Product SiteDocumentation Site

3.6. Install the minimum amount of software required

Debian comes with a lot of software, for example the Debian 3.0 woody release includes 6 or 7 (depending on architecture) CD-ROMs of software and thousands of packages, and the Debian 3.1 sarge release ships with around 13 CD-ROMs of software. With so much software, and even if the base system installation is quite reduced [6] you might get carried away and install more than is really needed for your system.
Since you already know what the system is for (don't you?) you should only install software that is really needed for it to work. Any unnecessary tool that is installed might be used by a user that wants to compromise the system or by an external intruder that has gotten shell access (or remote code execution through an exploitable service).
The presence, for example, of development utilities (a C compiler) or interpreted languages (such as perl - but see below -, python, tcl...) may help an attacker compromise the system even further:
Of course, an intruder with local shell access can download his own set of tools and execute them, and even the shell itself can be used to make complex programs. Removing unnecessary software will not help prevent the problem but will make it slightly more difficult for an attacker to proceed (and some might give up in this situation looking for easier targets). So, if you leave tools in a production system that could be used to remotely attack systems (see Section 8.1, “Remote vulnerability assessment tools”) you can expect an intruder to use them too if available.
Please notice that a default installation of Debian sarge (i.e. an installation where no individual packages are selected) will install a number of development packages that are not usually needed. This is because some development packages are of Standard priority. If you are not going to do any development you can safely remove the following packages from your system, which will also help free up some space:
Package                    Size
------------------------+--------
gdb                     2,766,822
gcc-3.3                 1,570,284
dpkg-dev                  166,800
libc6-dev               2,531,564
cpp-3.3                 1,391,346
manpages-dev            1,081,408
flex                      257,678
g++                         1,384 (Note: virtual package)
linux-kernel-headers    1,377,022
bin86                      82,090
cpp                        29,446
gcc                         4,896 (Note: virtual package)
g++-3.3                 1,778,880
bison                     702,830
make                      366,138
libstdc++5-3.3-dev        774,982
This is something that is fixed in releases post-sarge, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=301273 and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=301138. Due to a bug in the installation system this did not happen when installing with the installation system of the Debian 3.0 woody release.

3.6.1. Removing Perl

You must take into account that removing perl might not be too easy (as a matter of fact it can be quite difficult) in a Debian system since it is used by many system utilities. Also, the perl-base is Priority: required (that about says it all). It's still doable, but you will not be able to run any perl application in the system; you will also have to fool the package management system to think that the perl-base is installed even if it's not. [8]
Which utilities use perl? You can see for yourself:
  $ for i in /bin/* /sbin/* /usr/bin/* /usr/sbin/*; do [ -f $i ] && {
  type=`file $i | grep -il perl`; [ -n "$type" ] && echo $i; }; done
These include the following utilities in packages with priority required or important:
  • /usr/bin/chkdupexe of package util-linux.
  • /usr/bin/replay of package bsdutils.
  • /usr/sbin/cleanup-info of package dpkg.
  • /usr/sbin/dpkg-divert of package dpkg.
  • /usr/sbin/dpkg-statoverride of package dpkg.
  • /usr/sbin/install-info of package dpkg.
  • /usr/sbin/update-alternatives of package dpkg.
  • /usr/sbin/update-rc.d of package sysvinit.
  • /usr/bin/grog of package groff-base.
  • /usr/sbin/adduser of package adduser.
  • /usr/sbin/debconf-show of package debconf.
  • /usr/sbin/deluser of package adduser.
  • /usr/sbin/dpkg-preconfigure of package debconf.
  • /usr/sbin/dpkg-reconfigure of package debconf.
  • /usr/sbin/exigrep of package exim.
  • /usr/sbin/eximconfig of package exim.
  • /usr/sbin/eximstats of package exim.
  • /usr/sbin/exim-upgrade-to-r3 of package exim.
  • /usr/sbin/exiqsumm of package exim.
  • /usr/sbin/keytab-lilo of package lilo.
  • /usr/sbin/liloconfig of package lilo.
  • /usr/sbin/lilo_find_mbr of package lilo.
  • /usr/sbin/syslogd-listfiles of package sysklogd.
  • /usr/sbin/syslog-facility of package sysklogd.
  • /usr/sbin/update-inetd of package netbase.
So, without Perl and, unless you remake these utilities in shell script, you will probably not be able to manage any packages (so you will not be able to upgrade the system, which is not a Good Thing).
If you are determined to remove Perl from the Debian base system, and you have spare time, submit bug reports to the previous packages including (as a patch) replacements for the utilities above written in shell script.
If you wish to check out which Debian packages depend on Perl you can use
$ grep-available -s Package,Priority -F Depends perl
or
$ apt-cache rdepends perl


[6] For example, in Debian woody it is around 400-500 Mbs, try this:
  $ size=0
  $ for i in `grep -A 1 -B 1 "^Section: base" /var/lib/dpkg/available |
  grep -A 2 "^Priority: required" |grep "^Installed-Size" |cut -d : -f 2
  `; do size=$(($size+$i)); done
  $ echo $size
  47762
[7] Many intrusions are made just to get access to resources to do illegitimate activity (denial of service attacks, spam, rogue ftp servers, dns pollution...) rather than to obtain confidential data from the compromised system.
[8] You can make (on another system) a dummy package with equivs.