
Re: red worm amusement



On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:

<snip>

> No, I'm simply saying not to start services immediately.

<snip>

Well, I'm going to wade into this growing flamewar to point out what I think
is a sound idea.  The trouble with the current system is that installed
daemons automatically start running with a default configuration.  This is
not always bad, but does not allow a paranoid sysadmin to protect themselves
(short of ugly workarounds like taking down the network interface until the
server is shut off).

I think that there should be a way to install a Debian server package
without having the installation scripts start the server.  This need not be
default, but it should be possible.

I'm sure there are many ways this could work.  Perhaps:

root@foobar:/etc# apt-get install --no-run apache

would download, install and configure apache, but not run it.  When the
sysadmin was satisfied with the configuration files, etc., then update-rc.d
and such could be run by hand (or by another call to apt-get/dpkg with
another flag).

This would have to be both a policy change and a technical change in apt
and/or dpkg.  I think it would be a good compromise between security and the
simplicity of apt-get install foo.

-- 
Steven Barker                                      scbarker@uiuc.edu
  Perhaps, after all, America never has been discovered.  I myself would
  say that it had merely been detected.
  		-- Oscar Wilde
PGP Key Fingerprint: 1A33 9F2E 368D 24B1 81D4  60BF E928 9E28 958F 2058


