
Bug#793766: tasksel: standard system utilities pulls packages that listen on ports without firewall



Package: tasksel
Version: 3.31+deb8u1
Severity: normal
Tags: d-i

During installation, tasksel gives you the option of including "standard system
utilities". This group includes nfs-common and rpcbind, which, post
installation, automatically launch daemons that listen on ports. Debian's
default iptables configuration after installation is to allow all connections.
This is a security concern.

There's no indication to the user that selecting standard system utilities will
do this. Having a permissive firewall policy by default is fine, provided that
no open ports are running by default as well, but this is not the current
situation.

Possible solutions:
1. Do not include these packages in the task
2. More restrictive default firewall policy that will protect these ports until
the user decides to make them available
3. Keep as is, but notify the user that the included packages will listen for
connections upon selection



-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tasksel depends on:
ii  apt                     1.0.9.8
ii  debconf [debconf-2.0]   1.5.56
ii  liblocale-gettext-perl  1.05-8+b1
ii  perl-base               5.20.2-3+deb8u1
ii  tasksel-data            3.31+deb8u1

tasksel recommends no packages.

tasksel suggests no packages.

-- debconf information excluded
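
An added example, not part of the original report: a shell function that filters `ss -lntu` output down to listeners bound to non-loopback addresses, which is the check that shows whether daemons such as rpcbind are reachable from the network after installation. The function name `exposed_listeners` is hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example: list listening sockets that are reachable from off-host.
# exposed_listeners is a hypothetical helper name, not part of tasksel or iproute2.

# Reads `ss -lntu` output on stdin (Netid in column 1, local address in
# column 5) and prints "proto port address" for every listener that is
# NOT bound to a loopback address.
exposed_listeners() {
    awk '
    $1 == "Netid" { next }                          # skip the header line
    {
        proto = $1; laddr = $5
        if (!match(laddr, /:[^:]*$/)) next          # split at the last colon
        addr = substr(laddr, 1, RSTART - 1)
        port = substr(laddr, RSTART + 1)
        sub(/^\[/, "", addr); sub(/\]$/, "", addr)  # [::]:111 -> ::
        sub(/%.*$/, "", addr)                       # drop a %iface suffix
        if (addr ~ /^127\./ || addr == "::1") next  # loopback only, not exposed
        print proto, port, addr
    }' | LC_ALL=C sort -u
}

# Constructed sample input: rpcbind on port 111 bound to all addresses,
# plus a mail daemon bound to loopback only.
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      *:111              *:*
tcp   LISTEN 0      128    *:111              *:*
tcp   LISTEN 0      100    127.0.0.1:25       *:*
tcp   LISTEN 0      128    :::111             :::*
tcp   LISTEN 0      100    ::1:25             :::*
EOF
}

# On a real host: ss -lntu | exposed_listeners
sample_ss_output | exposed_listeners
```

Any line this prints is a socket that only a firewall rule or an unreachable network keeps away from remote hosts.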

