Re: openssh-server's default config is dangerous

To: debian-user@lists.debian.org
Subject: Re: openssh-server's default config is dangerous
From: Stefan Monnier <monnier@iro.umontreal.ca>
Date: Wed, 13 Jul 2016 12:52:09 -0400
Message-id: <[🔎] jwvy455qyc7.fsf-monnier+gmane.linux.debian.user@gnu.org>
References: <[🔎] 20160712130633.GA4054640@phare.normalesup.org> <[🔎] 12072016143713.ab9150842167@desktop.copernicus.demon.co.uk> <[🔎] 20160712143549.GA4087782@phare.normalesup.org> <[🔎] 20160712150845.GG20714@geta> <[🔎] 20160712182236.GA3293@phare.normalesup.org> <[🔎] 20160712190431.GO20714@geta> <[🔎] 20160712191246.GA22642@phare.normalesup.org> <[🔎] jwv4m7u37it.fsf-monnier+gmane.linux.debian.user@gnu.org> <[🔎] 20160712220754.GU20714@geta> <[🔎] jwvmvlm1og0.fsf-monnier+gmane.linux.debian.user@gnu.org> <[🔎] 20160713161230.GW20714@geta>

> You could potentially just use the policyrcd-script-zg2 package, and
> then your boolean setting would be:
>
>   echo -e "#!/bin/sh\nexit101;" > /etc/policy-rc.d.
>
> Or something similar. [Or if you really just want a boolean, you could
> potentially write your own package which plugged into policy-rc.d which
> just checked if /etc/no_daemons or something existed to determine
> whether it should exit 101 or not; you could possibly even figure out if
> you were running under dpkg, and just block starting/restarting daemons
> during package install/remove time.]

Yes, I could hand-code it myself.  But the question is why isn't such
a boolean pre-defined by default in Debian?

Am I really the only one who sometimes (like once a year or so, maybe)
takes a disk (aka µSD card) out of a machine, mounts it on another, and
then chroots into it to perform some administration tasks "offline" (tho
sometimes it's really more online: one of the cases where I did it was
because the main machine didn't have access to the Internet, so
I performed the updates by mounting the rootfs on another machine and
used aptitude there)?


        Stefan

Reply to:

References:
- Re: openssh-server's default config is dangerous
  - From: Nicolas George <george@nsup.org>
- Re: openssh-server's default config is dangerous
  - From: Brian <ad44@cityscape.co.uk>
- Re: openssh-server's default config is dangerous
  - From: Nicolas George <george@nsup.org>
- Re: openssh-server's default config is dangerous
  - From: Don Armstrong <don@debian.org>
- Re: openssh-server's default config is dangerous
  - From: Nicolas George <george@nsup.org>
- Re: openssh-server's default config is dangerous
  - From: Don Armstrong <don@debian.org>
- Re: openssh-server's default config is dangerous
  - From: Nicolas George <george@nsup.org>
- Re: openssh-server's default config is dangerous
  - From: Stefan Monnier <monnier@iro.umontreal.ca>
- Re: openssh-server's default config is dangerous
  - From: Don Armstrong <don@debian.org>
- Re: openssh-server's default config is dangerous
  - From: Stefan Monnier <monnier@iro.umontreal.ca>
- Re: openssh-server's default config is dangerous
  - From: Don Armstrong <don@debian.org>

Prev by Date: Re: epson L210 scan
Next by Date: Re: epson L210 scan
Previous by thread: Re: openssh-server's default config is dangerous
Next by thread: Containers and chroot (was: openssh-server's default config is dangerous)
Index(es):
- Date
- Thread