On Tue, 8 Jul 1997, Alexander Kjeldaas wrote:

> On Tue, 8 Jul 1997, Craig Sanders wrote:
>
> > On Sun, 6 Jul 1997, Alexander Kjeldaas wrote:
> >
> > > Is it a goal for debian not to require perl? I don't think so - and
> > > that is one of the things I don't like with debian. It seems that
> > > debian is infested with perlism. There are "smart" perl-scripts doing
> > > all sorts of things.
> >
> > perl is no less secure than sh + sed + awk + cut + (all the other useful
> > unix utilities). anything you can do in perl you can do with those tools
> > too, but not quite as easily (for some things, a shell script is easier
> > than perl).
>
> You are just plain wrong. Perl has syscall which makes it possible to do
> _anything_. You can't do _anything_ with sed. As for awk - I don't use
> it.
I said "sh + sed + awk + cut + (all the other useful unix utilities)"...
i.e. I was referring to them as a suite of useful & related tools to be
used in combination with each other - name one thing that perl can do
which these tools can not.

to paraphrase you: "sh can execute arbitrary programs, which makes it
possible to do _anything_".

sed is not usually used in isolation. it is usually used as part of a sh
script. if you have a shell then you can do basically anything that perl
can do.

> > > I don't want powerful interpreters on my system and definitively not

I presume that you are not so excessively paranoid as to remove /bin/sh -
please explain to me how bash or sh or csh is NOT a "powerful interpreter".

> > > compilers - I regard them as a security risk since I want to set
> > > up my systems so that they do not accept the introduction of new
> > > executables (mounting noexec, nodev, read-only etc). It doesn't seem
> > > to be possible to do that with debian yet.
> >
> > It's not possible to do that with ANY unix. If you give someone a login
> > shell and a text editor, or even just an ftp-only login then they can
> > create executables.
>
> Please tell me how - given the following setup:
>
> * All filesystems are read-only.

then what is your problem? if the filesystems are read-only or noexec then
why are you so worried about people creating new executables?

BTW, you seem to be changing your story to suit your argument. At first
you said that "It doesn't seem to be possible to do that with debian
yet.", but the ultra-paranoid setup you describe can be done on any unix.

> * (Re)mounting is disabled.
> * immutable-append-only are enforced by the kernel (i.e. you can't chmod
>   them away).
> * /var is _not_ read-only, but noexec, nodev.
> * all directories in /var are immutable - log-files are append-only.
> * No compiler, no advanced scripting languages available, no debugger, no
>   dynamically linked executables.
> * Read-only access to /proc
> * No direct access to devices.
>
> (the above are _some_ of the stuff we do on our linux-distribution)
>
> > even that won't find plain text files which people can invoke like "perl
> > myprog.pl" or "sh myprog.sh".
>
> I don't think you listen to me - I don't want powerful interpreters so
> perl doesn't _exist_ - you'll have to introduce it into the system first.

i did read what you said. I just think you are worrying about nothing.

also, you are not reading what I wrote - the reference to "perl myprog.pl"
and "sh myprog.sh" were hypothetical examples showing why it is pointless
to search for files which have the execute bit set.

Whining about debian including perl is not at all productive. If you
don't want perl, then don't install it. simple as that. it's your choice.

If there are some packages available for debian which use scripts written
in perl, then you are at perfect liberty to write your own versions of the
offending scripts in any language you choose. Just don't expect to be able
to force every volunteer developer to cater exclusively to your bizarre
needs.

Debian is a general purpose linux distribution, providing a good selection
of the tools which are expected on any modern unix - if you need it to be
or do something truly weird then it is up to you to make whatever
modifications are necessary. If what you produce is good, then feel free
to contribute it back to the project for others to benefit from your hard
work. *That* is how debian grows.

> > in other words, the only way to do it on any unix is to be vigilant, and
> > to make sure your users understand what they are and are not allowed to
> > do on your system.
>
> You assume I have users on my systems - that isn't necessarily true.

so what are you so worried about? If you don't have users on the system
then WHO, apart from you, is going to be installing extra programs? Don't
you even trust yourself?
> Because if you want others to make "specialized" distributions they might
> not be interested in having the run-time system of a dozen languages on
> their system. If the distribution is 40MB you don't want 20MB of that to
> consist of slang, perl and java run-time support.

the base distribution is nowhere near 40mb in size. you exaggerate wildly.

if you don't want perl, then don't install it. if you don't want gcc then
don't install it. if you don't want java or python then don't install
them. etc.

this is such a simple and obvious point that I marvel at the need to
explain it to you. it is self-evident.

craig

--
craig sanders
networking consultant                 Available for casual or contract
temporary autonomous zone             system administration tasks.

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
[EMAIL PROTECTED] .
Trouble? e-mail to [EMAIL PROTECTED] .