
Re: Question about Debian security policy



On Thu, Jun 30, 2005 at 11:16:18AM +0200, neologix wrote:
> Hi everybody. I hope this question won't be too stupid.
> When I perform a standard installation (i.e. minimal), the installer installs
> many servers, and launches them (like portmap, ssh, exim, etc). Why?
> I think that OpenBSD and FreeBSD, for example, don't launch any daemon at all,
> or at least prompt you before doing that. There must be a reason, but I don't
> see it (I'm not a networking/security guru, so please forgive me if the answer
> is obvious).

It's not obvious, but it is documented, please read:
http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s3.6
and
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html


Short answer:

- exim - (important priority) required for local mail delivery, if you
  don't configure it to act as an MTA it will only be accessible through
  127.0.0.1 (i.e. it will not be exposed)

- sshd - part of the 'standard' installation. If you don't want standard
  you need to do a minimal install (using the 'expert' mode)

- portmap - standard, needed for some RPC services such as NFS (uncommon)
  or FAM (common in desktop environments). It can be easily configured to
  listen only for localhost queries to reduce exposure (check
  /etc/default/portmap, there is a debconf question to enable/disable in
  etch and sid). You can also prevent it from installing if using expert
  mode (i.e. if you don't install nfs-common either, which is also of
  'standard' priority)

That's more or less what you will have in a stock standard installation. If 
you use a minimal installation through expert mode you can end up with 0 
network services, if you install some task you might end up with _more_ 
network services (printer service, FAM, web server, etc.). 

So what you have actually depends on your choices through the installation 
process.

Regards

Javier
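
Added example (not part of the original message): a way to check the distinction drawn above between a service bound only to 127.0.0.1, such as the default exim, and one listening on all interfaces. It classifies listeners from numeric `netstat -tuna`-style output; the sample output and the function names are constructed for illustration and assume numeric addresses (the `-n` flag).

```python
import ipaddress

# Constructed sample in the style of `netstat -tuna` on an install like the one
# described in the message (portmap=111, ssh=22, exim=25); not captured data.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
tcp        0      0 192.0.2.10:22           198.51.100.7:40312      ESTABLISHED
"""

def listeners(netstat_text):
    """Yield (proto, address, port) for listening TCP and unconnected UDP sockets."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue  # banner, column header or unrelated line
        proto, local, foreign = f[0], f[3], f[4]
        state = f[5] if len(f) > 5 else ""
        if proto.startswith("tcp") and state != "LISTEN":
            continue  # established connections are not listeners
        if proto.startswith("udp") and not foreign.endswith(":*"):
            continue  # connected UDP socket, not a server
        addr, port = local.rsplit(":", 1)  # rsplit keeps the IPv6 "::" intact
        yield proto, addr, int(port)

def classify(netstat_text):
    """Split listeners into loopback-only and network-reachable lists."""
    local_only, exposed = [], []
    for proto, addr, port in listeners(netstat_text):
        bucket = local_only if ipaddress.ip_address(addr).is_loopback else exposed
        bucket.append((proto, addr, port))
    return local_only, exposed

if __name__ == "__main__":
    local_only, exposed = classify(SAMPLE)
    for proto, addr, port in exposed:
        print(f"exposed   {proto:5} {addr}:{port}")
    for proto, addr, port in local_only:
        print(f"loopback  {proto:5} {addr}:{port}")
```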
