* [gentoo-user] GCC only for priviliged users? @ 2005-12-09 17:21 Jesús García Crespo 2005-12-09 17:29 ` Spider (D.m.D. Lj.) 2005-12-09 17:38 ` Harald Arnesen 0 siblings, 2 replies; 8+ messages in thread From: Jesús García Crespo @ 2005-12-09 17:21 UTC (permalink / raw To: gentoo-user [-- Attachment #1: Type: text/plain, Size: 472 bytes --] Hi! I thought that GCC could means a risk if all of the users of my system are able to run it! I talked this with a friend and he propossed to create a new group, "compiler", for example, where all the users who will be able to run gcc must belong to it! Wouldn't be interesting to implement this into Gentoo gcc ebuild as an USE? -- Jesús García Crespo (aka Sevein) http://www.sevein.com correo@sevein.com GnuPG key ID: E2DB17E8 (pgp.escomposlinux.org) [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-user] GCC only for priviliged users? 2005-12-09 17:21 [gentoo-user] GCC only for priviliged users? Jesús García Crespo @ 2005-12-09 17:29 ` Spider (D.m.D. Lj.) 2005-12-10 11:06 ` Jesús García Crespo 2005-12-10 22:16 ` Chris Boot 2005-12-09 17:38 ` Harald Arnesen 1 sibling, 2 replies; 8+ messages in thread From: Spider (D.m.D. Lj.) @ 2005-12-09 17:29 UTC (permalink / raw To: gentoo-user [-- Attachment #1: Type: text/plain, Size: 1385 bytes --] On Fri, 2005-12-09 at 18:21 +0100, Jesús García Crespo wrote: > Hi! I thought that GCC could means a risk if all of the users of my > system are able to run it! I talked this with a friend and he propossed > to create a new group, "compiler", for example, where all the users > who will be able to run gcc must belong to it! > > Wouldn't be interesting to implement this into Gentoo gcc ebuild as an > USE? Exactly what risk is there from an end-user running a compiler? A compiler doesn't access any kind of restricted environment, doesn't auytomatically create binaries with other rights than its own and is about as "safe" a product as there can be. And if you think that users running their own programs is a risk, simply mount /home as noexec, ( make sure to impose the same limitations on /tmp and /var/tmp as well, since users have write-access there) And.. really. python, perl, awk, bash ... All of those are fully capable of creating and running programs. And no, I do not think you can limit the use thereof from user accounts.: ) If you're really paranoid about execution and so on, start reading the SELinux FAQ and create a ruleset.. The default one is probably more lenient than you want it ;) //Spider -- begin .signature Tortured users / Laughing in pain See Microsoft KB Article Q265230 for more information. end [-- Attachment #2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-user] GCC only for priviliged users? 2005-12-09 17:29 ` Spider (D.m.D. Lj.) @ 2005-12-10 11:06 ` Jesús García Crespo 2005-12-10 11:45 ` Michael Kjorling 2005-12-10 18:05 ` Richard Fish 2005-12-10 22:16 ` Chris Boot 1 sibling, 2 replies; 8+ messages in thread From: Jesús García Crespo @ 2005-12-10 11:06 UTC (permalink / raw To: gentoo-user [-- Attachment #1: Type: text/plain, Size: 1213 bytes --] On Fri, 09 Dec 2005 18:29:22 +0100 "Spider (D.m.D. Lj.)" <spider@gentoo.org> wrote: > On Fri, 2005-12-09 at 18:21 +0100, Jesús García Crespo wrote: > > Hi! I thought that GCC could means a risk if all of the users of my > > system are able to run it! I talked this with a friend and he > > propossed to create a new group, "compiler", for example, where all > > the users who will be able to run gcc must belong to it! > > > > Wouldn't be interesting to implement this into Gentoo gcc ebuild as > > an USE? > > > Exactly what risk is there from an end-user running a compiler? A > compiler doesn't access any kind of restricted environment, doesn't > auytomatically create binaries with other rights than its own and is > about as "safe" a product as there can be. I meant something like: for (;;) malloc(1000); > If you're really paranoid about execution and so on, start reading the > SELinux FAQ and create a ruleset.. The default one is probably more > lenient than you want it ;) Yes, I understand. I will read about it. Thanks a lot! -- Jesús García Crespo (aka Sevein) http://www.sevein.com correo@sevein.com GnuPG key ID: E2DB17E8 (pgp.escomposlinux.org) [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-user] GCC only for priviliged users? 2005-12-10 11:06 ` Jesús García Crespo @ 2005-12-10 11:45 ` Michael Kjorling 2005-12-10 18:05 ` Richard Fish 1 sibling, 0 replies; 8+ messages in thread From: Michael Kjorling @ 2005-12-10 11:45 UTC (permalink / raw To: gentoo-user [-- Attachment #1: Type: text/plain, Size: 760 bytes --] On 2005-12-10 12:06 +0100, correo@sevein.com wrote: > I meant something like: > for (;;) malloc(1000); If this is what you are worried about, it sounds like you would be a lot better off setting up some sort of resource limits than simply limiting access to the compiler. I know for a fact that PAM has resource limiting (see for example [1], [2]) and it may be possible to do without PAM as well. [1] http://www.google.com/search?q=linux+pam+memory+limiting [2] http://www.rfxnetworks.com/lprl.php (old but should be usable) -- Michael Kjörling, michael@kjorling.com - http://michael.kjorling.com/ * ASCII Ribbon Campaign: Against HTML Mail, Proprietary Attachments * * ..... No bird soars too high if he soars with his own wings ..... * [-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-user] GCC only for priviliged users? 