# Is there A Reliable Way to Restrict the Use of the Compiler?

## biergaizi

Gentoo works well on webservers, especially since it provides PaX/grsecurity protection against more attacks.

But I wonder if there is a way to restrict the use of compilers. I'm not going to remove the compiler from the system (a.k.a. destroy Portage), but I just want users from a trusted group to use it. On a multi-user shared public server, it's best to disallow untrusted users from using the compiler. I know, I can set the group of the compilers to "compilers", and set the permissions to 660. But since Gentoo uses a general way (gcc-config), it generates a lot of wrappers and modifies $PATH, so it is difficult for me to figure out what exactly I should do.

Does anyone have some tricks and tips for me?

----------

## Apheus

Can you use noexec /home mount and Trusted Path Execution instead? This does not restrict the compiler, but users will not be able to run their compiled programs. TPE is a section in the hardened kernel's setup.

----------

## biergaizi

 *Apheus wrote:*   

> Can you use noexec /home mount and Trusted Path Execution instead? This does not restrict the compiler, but users will not be able to run their compiled programs. TPE is a section in the hardened kernel's setup.

 

This system is used as a platform to do some light development for some users, NoExec the whole /home is too aggressive...

But thanks for the idea, a carefully configured TPE may be a solution.

----------

## szatox

 *Quote:*   

> This system is used as a platform to do some light development for some users, NoExec the whole /home is too aggressive...
> 
> But thanks for the idea, a carefully configured TPE may be a solution.

You could use e.g. /opt/bin as a location for user-developed binaries.

You would often see a directory like /home/user/bin/ anyway, so it can be a symlink to that /opt/bin restricted to only be usable by developers.

Or you could do that in a more enterprisey way: build a farm of single-purpose VMs. Isolate unrelated things from each other. Keep developers out of web servers, give them one for their exclusive use instead.

----------

## Hu

Bind mounts have their own value for exec/noexec and for ro/rw.  You could run the untrusted software in a mount namespace where every mount is at least one of ro or noexec.  Place the users in a mount namespace where they have a writable exec directory for their test work.  You could even arrange for the untrusted namespace to have unnecessary directories shadowed out with empty ones.  For example, bind mount /var/empty onto /usr/x86_64-pc-linux-gnu/gcc-bin.

----------
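A way to check the arrangement Hu describes, added here as an example and not posted by anyone in the thread: it reads a mount table in the format of /proc/self/mounts and lists every mount that is neither ro nor noexec, and tests whether the compiler directory has been mounted over. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mount table (format of /proc/self/mounts) against
# the rule "every mount is at least one of ro or noexec".

# Print mount point and options of every mount that is both writable and
# executable. Options are compared as whole tokens, so "errors=remount-ro"
# does not count as "ro". Reads the mount table on stdin.
rw_exec_mounts() {
    awk '{
        n = split($4, opt, ","); ro = 0; noexec = 0
        for (i = 1; i <= n; i++) {
            if (opt[i] == "ro") ro = 1
            if (opt[i] == "noexec") noexec = 1
        }
        if (!ro && !noexec) print $2, $4
    }'
}

# Succeed if directory $1 is itself a mount point in the table on stdin,
# i.e. something (such as /var/empty) has been bind mounted over it.
is_shadowed() {
    awk -v dir="$1" '$2 == dir { found = 1 } END { exit !found }'
}

# Constructed sample table for the untrusted namespace (not real output).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 ro,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /usr/x86_64-pc-linux-gnu/gcc-bin ext4 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# Audit a real table if a readable file is given, otherwise the sample.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    violations=$(rw_exec_mounts < "$1")
else
    violations=$(sample_mounts | rw_exec_mounts)
fi
echo "writable+exec mounts: ${violations:-none}"
```

Run inside the untrusted namespace with /proc/self/mounts as the argument; in the sample, /dev/shm is the mount that still allows both writing and executing.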

