I happened to browse through a FreeBSD and a CentOS based virtual server and was amazed on both occasions as to how slim these machines were. I've seen embedded Linux running more processes on hardware servers than what these machines were running. In that sense, gcc and toolchain will be easily perceived as bloat and potential for vulnerabilities and exploitation. In my humble opinion, it is all relevant. If you understand SELinux you may want to have a look at it. One of these days I promised myself to have a good read of it without falling asleep or developing a migraine! :p
The beauty of Gentoo is that you can build it as you want it.

2009/2/16 Mike Kazantsev <[email protected]>:
> On Mon, 16 Feb 2009 13:48:04 +0100
> Johannes Frandsen <[email protected]> wrote:
>
>> I got into a discussion about which server to recommend for running
>> the php5 symfony framework, and I recommended Gentoo as I had been
>> using it myself for a couple of years and have been very satisfied
>> with it.
>> Somebody pointed out that having a production server with a gcc
>> installed was a big no no security wise, so I did a bit of googling on
>> that topic and found a couple of articles supporting that view.
>
> I suppose it makes sense only in much broader context: "remove
> everything that isn't necessary, even gcc".
>
> It might certainly give attacker a harder time, but if it's x86/64 linux
> machine, I think that hardly matters - static binaries won't be a
> problem, so, if you're seriously considering that step to be necessary
> - get rid of coreutils (especially that 'rm' utility) and all the
> interpreters (even awk!) first.
>
> --
> Mike Kazantsev // fraggod.net
>

--
Regards,
Mick

