
Why remove compilers from your system?


The risks of having a compiler installed

A compiler is a toolkit that turns source code into executable code, on Linux often in the ELF format. Malicious software might use the compiler to create a binary, a backdoor, or even a Linux kernel module. Sometimes the attacker needs to compile the code so that it matches the system and the right kernel. By removing the compiler, you make it harder to build a malicious piece of binary code on the system.

While a determined person might have alternative ways to get a compiler onto the system, it will take additional time and effort. Another possibility is that the attacker can only write to parts of the file system that are not executable, which makes it even harder. For that reason, it is also a good idea to shield the basic binary paths where possible. For example, do not allow PHP software to execute system commands if that is not needed for basic functionality.

Does my system really get much more secure when removing compilers?

Just removing the compiler does not make the system an order of magnitude more secure. Combined with other security measures, it is one part of a layered approach to security. Each layer adds a bit more security and makes the chance of compromise smaller.

Benefits of removing compilers

Attack surface

One of the security measures one can take is limiting installed software and active services. Everything that is not installed or running can’t be misused. In security terms this is called reducing the attack surface of a system. By removing any compilers that are not needed for the functioning of the system, the attack surface of the system is reduced.

Less overhead

Another benefit of removing any unneeded software, including compilers, is a smaller footprint of the system. Fewer packages on the system also means less space used on the disk. Any backup of the disk will be smaller and therefore quicker to search or restore when needed. A package that is not installed also does not require any updating, which saves time and bandwidth.

What can be done if you still need a compiler?

Sometimes you simply need a compiler available, as it is required for things like virtual machine guest tools. If that is the case, then one thing to consider is limiting access to the root user or an admin group. Remove the world-readable bit from the binary:

chmod 700 /usr/bin/gcc
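
To verify that the restriction is in place, the following check lists compilers that other users can still read or run. It is an added example, not part of the original article; the `COMPILER_NAMES` list, the function name `find_open_compilers` and the scanned directories are assumptions, and it relies on GNU `stat` and `readlink`.

```shell
#!/bin/sh
# Added example: report compiler binaries that "others" can still read or run.
# COMPILER_NAMES is an assumed candidate list; extend it for your distribution.
COMPILER_NAMES="gcc g++ cc c++ clang clang++ as ld tcc"

# Usage: find_open_compilers DIR...
# Prints one line per compiler whose real file has the read or execute bit
# set for others (octal mask 005). Requires GNU stat and readlink.
find_open_compilers() {
    for dir in "$@"; do
        for name in $COMPILER_NAMES; do
            path="$dir/$name"
            [ -e "$path" ] || continue
            # /usr/bin/gcc is often a symlink to a versioned binary;
            # the permissions that matter are those of the resolved target.
            target=$(readlink -f "$path") || continue
            [ -f "$target" ] || continue
            mode=$(stat -c '%a' "$target")
            owner=$(stat -c '%U:%G' "$target")
            # The leading 0 makes the shell read the mode as octal.
            if [ $(( 0$mode & 005 )) -ne 0 ]; then
                printf '%s -> %s mode=%s owner=%s\n' \
                    "$path" "$target" "$mode" "$owner"
            fi
        done
    done
    return 0
}

# Scan the usual binary directories when the script is run directly.
find_open_compilers /usr/bin /usr/local/bin
```

A file that others can read but not execute is still reported, because it can be copied to a writable location and made executable there.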


This article has been written by our Linux security expert Michael Boelen. With a focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
