for more information.
> end
>
Chris
--
Chris Boot
bootc@bootc.net
http://www.bootc.net/