
Re: Debian Installation experience



On Tue, 8 Jul 1997, Alexander Kjeldaas wrote:

> On Tue, 8 Jul 1997, Craig Sanders wrote:
> 
> > On Sun, 6 Jul 1997, Alexander Kjeldaas wrote:
> > 
> > > Is it a goal for debian not to require perl? I don't think so - and
> > > that is one of the things I don't like with debian. It seems that
> > > debian is infested with perlism. There are "smart" perl-scripts doing
> > > all sorts of things.
> > 
> > perl is no less secure than sh + sed + awk + cut + (all the other useful
> > unix utilities). anything you can do in perl you can do with those tools
> > too, but not quite as easily (for some things, a shell script is easier
> > than perl).
> 
> You are just plain wrong. Perl has syscall which makes it possible to do
> _anything_.  You can't do _anything_ with sed. As for awk - I don't use
> it. 

I said "sh + sed + awk + cut + (all the other useful unix
utilities)"...i.e. i was referring to them as a suite of useful &
related tools to be used in combination with each other - name one thing
that perl can do which these tools can not.

to paraphrase you: "sh can execute arbitrary programs, which makes it
possible to do _anything_".

sed is not usually used in isolation. it is usually used as part of a sh
script. if you have a shell then you can do basically anything that perl
can do.

> > > I don't want powerful interpreters on my system and definitively not

I presume that you are not so excessively paranoid as to remove /bin/sh
- please explain to me how bash or sh or csh is NOT a "powerful
interpreter".

> > > compilers - I regard them as a security risk since I want to set
> > > up my systems so that they do not accept the introduction of new
> > > executables (mounting noexec, nodev, read-only etc). It doesn't seem
> > > to be possible to do that with debian yet.
> > 
> > It's not possible to do that with ANY unix. If you give someone a login
> > shell and a text editor, or even just an ftp-only login then they can
> > create executables.
> 
> Please tell me how - given the following setup:
> 
> * All filesystems are read-only.  

then what is your problem?

if the filesystems are read-only or noexec then why are you so worried
about people creating new executables?  

BTW, you seem to be changing your story to suit your argument. At first
you said that "It doesn't seem to be possible to do that with debian
yet.", but the ultra-paranoid setup you describe can be done on any
unix.

> * (Re)mounting is disabled.
> * immutable-append-only are enforced by the kernel (i.e. you can't chmod
>   them away).  
> * /var is _not_ read-only, but noexec, nodev.  
> * all directories in /var are immutable - log-files are append-only. 
> * No compiler, no advanced scripting languages available, no debugger, no
>   dynamically linked executables.  
> * Read-only access to /proc
> * No direct access to devices.
> 
> (the above are _some_ of the stuff we do on our linux-distribution)


> > even that won't find plain text files which people can invoke like "perl
> > myprog.pl" or "sh myprog.sh".
> 
> I don't think you listen to me - I don't want powerful interpreters so
> perl doesn't _exist_ - you'll have to introduce it into the system first. 

i did read what you said.  I just think you are worrying about nothing.

also, you are not reading what I wrote - the references to "perl
myprog.pl" and "sh myprog.sh" were hypothetical examples showing why it
is pointless to search for files which have the execute bit set.

Whining about debian including perl is not at all productive.  If you don't
want perl, then don't install it.  simple as that.  it's your choice.

If there are some packages available for debian which use scripts
written in perl, then you are at perfect liberty to write your own
versions of the offending scripts in any language you choose. 

Just don't expect to be able to force every volunteer developer to cater
exclusively to your bizarre needs.

Debian is a general purpose linux distribution, providing a good
selection of the tools which are expected on any modern unix - if you
need it to be or do something truly weird then it is up to you to make
whatever modifications are necessary. If what you produce is good, then
feel free to contribute it back to the project for others to benefit
from your hard work.  *That* is how debian grows.

> > in other words, the only way to do it on any unix is to be vigilant, and
> > to make sure your users understand what they are and are not allowed to
> > do on your system.
> 
> You assume I have users on my systems - that isn't necessarily true.

so what are you so worried about?  If you don't have users on the system
then WHO, apart from you, is going to be installing extra programs?  Don't
you even trust yourself?

> Because if you want others to make "specialized" distributions they might
> not be interested in having the run-time system of a dozen languages on
> their system. If the distribution is 40MB you don't want that 20MB of that
> consists of slang, perl and java run-time support.

the base distribution is nowhere near 40mb in size.  you exaggerate wildly.

if you don't want perl, then don't install it. if you don't want gcc
then don't install it. if you don't want java or python then don't install
them. etc. this is such a simple and obvious point that I marvel at the
need to explain it to you. it is self-evident.

craig

--
craig sanders
networking consultant                  Available for casual or contract
temporary autonomous zone              system administration tasks.
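The locked-down setup quoted in this mail (read-only root, /var mounted noexec,nodev) is the kind of policy an administrator would want to audit rather than trust. The following script is an added example and is not part of the original thread or of any distribution mentioned in it: it reads lines in /proc/mounts format, compares each mountpoint against a hardening policy, and reports every required option that is missing. The policy table and the sample mount lines are constructed for the example, and the mountpoint names in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): audit mount options against a
# hardening policy of the kind described in the thread.

# policy_for MOUNTPOINT: print the comma-separated options that must be present.
# The table below is constructed for this example; adapt it to the real policy.
policy_for() {
    case "$1" in
        /)    echo "ro" ;;
        /usr) echo "ro" ;;
        /var) echo "rw,noexec,nodev" ;;
        *)    echo "" ;;          # no policy for other mounts
    esac
}

# has_opt OPTS NEEDLE: succeed if NEEDLE is one of the comma-separated OPTS.
# Wrapping both sides in commas avoids matching "nodev" inside "nodevfoo".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mounts: read /proc/mounts-format lines ("dev mnt fstype opts dump pass")
# on stdin and print one "<mountpoint> missing <opt>" line per violation.
# Returns 0 when every policed mount carries all required options, 1 otherwise.
# Note that noexec only blocks direct execution of files on that filesystem;
# it is a policy check, not a guarantee that nothing there can ever be run.
check_mounts() {
    status=0
    while read -r dev mnt fstype opts rest; do
        required=$(policy_for "$mnt")
        [ -z "$required" ] && continue
        old_ifs=$IFS
        IFS=,
        for need in $required; do
            IFS=$old_ifs
            if ! has_opt "$opts" "$need"; then
                printf '%s missing %s\n' "$mnt" "$need"
                status=1
            fi
        done
        IFS=$old_ifs
    done
    return $status
}

# Constructed sample of /proc/mounts output: /var lacks noexec on purpose.
SAMPLE_MOUNTS='/dev/hda1 / ext2 ro 0 0
/dev/hda2 /usr ext2 ro 0 0
/dev/hda3 /var ext2 rw,nodev 0 0
proc /proc proc ro 0 0'

# Run the audit on the sample; on a live system use: check_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | check_mounts || echo "policy violations found"
```

On the sample above the script prints `/var missing noexec` and exits non-zero; pointing it at the real `/proc/mounts` turns the quoted policy into a repeatable check that can run from cron or at boot.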

