Jeff raises a good point here, but just what is "le minimum" that you can put on a public server and still expect it to run? I'm thinking RH here, not Deb (and I don't want a war between the two camps).

On Wed, 18 Sep 2002, Jeff Waugh wrote:

> I've taken a bit of stick every now and then for refusing to let co-admins
> install gcc and other non-server-related software on machines that I admin.
> Giving gcc to a worm or human attacker is like arming them with an
> anti-aircraft missile in an inner city cafeteria.
>
> "But what if I have to build a kernel?" -> you can do it on *any* other
> machine, even cross-compiling it on a different architecture if you're
> feeling lucky
>
> "But what if I have to rebuild a patched package?" -> do it on your test
> system which should be exactly like your production machine anyway
>
> "But it's convenient!" -> go to the back of the class
>
> If you can, it's even worth removing perl, bash (/dev/tcp!), and other tools
> from machines that you're paranoid about. Don't give a worm or human
> attacker *any* rope to hang you on. This worm can be extra sneaky given that
> it can compile itself, but don't discount the damage that a perl or python
> based worm could do before detection.
>
> [ Unfortunately, I can't do that with my distribution, but I hope the day
>   will come when I can. It would be cool if other distributions greyed out
>   the 'development' tools option once you select 'server' too, though
>   perhaps that's a bit harsh. :-) ]
>
> Numero Uno: Don't put any crap, compiler or not, on your server that you
> don't need. It can and will be used against you.

--
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
"Flatter government, not fatter government." - me
Get rid of the Australian states.

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
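
One way to check a host against the advice in this thread, added here as an example and not written by either poster: the script lists compilers and interpreters found on a search path and, on RPM systems, the package that owns each one. The tool list, the function names and the AUDIT_PATH variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example: list compilers and interpreters reachable on a search path.
# TOOLS is an assumed starting list, not one given in the thread. bash is
# left out because /bin/sh is bash on Red Hat; add it on hosts where it can go.
TOOLS="gcc cc g++ as ld make perl python python3"

# find_tools PATHSTRING: print each listed tool that exists as an executable
# file in the colon-separated PATHSTRING, one full path per line.
find_tools() {
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        IFS=$old_ifs
        [ -n "$dir" ] || continue
        for tool in $TOOLS; do
            if [ -f "$dir/$tool" ] && [ -x "$dir/$tool" ]; then
                printf '%s\n' "$dir/$tool"
            fi
        done
    done
    IFS=$old_ifs
}

# owner_of FILE: print the RPM package that owns FILE, so the package (not
# just the binary) can be removed; "unowned" if rpm has no record of it.
owner_of() {
    if command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf --queryformat '%{NAME}\n' "$1" 2>/dev/null) || pkg=unowned
    else
        pkg=rpm-not-available
    fi
    printf '%s\n' "$pkg"
}

# audit PATHSTRING: print "path<TAB>package" per finding; return 1 if any.
audit() {
    found=$(find_tools "$1")
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found" | while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(owner_of "$f")"
    done
    return 1
}

# Stand-alone run: audit the current PATH (override with AUDIT_PATH).
audit "${AUDIT_PATH:-$PATH}" || echo "tools above are candidates for removal" >&2
```

Because `audit` returns non-zero when anything is found, it can be run from cron or a build check on the production image to catch a development package that was installed "for convenience".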