Bug#793766: tasksel: standard system utilities pulls packages that listen on ports without firewall
Hi,
Michael Rose <mdrose@zoho.com> writes:
> During installation, tasksel gives you the option of including "standard system
> utilities". This group includes nfs-common and rpcbind, which, post
> installation, automatically launch daemons that listen on ports. Debian's
> default iptables configuration after installation is to allow all connections.
> This is a security concern.
>
> There's no indication to the user that selecting standard system utilities will
> do this. Having a permissive firewall policy by default is fine, provided that
> no open ports are running by default as well, but this is not the current
> situation.
>
> Possible solutions:
> 1. Do not include these packages in the task
That is the current plan for Debian 9, see [1] and [2].
Ansgar
[1] <https://lists.debian.org/debian-devel/2015/05/msg00089.html>
[2] <https://bugs.debian.org/788702>