About Archive Tags RSS Feed

 

Today I mostly removed python

25 September 2014 21:50

Much has already been written about the recent bash security problem, allocated the CVE identifier CVE-2014-6271, so I'm not even going to touch it.

It did remind me to double-check my systems to make sure that I didn't have any packages installed that I didn't need though, because obviously having fewer packages installed and fewer services running reduces the potential attack surface.

I had noticed in the past I had python installed and just though "Oh, yeah, I must have python utilities running". It turns out though that on 16 out of 19 servers I control I had python installed solely for the lsb_release script!

So I hacked up a horrible replacement for `lsb_release in pure shell, and then became cruel:

~ # dpkg --purge python python-minimal python2.7 python2.7-minimal lsb-release

That horrible replacement is horrible because it defers detection of all the names/numbers to the /etc/os-release which wasn't present in earlier versions of Debian. Happily all my Debian GNU/Linux hosts run Wheezy or later, so it all works out.

So that left three hosts that had a legitimate use for Python:

  • My mail-host runs offlineimap
    • So I purged it.
    • I replaced it with isync.
  • My host-machine runs KVM guests, via qemu-kvm.
    • qemu-kvm depends on Python solely for the script /usr/bin/kvm_stat.
    • I'm not pleased about that but will tolerate it for now.
  • The final host was my ex-mercurial host.
    • Since I've switched to git I just removed tha package.

So now 1/19 hosts has Python installed. I'm not averse to the language, but given that I don't personally develop in it very often (read "once or twice in the past year") and by accident I had no python-scripts installed I see no reason to keep it on the off-chance.

My biggest surprise of the day was that now that we can use dash as our default shell we still can't purge bash. Since it is marked as Essential. Perhaps in the future.

Tags: kvm, offlineimap, python | 11 comments

 

Comments on this entry

icon Cameron Norman at 19:47 on 25 September 2014

One of my first thoughts was to remove bash, but I realized I really did not know if there were any bash scripts on my system.

If we want to hasten the demotion of bash, maybe a lintian warning can be added when a package ships a bash script but does not depend on bash.

icon Steve Kemp at 19:51 on 25 September 2014
http://steve.org.uk/.

That's probably a good way to go.

Right now packages don't need to declare dependencies on bash - because it is in the base-section. So there are many scripts which depend upon it, but don't declare that dependency. (For example /bin/zless, /bin/uncompress, etc.)


icon Stuart at 00:45 on 26 September 2014

"Default shell" isn't as simple as a lot believe. dash isn't really the default shell, it's the default /bin/sh. If you use "shell" to mean "the thing that executes shell scripts" then you'd be right... but most people think of "default shell" as meaning "the shell I type in" and in that case, /bin/bash is the default shell -- create a new user and they will get /bin/bash by default.

(And that's apart from other undeclared dependencies on bash for scripts -- removing packages from Essential is pretty much impossible and is probably not really worth the effort either)

icon Seegras at 08:19 on 26 September 2014
http://seegras.discordia.ch/

Nice one. I didn't realize this was possible. I just did the same on one of my hosts.

icon Emmanuel Kasper at 11:54 on 26 September 2014
http://meta.libera.cc

why do you say an "horrible" replacement ? your script is rather nice to read !

icon Steve Kemp at 11:59 on 26 September 2014
http://steve.org.uk/.

Because it fails utterly if there is no /etc/os-release file - with no attempt to parse the details from any other local source.

I don't have any lenny/squeeze systems still in the wild, but I'm pretty sure it would just fail there.

icon cstamas at 09:43 on 27 September 2014
http://cstamas.hu

Oh, thanks. Never heard of isync I will give it a try. (Currently on offlineimap)

icon John Hughes at 21:40 on 27 September 2014
http://perso.calvaedi.com/~john

$ head -1 /var/lib/dpkg/info/dash.preinst

!/bin/bash


icon Jonathan at 18:14 on 28 September 2014
http://jmtd.net

Interesting experiment. With regards theoretically getting rid of bash, you may be interested in https://wiki.debian.org/Proposals/RemoveBashFromEssential - one of the main issues to resolve, I think, would be safely managing changing user's shells, in particularly the root user, if you remove bash. I guess you'd need a cast-iron guarantee that root had a working shell at all points in the removal process, including failure modes and rollbacks.

icon Arno at 11:03 on 29 September 2014

Since "patches are welcome", can you add a >&2 on line 91 of your lsb_release script? There's plenty of scripts that parse stdout without checking the return code. I would probably use test -r over test -e as well, but I'm unsure if both are posix.

icon Steve Kemp at 08:03 on 3 October 2014
http://steve.org.uk/.

Arno - I've added that now.

 

Created by ephemeris.

© Steve Kemp