Hardening ArchLinux against local exploit compilation

A few weeks back, I had the pleasure of pentesting a CentOS server (or was it Fedora?). Anyway, some creepy RPM-based distro. What really annoyed me was that I had real trouble compiling certain exploits for this machine, since I was unable to use gcc, autoconf, make and whatnot. I mean, OK, I've cross-compiled static binaries, but I don't really want to alert someone's IDS that binary shellcode was just transmitted over the Ethernet. That is a no-go. Script kiddies won't mind, but on the other hand, will script kiddies be able to compile static exploits?

Anyway, it annoyed the shit out of me, so I had two options:
- add another group, compiler (gid=15, like $rpm-based-crap does)
- use wheel

I've chosen wheel, because all my sudoer users have to be in wheel anyway, so you'd need an admin account to reach the compiler, and guess what, then you've got bigger problems than gcc.

ArchLinux

# pacman -Ql prints "pkgname /path" for every file a package owns; take the path column.
# Every regular file of the toolchain packages goes to group wheel with nothing left for "other".
for i in $( pacman -Q -l autoconf automake fakeroot bison flex m4 make patch pkg-config libtool binutils gcc gcc-libs | awk '{print $2}' ); do
    if [ ! -d "$i" ]; then      # leave directories (/usr/bin, /usr/lib, ...) traversable for everyone
        echo "$i"
        chgrp -R wheel "$i"
        chmod -R o= "$i"
    fi
done

ArchLinux (multilib)

# Same loop, with the multilib package names.
for i in $( pacman -Q -l autoconf automake fakeroot bison flex m4 make patch pkg-config libtool-multilib binutils-multilib gcc-multilib gcc-libs-multilib | awk '{print $2}' ); do
    if [ ! -d "$i" ]; then      # leave directories traversable for everyone
        echo "$i"
        chgrp -R wheel "$i"
        chmod -R o= "$i"
    fi
done

The package list differs a bit depending on what you've got installed (plain or multilib toolchain).
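As an added example, not the script from this post, here is the loop above reworked into an audit-and-fix script. It reads the same `pacman -Ql` listing, keeps paths with spaces intact, skips directories like the original, and has an audit-only mode that lists which toolchain files are still world-accessible, so you can check the result (or a fresh install) before and after applying the change. It assumes GNU coreutils (`stat -c`) and a wheel group. One deliberate deviation: gcc-libs is left out of the package list, because that package ships libgcc_s.so and libstdc++.so, which every dynamically linked C++ program on the box loads at runtime; taking "other" away from those breaks such programs for every non-wheel user, not just for people trying to compile.

```shell
#!/bin/sh
# Audit and restrict world access to toolchain files, driven by the
# "pkgname /path" lines that `pacman -Ql` prints for each package.
# Added example, not the original post's script. Assumes GNU coreutils
# (stat -c) and an existing wheel group.

# Build and toolchain packages to lock down (the multilib variants are
# libtool-multilib, binutils-multilib and gcc-multilib). gcc-libs is left out
# on purpose: it ships libgcc_s.so and libstdc++.so, which every dynamically
# linked C++ program loads at runtime, so removing "other" from it would
# break those programs for every non-wheel user.
TOOLCHAIN_PKGS="autoconf automake fakeroot bison flex m4 make patch pkg-config libtool binutils gcc"

# Read "pkg /path" lines on stdin and print the regular files that still grant
# any permission bit to "other". read(1) keeps a path containing spaces whole,
# which `for i in $(...)` would split into pieces.
world_accessible() {
    while read -r pkg path; do
        [ -n "$path" ] && [ -f "$path" ] || continue   # skip dirs, dangling links
        case $(stat -c '%a' "$path") in               # octal mode, e.g. 755 or 4755
            *0) ;;                                    # last digit is "other": nothing set
            *)  printf '%s\n' "$path" ;;
        esac
    done
    return 0
}

# Apply the post's fix to every regular file listed on stdin: owning group $1,
# no permissions for "other". Directories are skipped, as in the original loop:
# /usr/bin and /usr/lib must stay traversable for everyone.
restrict_to_group() {
    group=$1
    while read -r pkg path; do
        [ -n "$path" ] && [ -f "$path" ] || continue
        chgrp "$group" "$path"
        chmod o= "$path"
    done
    return 0
}

# Run directly as root: "audit" lists offenders, "apply" fixes them.
case ${1:-} in
    audit) pacman -Ql $TOOLCHAIN_PKGS | world_accessible ;;
    apply) pacman -Ql $TOOLCHAIN_PKGS | restrict_to_group wheel ;;
esac
```

Save it under any name (say `lockdown.sh`, a hypothetical filename), run `sh lockdown.sh audit` as root to see what is still open, then `sh lockdown.sh apply`, and run the audit once more; it should print nothing. Re-run the audit after a `pacman -Syu` that touches the toolchain, since package upgrades reinstall files with their packaged permissions.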

I am NOT responsible if you break your system or if you get erectile dysfunction.

Enjoy.

Flattr me!

Tell your friends!