From: Gregory Bond
Sender: gnb@itga.com.au
To: Paul Smith
cc: freebsd-stable@freebsd.org
Subject: Re: Hardening production servers
Date: Wed, 09 Jul 2003 12:29:21 +1000
Message-Id: <200307090229.MAA09700@lightning.itga.com.au>
In-reply-to: Your message of Tue, 08 Jul 2003 20:29:43 -0500.
List-Id: Production branch of FreeBSD source code

paul@cnt.org said:
> Say a system like this were put into place to support existing
> production servers. What's the cleanest/most elegant/least
> destabilizing way to remove the compiler tools on those machines?

It's not supported out of the box as far as I can see. One approach is like this:

- Add a new variable NO_COMPILERS to /etc/make.conf on all the client machines.
- Go through the Makefiles and add code to drop the compiler tools if this variable is defined. Look for example at how NO_CVS is implemented in src/gnu/usr.bin/Makefile and work from that.
- You'll have to manually rm the tools from the existing client machines, as this change won't delete old ones; it'll just not install new ones.
- You might like to also define NOINSTALLLIB and NOPROFILE in the client make.conf to not install all the .a and _p.a libraries (see /usr/share/mk/bsd.lib.mk).

Even easier might be to maintain a list of files you don't want on the client machines and then rm them after every installworld (you could automate this in the /usr/src/Makefile).
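As an added example (not part of the mail above, nor FreeBSD's own build code), the "keep a list of files and rm them after installworld" approach as a small POSIX sh helper: it removes the listed paths under a given root, refusing relative or `..` entries, and then verifies that no common toolchain binary remains. The list-file location and the toolchain names are assumptions.

```shell
#!/bin/sh
# Added example: strip a listed toolchain after installworld and verify.
# List-file path and TOOLCHAIN_BINS are assumptions, not FreeBSD defaults.

# remove_listed_files ROOT LISTFILE
# Removes each absolute path listed (one per line) beneath ROOT.
# Blank lines and '#' comments are ignored; relative paths and paths
# containing '..' are skipped so a bad list cannot escape ROOT.
remove_listed_files() {
    root="$1"; list="$2"
    while IFS= read -r path; do
        case "$path" in
            ''|'#'*) continue ;;                       # blank or comment
            *..*) echo "skip (contains ..): $path" >&2; continue ;;
            /*) ;;                                     # absolute: accepted
            *) echo "skip (not absolute): $path" >&2; continue ;;
        esac
        if [ -e "$root$path" ] || [ -L "$root$path" ]; then
            rm -f "$root$path" && echo "removed $root$path"
        fi
    done < "$list"
}

# Binaries whose presence means a compiler toolchain is still installed.
# Constructed list; extend it for your installation.
TOOLCHAIN_BINS="cc c++ gcc g++ cpp as ld"

# check_no_compilers ROOT
# Returns 0 if none of TOOLCHAIN_BINS exist under ROOT/usr/bin,
# 1 otherwise, naming each one still present on stderr.
check_no_compilers() {
    root="$1"; found=0
    for b in $TOOLCHAIN_BINS; do
        if [ -e "$root/usr/bin/$b" ] || [ -L "$root/usr/bin/$b" ]; then
            echo "still present: $root/usr/bin/$b" >&2
            found=1
        fi
    done
    return $found
}

# Typical use as root after installworld, with an assumed list file:
#   remove_listed_files / /etc/no-compilers.list && check_no_compilers /
```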