Much has already been written about the recent bash security problem, allocated the CVE identifier CVE-2014-6271, so I'm not even going to touch it.
It did remind me to double-check my systems to make sure that I didn't have any packages installed that I didn't need though, because obviously having fewer packages installed and fewer services running reduces the potential attack surface.
I had noticed in the past I had python installed and just though "Oh, yeah, I must have python utilities running". It turns out though that on 16 out of 19 servers I control I had python installed solely for the lsb_release
script!
So I hacked up a horrible replacement for `lsb_release in pure shell, and then became cruel:
~ # dpkg --purge python python-minimal python2.7 python2.7-minimal lsb-release
That horrible replacement is horrible because it defers detection of all the names/numbers to the /etc/os-release
which wasn't present in earlier versions of Debian. Happily all my Debian GNU/Linux hosts run Wheezy or later, so it all works out.
So that left three hosts that had a legitimate use for Python:
- My mail-host runs
offlineimap
- So I purged it.
- I replaced it with isync.
- My host-machine runs KVM guests, via
qemu-kvm
.qemu-kvm
depends on Python solely for the script/usr/bin/kvm_stat
.- I'm not pleased about that but will tolerate it for now.
- The final host was my ex-mercurial host.
- Since I've switched to git I just removed tha package.
So now 1/19 hosts has Python installed. I'm not averse to the language, but given that I don't personally develop in it very often (read "once or twice in the past year") and by accident I had no python-scripts installed I see no reason to keep it on the off-chance.
My biggest surprise of the day was that now that we can use dash
as our default shell we still can't purge bash
. Since it is marked as Essential
. Perhaps in the future.
Tags: kvm, offlineimap, python 11 comments