[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: red worm amusement

On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:


> No, I'm simply saying not to start services immediately.


Well, I'm going to wade into this growing flamewar to point out what I think
is a sound idea.  The trouble with the current system is that installed
daemons automatically start running with a default configuration.  This is
not always bad, but does not allow a paranoid sysadmin to protect themselves
(short of ugly workarounds like taking down the network interface until the
server is shut off).

I think that there should be a way to install a debian server packages
without having the installation scripts start the server.  This need not be
default, but it should be possible.

I'm sure there are many ways this could work.  Perhaps:

root@foobar:/etc# apt-get install --no-run apache

would download, install and configure apache, but not run it.  When the
sysadmin was satisfied with the configureation files, etc, then update-rc.d
and such could be run by hand (or by another call to apt-get/dpkg with
another flag).

This would have to be both a policy change and a technical change in apt
and/or dpkg.  I think it would be a good compromise between security and the
simplicity of apt-get install foo.

Steven Barker                                      scbarker@uiuc.edu
  Perhaps, after all, America never has been discovered.  I myself would
  say that it had merely been detected.
  		-- Oscar Wilde
PGP Key Fingerprint: 1A33 9F2E 368D 24B1 81D4  60BF E928 9E28 958F 2058

Reply to: