Re: openssh-server's default config is dangerous
On Tue, 12 Jul 2016, Nicolas George wrote:
> Le quintidi 25 messidor, an CCXXIV, Don Armstrong a écrit :
> > If a service's default configuration is insecure, it should be fixed.
> > File a bug.
>
> If you think about it slightly more than two seconds,

This is incredibly rude. Considering that I maintain multiple things
which install daemons in Debian, I've thought about this for
significantly more than two seconds.

> you will realize that if the default configuration does ANYTHING, even
> something that is completely harmless in 99.99% of the cases, then
> there will be some cases where this is a serious issue, where the
> administrator really did not want it to happen. Even if it is only
> 0.01% of the cases, that is still too many.

This is the endless security vs utility debate. The most secure system
is a system which is completely useless. Discussing this issue in the
abstract isn't particularly useful. Discussing it in particular cases
(like openssh-server's configuration) is useful, and then it becomes a
question of where to draw the line.

There's a reason why many daemons that do start only listen on
localhost. Or only listen on sockets. Or don't do anything but serve
static files out of very specific directories.

> I am flabbergasted to see how many people oppose the obviously
> correct solution to that kind of issue: have a global option "Start
> services after installing? always / ask / never".

That option already exists. See policy-rc.d. For example:
https://jpetazzo.github.io/2013/10/06/policy-rc-d-do-not-start-services-automatically/

--
Don Armstrong https://www.donarmstrong.com
in Just-
spring when the world is mud-
luscious the little lame balloonman
whistles far and wee
-- e.e. cummings "[in Just-]"
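
A policy-rc.d of the kind the message above points to, as an added example that is not part of the original post or of the linked article: it lets package maintainer scripts stop any daemon but start only those on an allowlist. The allowlist contents are constructed; the script is assumed to be installed executable as /usr/sbin/policy-rc.d, where invoke-rc.d looks for it.

```shell
#!/bin/sh
# /usr/sbin/policy-rc.d -- consulted by invoke-rc.d before it runs an init script.
# Called as: policy-rc.d [options] <initscript ID> <actions> [<runlevel>]
# Exit status: 0 = action allowed, 101 = action forbidden by policy,
#              103 = syntax error.

# Constructed allowlist (assumption): daemons that may be started on install.
ALLOWED_SERVICES="cron rsyslog"

policy_decide() {
    # Skip --quiet; this sketch does not implement other options (e.g. --list).
    while [ $# -gt 0 ]; do
        case "$1" in
            --quiet) shift ;;
            --*)     return 103 ;;
            *)       break ;;
        esac
    done
    [ $# -ge 2 ] || return 103

    service=$1
    actions=$2          # space-separated list, usually a single action

    for action in $actions; do
        case "$action" in
            # Never block shutting a daemon down: upgrades and removals need it.
            stop|force-stop) ;;
            # start, restart, reload, ...: only for allowlisted services.
            *)
                case " $ALLOWED_SERVICES " in
                    *" $service "*) ;;
                    *) return 101 ;;
                esac
                ;;
        esac
    done
    return 0
}

# Act as the real policy script only when invoked under that name.
case "${0##*/}" in
    policy-rc.d) policy_decide "$@"; exit $? ;;
esac
```

With this in place, installing openssh-server leaves sshd stopped until the administrator has reviewed its configuration and started it by hand.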