Hi Aaron,

On 12-06-01 at 11:22am, Aaron Toponce wrote:
> Just because I have installed a service package, doesn't mean I want
> the service immediately running after installation. I would like to
> spend the necessary time as an administrator to configure and secure
> the service to my liking, before starting the service.

Debian's goal is - as you probably know already - for packages to work out of the box. For daemons this means they are started by default.

If a package (service or not) is insecure by default, it is a bug! The severity of such bugs varies - e.g. some may consider it insecure for a web server to publicly display a static page saying "It works!" while most probably won't.

You can override the default of daemons using policy.d.

What I do for chroots - which you can adapt to your own personal needs - is to install the package policyrcd-script-zg2 and add the attached config file as /usr/local/sbin/policy-rc.d .

Hope that helps,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

#!/bin/sh
# $Id: policy-rc.d,v 1.5 2007-01-16 09:59:43 jonas Exp $
#
# Copyright © 2006 Jonas Smedegaard <dr@jones.dk>
# Description: Suppress system V scripts if invoked within a chroot.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
# Policy-rc.d is mentioned in manpage invoke-rc.d(8) and documented at
# http://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt
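
set -e

PRG=$(basename "$0")

# An explicit (empty) short-option string is needed: without -o, getopt
# takes the first parameter after "--" as the option string. The failure
# branch is attached to the assignment because "set -e" would otherwise
# exit before a separate "$?" test could run.
TEMP=$(getopt -s sh -o '' --long list,quiet -n "$PRG" -- "$@") || {
    echo "Terminating..." >&2
    exit 1
}
eval set -- "$TEMP"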

# Stolen from udev postinst
chrooted() {
    if [ "$(stat -c %d/%i /)" = "$(stat -Lc %d/%i /proc/1/root 2>/dev/null)" ]; then
        # the devicenumber/inode pair of / is the same as that of /sbin/init's
        # root, so we're *not* in a chroot and hence return false.
        return 1
    fi
    return 0
}

quiet=""
list=""
while true ; do
    case "$1" in
        --quiet) quiet="1" ; shift ;;
        --list) list="1" ; shift ;;
        --) shift ; break ;;
        *) echo "Internal error!" ; exit 1 ;;
    esac
done

initscript="$1"
actions="$2"
runlevel="$3"

if [ "$list" ]; then
    cat <<EOF
The following policies are known to this policy daemon:
default: All actions are allowed.
chroot: If invoked from within a chroot environment,
no actions are allowed, else all are allowed.
This policy daemon care not about actions, so all standard actions
(start, [force-]stop, restart, [force-]reload and status), and any
additionally implemented ones, are supported.
EOF
    exit 0
fi

if chrooted; then
    if ! [ "$quiet" ]; then
        echo >&2 "Chroot environment detected, suppressing sysV script."
    fi
    exit 101
fi

exit 0
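
An added example, not part of Jonas's message or his attached script: a policy-rc.d variant for the case in the quoted question, where no daemon should be brought up by package scripts until the administrator has configured it. The allowlist path /etc/policy-rc.d.allow, the POLICY_ALLOWLIST variable and the function names are assumptions; exit status 101 is the same "forbidden" code the script above returns.

```shell
#!/bin/sh
# Added example: allowlist-based policy-rc.d (not the script from the message).
set -e

# Assumed location of the administrator's allowlist, one initscript ID per line.
ALLOWLIST="${POLICY_ALLOWLIST:-/etc/policy-rc.d.allow}"

# is_allowed ID: succeed only if ID is a whole line of the allowlist.
is_allowed() {
    [ -n "$1" ] && [ -r "$ALLOWLIST" ] && grep -Fxq -- "$1" "$ALLOWLIST"
}

# decide ID ACTIONS: return 0 (allowed) or 101 (forbidden by policy).
# stop, reload and status always pass, so removals and upgrades can still
# stop a daemon; only actions that would bring a service up are gated.
decide() {
    id="$1"
    for action in $2; do
        case "$action" in
            start|restart)
                if ! is_allowed "$id"; then
                    echo "policy-rc.d: $action of '$id' denied, not in $ALLOWLIST" >&2
                    return 101
                fi
                ;;
        esac
    done
    return 0
}

main() {
    # Drop leading options (--quiet, --list); they are ignored here.
    while [ $# -gt 0 ]; do
        case "$1" in
            --) shift; break ;;
            --*) shift ;;
            *) break ;;
        esac
    done
    decide "${1:-}" "${2:-}"
}

# Act only when installed under the name policy-rc.d, so the functions can
# be sourced and tested without side effects.
case "${0##*/}" in
    policy-rc.d) main "$@" ;;
esac
```

Once a service has been configured and secured, adding its initscript ID to the allowlist lets later invoke-rc.d calls start it.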