[EMAIL PROTECTED] (Martin Maney) writes:
> On Mon, Jun 18, 2001 at 08:34:11PM +0100, Tim Haynes wrote:
>
> > Well, it depends. You can never tidy up a rooted box; the same
> > mentality sort of applies all the way down - if you're setting up a
> > box, why worry about installing this and uninstalling that, when your
> > original installation shouldn't have had anything enabled in the first
> > place? (And yes, you can push that back into the distro, too.)
>
> Sure, you can have a distro that doesn't install any services. Heck,
> consider local exploits and you may decide that "login considered
> harmful" isn't too great a stretch... :-)
Well, smiley noted, but the list of users who have what kind of access to
the box has to be considered.
> I have to take issue with your attempt to draw a parallel to a rooted
> box. It *is* possible to cleanup the newly installed box because you can
> reasonably assume that it hasn't been maliciously set up to resist the
> cleanup.
Well, if you can assume that, sure. But the parallel really comes in saying
you half-way don't know what to look for, or might miss something. That's
why I'm in favour of pushing some things into the distro
installation-default area.
> > Surely software you install on production machines has its requirements
> > either satisfied by the wonder that is apt-get, or documented properly?
> > You can, and should, start from blank and add things as you need.
>
> Could I agree with the minimalist sentiment while yet observing that
> apt-get, wonderful as it is, cannot satisfy requirements that come not
> from packages installed on this machine, but from other machines -
> possibly ones that aren't even using Debian?
Sure; that's where `or documented properly' comes in.
> At the same time, I would like to agree with the sentiment that has been
> expressed a few times. "If you don't know what it's for, shut it off." I
> think the unstated part that some may have overlooked is that if you need
> something but don't know it, then you owe it to yourself (and your
> employers, if that's the sort of situation it is) to find out what's
> there.
It's been mentioned very en passant, as has `but I don't have the time to
investigate everything', which makes my caffeine^Wblood boil.
> This is how sysadmins lose their hair!
Tell me about it.
My take on the whole thing is that you're building a test box internally
first *anyway*, if you don't know exactly how to set up a live machine;
then you investigate, kill off everything your reading of the manuals
allows you to, on the simple grounds that you don't want it to turn around
& bite you later on, and you're on a test box so any breaks won't matter
and you'll learn in the process.
Leaving stuff open because `there aren't any known holes at the moment'
doesn't really wash here :( .
~Tim
--
But mountains are holy places, |[EMAIL PROTECTED]
And beauty is free / We can still walk |http://spodzone.org.uk/
Through the garden |
Our earth was once green |
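An added example, not from this thread: one way to do the "find out what's there" step on the test box before deciding what to kill off. The script parses `ss -ltnp`-style output (the sample below is constructed so it runs offline; on a live machine pipe in the real command), lists every listening port with its process, and reports the ones not on an allowlist of services that are actually documented as required.

```sh
#!/bin/sh
# Inventory of listening TCP sockets: port -> process name, so that each
# open service can either be justified (documented requirement) or shut off.

# Constructed sample in "ss -ltnp" format; not taken from any real host.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:25        0.0.0.0:*         users:(("exim4",pid=901,fd=4))
LISTEN 0      5      0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=402,fd=8))
LISTEN 0      50     [::]:3306           [::]:*            users:(("mysqld",pid=1100,fd=20))
EOF
}

# Read ss -ltnp output on stdin; print "port process" for each LISTEN line.
# The port is the last ":"-separated part of the local address, so both
# IPv4 (0.0.0.0:22) and IPv6 ([::]:3306) forms are handled.
listening_services() {
    awk 'NR > 1 && $1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        proc = "unknown"
        if (match($0, /users:\(\("[^"]+"/)) {
            # strip the leading users:((" (9 chars) and the closing quote
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        }
        print port, proc
    }'
}

# Read "port process" lines on stdin; $1 is a space-separated allowlist of
# process names that are documented as required. Print the rest: those are
# the candidates for "if you don't know what it's for, shut it off".
undocumented_services() {
    allow=" $1 "
    while read -r port proc; do
        case "$allow" in
            *" $proc "*) ;;
            *) echo "$port $proc" ;;
        esac
    done
}

# Which Debian package installed a given daemon (live box only; needs dpkg).
owning_package() {
    dpkg -S "$(command -v "$1")" 2>/dev/null | cut -d: -f1
}

# Stand-alone run against the constructed sample, with sshd and exim4 as
# the only documented requirements.
sample_ss_output | listening_services | undocumented_services "sshd exim4"
```

On a real host replace `sample_ss_output` with `ss -ltnp` (run as root so process names are visible) and feed each reported name to `owning_package` to see what `apt-get remove` would take out.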