
Re: rlinetd security



Tim Haynes <debian@stirfried.vegetable.org.uk> writes:

> "Noah L. Meyerhans" <frodo@morgul.net> writes:
> 
> And let's not forget that plenty enough people don't know all 3 obvious
> commands for finding a process responsible for a given listener, or don't
> have `head /etc/services` in short-term memory, or why 53/tcp is a Bad
> Thing, etc...

Just a minor nit: 53/tcp is *not* inherently bad. Blocking it breaks some 
DNS functionality.

> Yes. I've seen the question `should one aim for secure by default?' before
> and never made up my mind; there is a `false complacency' argument to be
> wary of, of course, but I'm now pretty much decided that one should aim for
> as secure as possible if only to stop things spreading through people's
> incompetence.

I agree with this. Sysadmins should also be wary of legacy services that 
"have always been there" in Unix. A lot of that cruft follows us around
just by tradition. 

What I would really like Debian to do when installing services is to *not*
start them by default. Just install all the files, but make init scripts 
not run unless edited.

-sami.