2005-12-10 11:06 ` Jesús García Crespo 2005-12-10 11:45 ` Michael Kjorling @ 2005-12-10 18:05 ` Richard Fish 1 sibling, 0 replies; 8+ messages in thread From: Richard Fish @ 2005-12-10 18:05 UTC (permalink / raw To: gentoo-user On 12/10/05, aka Sevein Jesús García Crespo <correo@sevein.com> wrote: > I meant something like: > for (;;) malloc(1000); Not any worse than: x=abcdefghijklmnopqrstuvwxyz; while true; do x="$x$x"; done -Richard -- gentoo-user@gentoo.org mailing list ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-user] GCC only for priviliged users? 2005-12-09 17:29 ` Spider (D.m.D. Lj.) 2005-12-10 11:06 ` Jesús García Crespo @ 2005-12-10 22:16 ` Chris Boot 1 sibling, 0 replies; 8+ messages in thread From: Chris Boot @ 2005-12-10 22:16 UTC (permalink / raw To: gentoo-user On 9 Dec 2005, at 17:29, Spider (D.m.D. Lj.) wrote: > On Fri, 2005-12-09 at 18:21 +0100, Jesús García Crespo wrote: >> Hi! I thought that GCC could means a risk if all of the users of my >> system are able to run it! I talked this with a friend and he >> propossed >> to create a new group, "compiler", for example, where all the users >> who will be able to run gcc must belong to it! >> >> Wouldn't be interesting to implement this into Gentoo gcc ebuild >> as an >> USE? > > > Exactly what risk is there from an end-user running a compiler? A > compiler doesn't access any kind of restricted environment, doesn't > auytomatically create binaries with other rights than its own and is > about as "safe" a product as there can be. > > And if you think that users running their own programs is a risk, > simply > mount /home as noexec, ( make sure to impose the same limitations > on /tmp and /var/tmp as well, since users have write-access there) > > > And.. really. python, perl, awk, bash ... All of those are fully > capable > of creating and running programs. And no, I do not think you can limit > the use thereof from user accounts.: ) > Don't forget you can run a normal executable with noexec as well: /lib/ld-linux.so some_executable Which basically makes noexec on a mount completely useless. Try it: mount some partition with noexec, copy bash to it, and run it with the above. > > If you're really paranoid about execution and so on, start reading the > SELinux FAQ and create a ruleset.. The default one is probably more > lenient than you want it ;) > > //Spider > -- > begin .signature > Tortured users / Laughing in pain > See Microsoft KB Article Q265230 for more information. > end > Chris -- Chris Boot bootc@bootc.net http://www.bootc.net/ -- gentoo-user@gentoo.org mailing list ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-user] GCC only for priviliged users? 2005-12-09 17:21 [gentoo-user] GCC only for priviliged users? Jesús García Crespo 2005-12-09 17:29 ` Spider (D.m.D. Lj.) @ 2005-12-09 17:38 ` Harald Arnesen 2005-12-09 17:45 ` Harald Arnesen 1 sibling, 1 reply; 8+ messages in thread From: Harald Arnesen @ 2005-12-09 17:38 UTC (permalink / raw To: gentoo-user Jesús García Crespo (aka Sevein) <correo@sevein.com> writes: > Hi! I thought that GCC could means a risk if all of the users of my > system are able to run it! I talked this with a friend and he propossed > to create a new group, "compiler", for example, where all the users > who will be able to run gcc must belong to it! > > Wouldn't be interesting to implement this into Gentoo gcc ebuild as an > USE? What stops the user from downloading the gcc source and install it on her home partition? -- Hilsen Harald. -- gentoo-user@gentoo.org mailing list ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-user] GCC only for priviliged users? 2005-12-09 17:38 ` Harald Arnesen @ 2005-12-09 17:45 ` Harald Arnesen 0 siblings, 0 replies; 8+ messages in thread From: Harald Arnesen @ 2005-12-09 17:45 UTC (permalink / raw To: gentoo-user Harald Arnesen <harald@skogtun.org> writes: > Jesús García Crespo (aka Sevein) <correo@sevein.com> writes: > >> Hi! I thought that GCC could means a risk if all of the users of my >> system are able to run it! I talked this with a friend and he propossed >> to create a new group, "compiler", for example, where all the users >> who will be able to run gcc must belong to it! >> >> Wouldn't be interesting to implement this into Gentoo gcc ebuild as an >> USE? > > What stops the user from downloading the gcc source and install it on > her home partition? I was a bit fast there. What i meant was: What stops the user from downloading the gcc source to another machine, compiling it there and installing the binary on her home partition on your machine? -- Hilsen Harald. -- gentoo-user@gentoo.org mailing list ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2005-12-10 22:21 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2005-12-09 17:21 [gentoo-user] GCC only for priviliged users? Jesús García Crespo 2005-12-09 17:29 ` Spider (D.m.D. Lj.) 2005-12-10 11:06 ` Jesús García Crespo 2005-12-10 11:45 ` Michael Kjorling 2005-12-10 18:05 ` Richard Fish 2005-12-10 22:16 ` Chris Boot 2005-12-09 17:38 ` Harald Arnesen 2005-12-09 17:45 ` Harald Arnesen
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox