3.6. Install the minimum amount of software required
Debian comes with a lot of software: for example, the Debian 3.0 woody release includes 6 or 7 (depending on architecture) CD-ROMs of software and thousands of packages, and the Debian 3.1 sarge release ships with around 13 CD-ROMs of software. With so much software, and even if the base system installation is quite reduced, you might get carried away and install more than is really needed for your system.
Since you already know what the system is for (don't you?) you should only install software that is really needed for it to work. Any unnecessary tool that is installed might be used by a user that wants to compromise the system or by an external intruder that has gotten shell access (or remote code execution through an exploitable service).
The presence, for example, of development utilities (a C compiler) or interpreted languages (such as perl - but see below -, python, tcl...) may help an attacker compromise the system even further:
Of course, an intruder with local shell access can download his own set of tools and execute them, and even the shell itself can be used to make complex programs. Removing unnecessary software will not help prevent the problem but will make it slightly more difficult for an attacker to proceed (and some might give up in this situation looking for easier targets). So, if you leave tools in a production system that could be used to remotely attack systems (see Section 8.1, “Remote vulnerability assessment tools”) you can expect an intruder to use them too if available.
Please note that a default installation of Debian sarge (i.e. an installation where no individual packages are selected) will install a number of development packages that are not usually needed. This is because some development packages are of Standard priority. If you are not going to do any development you can safely remove the following packages from your system, which will also help free up some space:
Package                       Size
------------------------+-----------
gdb                       2,766,822
gcc-3.3                   1,570,284
dpkg-dev                    166,800
libc6-dev                 2,531,564
cpp-3.3                   1,391,346
manpages-dev              1,081,408
flex                        257,678
g++                           1,384 (Note: virtual package)
linux-kernel-headers      1,377,022
bin86                        82,090
cpp                          29,446
gcc                           4,896 (Note: virtual package)
g++-3.3                   1,778,880
bison                       702,830
make                        366,138
libstdc++5-3.3-dev          774,982
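To check which of the packages in the table are still present on a system, the following added example (not part of the original manual) filters package status lines against that list. The function name and the sample status lines are constructed for illustration; the input format is the one printed by dpkg-query with the format string shown in the comments.

```shell
#!/bin/sh
# Added example: which development packages from the table are still present?
# Package names are the sarge-era names listed on this page.
DEV_PACKAGES="gdb gcc-3.3 dpkg-dev libc6-dev cpp-3.3 manpages-dev flex g++ \
linux-kernel-headers bin86 cpp gcc g++-3.3 bison make libstdc++5-3.3-dev"

# Reads "<package> <want> <error> <state>" lines on stdin, the shape printed by
#   dpkg-query -W -f='${Package} ${Status}\n'
# and prints, sorted, every listed package that still has files on disk.
# States "not-installed" and "config-files" (removed but not purged) are
# skipped; "installed", "unpacked", "half-installed" etc. are reported.
installed_dev_packages() {
    awk -v list="$DEV_PACKAGES" '
        BEGIN {
            n = split(list, names, " ")
            for (i = 1; i <= n; i++) listed[names[i]] = 1
        }
        NF >= 4 && ($1 in listed) && $4 != "not-installed" && $4 != "config-files" {
            print $1
        }
    ' | LC_ALL=C sort
}

# Constructed sample input (not taken from a real system).
sample_status() {
    cat <<'EOF'
gdb install ok installed
gcc-3.3 install ok unpacked
make deinstall ok config-files
flex purge ok not-installed
perl-base install ok installed
bison install ok installed
EOF
}

echo "Development packages still present:"
sample_status | installed_dev_packages
# On a live system, feed the function real data instead:
#   dpkg-query -W -f='${Package} ${Status}\n' | installed_dev_packages
```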
You must take into account that removing perl might not be too easy (as a matter of fact it can be quite difficult) in a Debian system since it is used by many system utilities. Also, perl-base is Priority: required (that about says it all). It's still doable, but you will not be able to run any perl application in the system; you will also have to fool the package management system into thinking that perl-base is installed even if it's not.
Which utilities use perl? You can see for yourself:
$ for i in /bin/* /sbin/* /usr/bin/* /usr/sbin/*; do [ -f "$i" ] && {
type=$(file "$i" | grep -il perl); [ -n "$type" ] && echo "$i"; }; done
These include the following utilities in packages with priority required or important:
/usr/bin/chkdupexe of package util-linux.
/usr/bin/replay of package bsdutils.
/usr/sbin/cleanup-info of package dpkg.
/usr/sbin/dpkg-divert of package dpkg.
/usr/sbin/dpkg-statoverride of package dpkg.
/usr/sbin/install-info of package dpkg.
/usr/sbin/update-alternatives of package dpkg.
/usr/sbin/update-rc.d of package sysvinit.
/usr/bin/grog of package groff-base.
/usr/sbin/adduser of package adduser.
/usr/sbin/debconf-show of package debconf.
/usr/sbin/deluser of package adduser.
/usr/sbin/dpkg-preconfigure of package debconf.
/usr/sbin/dpkg-reconfigure of package debconf.
/usr/sbin/exigrep of package exim.
/usr/sbin/eximconfig of package exim.
/usr/sbin/eximstats of package exim.
/usr/sbin/exim-upgrade-to-r3 of package exim.
/usr/sbin/exiqsumm of package exim.
/usr/sbin/keytab-lilo of package lilo.
/usr/sbin/liloconfig of package lilo.
/usr/sbin/lilo_find_mbr of package lilo.
/usr/sbin/syslogd-listfiles of package sysklogd.
/usr/sbin/syslog-facility of package sysklogd.
/usr/sbin/update-inetd of package netbase.
So, without Perl, and unless you rewrite these utilities in shell script, you will probably not be able to manage any packages (so you will not be able to upgrade the system, which is not a Good Thing).
If you are determined to remove Perl from the Debian base system, and you have spare time, submit bug reports against the packages listed above, including (as a patch) replacements for the utilities above written in shell script.
If you wish to check out which Debian packages depend on Perl you can use
$ grep-available -s Package,Priority -F Depends perl
or
$ apt-cache rdepends perl