Should You Install Development Tools on Production Hosts?

24311688

Every once in a while I get sucked back into the age-old system administrator religious argument: should you install development tools on a production host?

There are basically two schools of thought:

Yes, if you need them. Despite the production nature of the host there are times where you might want to build software, perhaps something like the VMware Tools kernel modules on a Linux server, and having them helps a lot. They don’t take up much space and it’s nice to keep all your hosts identical.

No, absolutely not. “Development” tools should only be on hosts that are for “development.” Build a software lifecycle management system to move everything from development to test to production. The presence of compilers means that malicious users can build software if the machine is compromised. It increases disk space used and increases effort needed to update the OS.

I hate this question and the ensuing argument because neither is right or wrong. There is something to be said for keeping all your hosts the same, but there’s also something to be said for using a tool like Chef to automate & document those sorts of customizations. Sometimes it’s nice to have the option to build software, even in production, and even as part of your software lifecycle (especially Perl modules). Sometimes you don’t need a complex system to move things from development to production. But sometimes you do. And I’ve seen a number of break-ins where a compiler was used to build an executable from a text file deposited in /tmp. Perhaps it’s all more of a function of how big your operation is.

So what’s my answer? In this particular case the person asking the question was keeping compilers off production hosts because developers were making unauthorized changes there. The only comment I had was something a friend told me many years ago: “you can’t fix a people problem with technology.”

Though, now that I think about it tasers probably count as technology… :)

Comments on this entry are closed.

  • Some products, like Oracle database, require gcc and other development tools in order for Oracle to be successfully installed or patched.

    You just leverage mitigating controls like user accounts, groups, ACLs, SElinux, etc to manage access to said tools.

  • you shouldn’t compile anything on your production servers, especially not as root. you should compile on a trusted host, build packages, and deploy via puppet or chef. also, your systems should only accept signed packages. your build environment should have use policies that require verification of source checksums and signatures to make sure you are compiling the code you intend to compile.

    obviously there are caveats for things like oracle, as listed above.