3.6. Install the minimum amount of software required

Debian comes with a lot of software, for example the Debian 3.0 woody release includes 6 or 7 (depending on architecture) CD-ROMs of software and thousands of packages, and the Debian 3.1 sarge release ships with around 13 CD-ROMs of software. With so much software, and even if the base system installation is quite reduced [6] you might get carried away and install more than is really needed for your system.

You already know what the system is for (don't you?), so you should install only the software that is really needed. Any extra tool installed could be used by a user attempting to compromise the system, or by an external intruder who has gained shell access (or remote code execution through an exploitable service).

For example, development tools (a C compiler) or interpreted languages (such as perl, python, tcl..., perl is discussed further below) can help an attacker compromise the system even further:

  • allowing him to escalate privileges. It is very easy, for example, to run and debug local exploits on the system if a debugger and a compiler are installed!

  • providing tools that could help the attacker to use the compromised system as a base of attack against other systems. [7]

Of course, an intruder with local shell access can download his own set of tools and execute them, and even the shell itself can be used to write complex programs. Removing unnecessary software will not prevent the problem, but it will make it harder for an intruder to proceed (and some may give up and look for easier targets). Therefore, if you install tools that can be used for remote attacks on a production system (see Section 8.1, "Remote vulnerability assessment tools"), do not expect an intruder not to use them.

Please notice that a default installation of Debian sarge (i.e. an installation where no individual packages are selected) will install a number of development packages that are not usually needed. This is because some development packages are of Standard priority. If you are not going to do any development you can safely remove the following packages from your system, which will also help free up some space:

  Package                 Size
  ------------------------+--------
  gdb                     2,766,822
  gcc-3.3                 1,570,284
  dpkg-dev                  166,800
  libc6-dev               2,531,564
  cpp-3.3                 1,391,346
  manpages-dev            1,081,408
  flex                      257,678
  g++                         1,384 (Note: virtual package)
  linux-kernel-headers    1,377,022
  bin86                      82,090
  cpp                        29,446
  gcc                         4,896 (Note: virtual package)
  g++-3.3                 1,778,880
  bison                     702,830
  make                      366,138
  libstdc++5-3.3-dev        774,982

This is something that is fixed in releases post-sarge, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=301273 and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=301138. Due to a bug in the installation system this did not happen when installing with the installation system of the Debian 3.0 woody release.

3.6.1. Removing Perl

You must take into account that removing perl might not be too easy (as a matter of fact it can be quite difficult) in a Debian system since it is used by many system utilities. Also, the perl-base is Priority: required (that about says it all). It’s still doable, but you will not be able to run any perl application in the system; you will also have to fool the package management system to think that the perl-base is installed even if it’s not. [8]

Which programs use Perl? You can see for yourself by running the following command:

  $ for i in /bin/* /sbin/* /usr/bin/* /usr/sbin/*; do [ -f "$i" ] && {
  type=`file "$i" | grep -il perl`; [ -n "$type" ] && echo "$i"; }; done

These include the following programs in packages with priority required or important:

  • /usr/bin/chkdupexe of package util-linux.

  • /usr/bin/replay of package bsdutils.

  • /usr/sbin/cleanup-info of package dpkg.

  • /usr/sbin/dpkg-divert of package dpkg.

  • /usr/sbin/dpkg-statoverride of package dpkg.

  • /usr/sbin/install-info of package dpkg.

  • /usr/sbin/update-alternatives of package dpkg.

  • /usr/sbin/update-rc.d of package sysvinit.

  • /usr/bin/grog of package groff-base.

  • /usr/sbin/adduser of package adduser.

  • /usr/sbin/debconf-show of package debconf.

  • /usr/sbin/deluser of package adduser.

  • /usr/sbin/dpkg-preconfigure of package debconf.

  • /usr/sbin/dpkg-reconfigure of package debconf.

  • /usr/sbin/exigrep of package exim.

  • /usr/sbin/eximconfig of package exim.

  • /usr/sbin/eximstats of package exim.

  • /usr/sbin/exim-upgrade-to-r3 of package exim.

  • /usr/sbin/exiqsumm of package exim.

  • /usr/sbin/keytab-lilo of package lilo.

  • /usr/sbin/liloconfig of package lilo.

  • /usr/sbin/lilo_find_mbr of package lilo.

  • /usr/sbin/syslogd-listfiles of package sysklogd.

  • /usr/sbin/syslog-facility of package sysklogd.

  • /usr/sbin/update-inetd of package netbase.

So, without Perl, unless you rewrite these utilities in shell script, you will not be able to manage any packages (and therefore you will not be able to upgrade the system, which is not a good thing).

If you are determined to remove Perl from the Debian base system, and you have spare time, submit bug reports to the packages above including shell script replacements for these utilities (as patches).

If you wish to check out which Debian packages depend on Perl you can use

  $ grep-available -s Package,Priority -F Depends perl

or

  $ apt-cache rdepends perl
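The file(1) loop above and the rdepends query both show which installed programs need perl. As an added example (not part of the Securing Debian Manual), the following POSIX sh functions do the same inventory by reading each executable's #! line directly, and cover python and tcl as well as perl, so all the interpreters named earlier in this section can be reviewed before one of them is removed; the function names and the sample usage in the comments are assumptions.

```shell
#!/bin/sh
# Added example: inventory of interpreted scripts before removing an interpreter.
# Usage (assumed): find_interpreted_scripts /bin /sbin /usr/bin /usr/sbin
# Each output line is "<interpreter> <path>"; feed the path to "dpkg -S" to
# learn the owning package, as the list in the manual does.

# Resolve the interpreter name from a "#!" line: strips the directory and,
# for "#!/usr/bin/env perl", takes the word after env.
interp_of_shebang() {
    line=${1#\#!}
    set -- $line                    # split on whitespace: $1 = interpreter path
    name=${1##*/}                   # basename of the interpreter
    if [ "$name" = env ] && [ $# -ge 2 ]; then
        name=${2##*/}
    fi
    printf '%s\n' "$name"
}

# Print "<interpreter> <path>" for every regular file in the given
# directories whose #! line names perl, python or tcl (tclsh/wish),
# versioned interpreters such as perl5.8 or python2.3 included.
find_interpreted_scripts() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            # Read only the start of the file; compiled binaries and scripts
            # without a #! line are skipped.
            first=$(head -c 256 "$f" 2>/dev/null | head -n 1)
            case "$first" in
                '#!'*) ;;
                *) continue ;;
            esac
            name=$(interp_of_shebang "$first")
            case "$name" in
                perl*|python*|tclsh*|wish*) printf '%s %s\n' "$name" "$f" ;;
            esac
        done
    done
}
```

Unlike the file(1) loop, this only catches scripts whose interpreter line names the language, not compiled programs that embed perl, so use it alongside the rdepends check rather than instead of it.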

[6] For example, in Debian woody it is around 400-500 Mbs, try this:

  $ size=0
  $ for i in `grep -A 1 -B 1 "^Section: base" /var/lib/dpkg/available |
  grep -A 2 "^Priority: required" |grep "^Installed-Size" |cut -d : -f 2
  `; do size=$(($size+$i)); done
  $ echo $size
  47762

[7] Many intrusions are made just to get access to resources to do illegitimate activity (denial of service attacks, spam, rogue ftp servers, dns pollution…) rather than to obtain confidential data from the compromised system.

[8] You can make (on another system) a dummy package with equivs.