Wednesday, December 5, 2012

Restrictions: Compilers

Compilers and other development tools are both valuable and convenient to have on your system, and for some people they are a necessity. Most people suggest removing compilers and specific "Language Development" tools because once an attacker has access to them, it is easier for him to escalate privileges, write tools directly on your box, and then use your own compiler to compile them (a good number of rootkits have required the attacker to compile them on your system). Removing them is a great idea in a lot of circumstances, but not always. I personally have never removed my compilers and certain development tools; instead, I restrict access to them with file permissions.

First things first: query each individual package to see which binaries it contains. Please don't assume that you know where they all are, or which binaries are used by different tools and packages. Take the extra time to query them, then restrict ownership and permissions on those specific binaries:

codecult# rpm -q --filesbypkg gcc | grep 'bin'   
  gcc                                     /usr/bin/cc
  gcc                                    /usr/bin/gcc
  gcc                                   /usr/bin/gcov


...and so on. Using the package manager (rpm in this instance), I listed the files provided by gcc and used grep to show only those located in binary directories such as /bin, /usr/bin, etc. Now that you know where they are, create a special group that will be granted access to these compiler binaries, using the groupadd command. In my case:

codecult# groupadd gccgroup
 
Once that is done, change the ownership of the binaries you want to restrict. In my example I am changing the group to the one I just created, gccgroup:

codecult# chown root:gccgroup /usr/bin/gcc

Lastly, change the permissions so the binary is executable only by the root user and members of that "compiler group"; anyone outside the permitted users who attempts to run the gcc compiler will be denied permission. To make the binary executable only by root and members of gccgroup, I used the following:

  codecult# chmod 0750 /usr/bin/gcc
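
To confirm the steps above took effect on every binary the package ships, not just /usr/bin/gcc, the following audit is an added example and not part of the original post. The function names and the EXPECT_OWNER variable are hypothetical, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example, not from the original post. Requires GNU stat (coreutils).

# list_pkg_bins PKG: paths from an RPM package that sit in a */bin/ directory.
# Uses the same rpm query as the post, narrowed from grep 'bin' to '/bin/'.
list_pkg_bins() {
    rpm -q --filesbypkg "$1" | awk '$2 ~ /\/bin\// { print $2 }'
}

# audit_compilers GROUP FILE...
# Prints every file that is not owned by root (or $EXPECT_OWNER), not in GROUP,
# or that grants any permission to "other". Returns 1 if any such file exists.
audit_compilers() {
    group=$1; shift
    owner=${EXPECT_OWNER:-root}   # hypothetical override for unprivileged trials
    bad=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        # -L follows symlinks: /usr/bin/cc is often a link to gcc, and it is
        # the target's owner and mode that decide who can execute it.
        meta=$(stat -L -c '%U %G %a' "$f") || continue
        o=${meta%% *}; rest=${meta#* }; g=${rest%% *}; mode=${rest#* }
        case $mode in
            *0) other_ok=1 ;;   # last octal digit 0: no access for "other"
            *)  other_ok=0 ;;
        esac
        if [ "$o" != "$owner" ] || [ "$g" != "$group" ] || [ "$other_ok" -ne 1 ]; then
            echo "NOT RESTRICTED: $f ($o:$g mode $mode)"
            bad=1
        fi
    done
    return "$bad"
}

# Usage on the system from the post:
#   audit_compilers gccgroup $(list_pkg_bins gcc)
```

Running the audit again after a gcc package update shows whether the upgrade put back the packaged ownership and mode.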

 
