AIX

Thanks for the response guys!

This gonna be in production and this will hit audit, our concern was what is the best way to avoid having a c/c++ compiler in production?

That depends what you need to do in production... If you're asking how to deploy software without compiling it, you could prepare installable packages of executables from your software on the development and deploy them to production instead of compiling them on production.

Yes, our intention is to do that (have them compile on DEV and then deploy on PROD), but application team is emphasizing on having a compiler on prod system saying they are in to critical phase and want to lock down the compiler to a particular user instead of removing it from server.

I'd be tempted to just make them compile on dev, rather than polluting production with extra things from dev.

You could compromise by giving them what I suspect they really need -- the ability to modify production with last-minute changes. NFS-map a few folders from production into dev so it's less of a round-trip to make fixes.

Installing a compiler in the first place adds tons of things which might not clean up well. Customizing it could make that worse.

Very true, that is our fear, what if someone goes and poke his nose around code at the last moment.

And again it seems like there is no way I can limit the c/c++ compiler access to a particular user or lock it down.

Having a compiler does not create that risk. If user1 and user2 can both run cp command, does that mean user2 can copy user1's files? Not necessarily.

So the issue isn't the compiler, it's about having the code on the production server at all.

I see no reason the code has to be on the production server. I don't see why a compiler needs to be either. Get them to give you a good reason they can't just NFS-mount a folder to copy executables for convenient testing.

Agreed.

If the developers claim to NEED a compiler on the production system is true, they're not testing their code enough.

Not only that, compiling code on a production server means the binaries on that server have never been tested. Running "./configure; make; make install" is not how to repeatably deploy reliable, tested software.