Re: [squid-users] compiling squid on dev machine, then moving to production machine

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 08 Jan 2003 17:37:01 +0100

ons 2003-01-08 klockan 14.36 skrev Mike Cudmore:

> I understand the need for same os'es and accept that this is necessary
> for the binary that is moved to work properly.
>
> The os'es, architecture are and will be the same.
>
> I also intend to build multiple squids. I don't want to build multiple
> dev boxes then harden them prior to going into production.
>
> Anyone else done this ?

All the time. Our production boxes have a tiny read-only root/system
filesystem (ca 8MB including kernel). No way a compiling environment
fits in there..

It is not at all difficult as long as you ensure that the needed shared
libraries are compatible.

If you need to support multiple different OS revisions then virtual
minimal OS installations can be used via chroot or similar measurements.
Most package managers allow for manual installation into a virtual root
directory.

But I see no real security issue why not have compilers on production
boxes.. If you are worried about security (I am) then mostly other
measurements are needed. The only major reason why not have compilers on
production boxes is to stop your sysadmin friend from trying to compile
stuff on production boxes which do not belong there, only because it is
easier to try it out on the production system instead of the development
system.. The other major reason (which is my case) is if you have a need
to keep the root/system filesystem small.

If you run on any common platform then hackers (including most
script-kiddies) won't care much if there is a compiler or not once they
hack the box as they most likely already have the needed binaries
compiled for their needs..

If you run an odd platform or variant where "normal" binaries won't run
then not having compilers available may be a reasonable security measure
if hackers are what you worry about.

Regards
Henrik
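A check for the shared-library point Henrik makes above, added here as an example and not taken from the thread or from Squid: on the production box it parses `ldd` output for the copied binary and flags every library or symbol version that does not resolve. It assumes a glibc-style `ldd` on the target; the `ldd` output used in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a binary built on the
# dev box resolves all of its shared libraries on the production box.
# Assumes a glibc-style `ldd` on the target machine.

# Parse `ldd` output read from stdin. Prints each dependency that does not
# resolve and returns 1 if anything is missing, 0 if everything resolves.
# Handles both forms ldd prints:
#   "libssl.so.0.9.7 => not found"                      (library absent)
#   "... version `GLIBC_2.3' not found (required by ...)" (ABI too old)
check_ldd_output() {
    missing=0
    while IFS= read -r line; do
        case "$line" in
            *"not found"*)
                # keep only the library name for the "=>" form; a version
                # mismatch line has no "=>" and is reported whole
                lib=$(printf '%s\n' "$line" |
                      sed 's/^[[:space:]]*//; s/[[:space:]]*=>.*//')
                printf 'missing: %s\n' "$lib"
                missing=1
                ;;
        esac
    done
    return "$missing"
}

# Run the check against a real executable, e.g. the squid binary that was
# copied over from the build machine.
check_binary() {
    binary=$1
    if [ ! -x "$binary" ]; then
        printf 'not executable: %s\n' "$binary" >&2
        return 2
    fi
    ldd "$binary" 2>/dev/null | check_ldd_output
}
```

Exit status 0 from `check_binary /path/to/squid` means every dependency resolves on this host; a non-zero status lists what is missing so the library (or a newer libc) can be installed before the binary is put into service.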
Received on Wed Jan 08 2003 - 09:37:31 MST