[nycbug-talk] removing compilers in obsd

Marc Spitzer mspitze1
Wed Feb 25 19:45:41 EST 2004


On Wed, 25 Feb 2004 18:00:55 -0500
"G. Rosamond" <george at sddi.net> wrote:

> I know that one way to further lock down an OpenBSD
> (or any BSD) box is to not install the compilers,
> compxx from the install sets.
> 

I do not think it is worth worrying about too much; it's not really
adding anything meaningful to your security. You are much better off
spending the time setting up a root-kit-detection tripwire/mtree script
that runs every 5 min. on selected binaries, ls and the like, so you get
alerted and/or take the proper action (shutdown -y now, for example). Most
exploits are in binary form already.

> they are necessary if you're hacking the kernel,
> using ports, etc.
> 
> but after you've used them, how do you remove
> them?

rm gcc f77 g++ ... 
or
chmod 0000 gcc f77 g++ ...

but I would recommend against removing the full suite because the
compiler comes with a lot of shared libraries that may be used in
different parts of the system. 

marc
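The periodic integrity check Marc describes, as an added example that is not from the original post or from OpenBSD's own mtree(8). It is a simplified stand-in for a tripwire/mtree run: it records SHA-256 digests of a hand-picked list of binaries, then re-checks them and exits non-zero on any change, so a cron entry can chain an action (such as a shutdown) onto it. Assumptions: either sha256sum(1) (GNU) or sha256(1) (OpenBSD) is installed; the paths /usr/local/sbin/check-bins and /var/db/bins.sha256 and the cron line are illustrative; the demo files it hashes are constructed, not real system binaries.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal tripwire/mtree-style
# integrity check for a hand-picked list of binaries. Builds a baseline of
# SHA-256 digests, then verifies against it; run the verify step from cron
# every 5 minutes, as the post suggests.
#
# Assumptions: sha256sum(1) (GNU) or sha256(1) (OpenBSD) is installed.
# The paths and cron line below are illustrative, not real.
#
# Illustrative cron entry:
#   */5 * * * * /usr/local/sbin/check-bins verify /var/db/bins.sha256 \
#       || /sbin/shutdown -h now
#
# Keep the baseline and this script where an intruder cannot quietly rewrite
# them (read-only media, or a copy off-host); a root-level attacker can
# otherwise edit both to match his replacement binaries.

# hash_file PATH: print the SHA-256 digest of PATH using whichever tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        echo "hash_file: no sha256 tool found" >&2
        return 1
    fi
}

# build_baseline LISTFILE DBFILE: LISTFILE holds one path per line;
# DBFILE receives "digest path" lines (rewritten from scratch each time).
build_baseline() {
    list=$1; db=$2
    : > "$db"
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$db"
    done < "$list"
}

# verify_baseline DBFILE: re-hash every recorded path. Prints one
# "CHANGED path" or "MISSING path" line per problem; returns non-zero
# if anything differs, so cron can chain an action onto the exit status.
verify_baseline() {
    db=$1; rc=0
    while IFS= read -r line; do
        want=${line%% *}
        f=${line#* }
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; rc=1; continue
        fi
        have=$(hash_file "$f")
        if [ "$have" != "$want" ]; then
            echo "CHANGED $f"; rc=1
        fi
    done < "$db"
    return "$rc"
}

# Demo on constructed files (not real system binaries) so it runs anywhere.
demo() {
    d=$(mktemp -d) || return 1
    printf 'fake ls binary\n' > "$d/ls"
    printf 'fake ps binary\n' > "$d/ps"
    printf '%s\n%s\n' "$d/ls" "$d/ps" > "$d/list"
    build_baseline "$d/list" "$d/db"
    echo "clean run:"; verify_baseline "$d/db" && echo "  ok"
    printf 'trojaned ls\n' > "$d/ls"     # simulate a replaced binary
    rm -f "$d/ps"                        # simulate a deleted binary
    echo "after tampering:"; verify_baseline "$d/db" || echo "  ALERT (rc=$?)"
    rm -rf "$d"
}

demo
```

Two caveats a practitioner should keep in mind: this only covers the paths in the list (mtree(8) on OpenBSD additionally records mode, owner and group, and can walk a whole tree), and any check that hashes files through the running kernel can be lied to by a kernel-level rootkit, so it catches replaced or removed binaries, not every form of compromise.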
