[geeks] Compilers - safe on servers?

Jonathan C. Patschke jp at celestrion.net
Mon Mar 2 23:53:14 CST 2009


On Mon, 2 Mar 2009, Mark Benson wrote:

> The problem with *that* is I was always led to believe this was a bad
> idea on production servers because in the event of a security breach the
> gcc compiler could be used to compile malicious code.

Unless there's an opcode-specific or timing-specific attack for your
platform (i.e., UltraSPARC-I, Pentium IV + HT), a compiler isn't all that
much more dangerous than an interpreter such as Ruby, Perl, etc.  The
danger isn't so much in that there's magic in the compiler but that
compilers and interpreters provide a vector for your machine to execute
arbitrary code, if there's a way for someone to get a shell on (or inject
shellcode into) your system.

As a personal anecdote, the majority of the nasty tools I've seen while
cleaning up people's Unix disasters have been Perl scripts.

-- 
Jonathan Patschke ( "They don't have the right to read a book out loud."
Elgin, TX         (                  --Paul Aiken
USA               (                    Executive Director, Authors Guild


