Bug#793766: tasksel: standard system utilities pulls packages that listen on ports without firewall

2015-07-27 Thread Christian PERRIER
Quoting Michael Rose (mdr...@zoho.com):
 Package: tasksel
 Version: 3.31+deb8u1
 Severity: normal
 Tags: d-i
 
 During installation, tasksel gives you the option of including standard system
 utilities. This group includes nfs-common and rpcbind, which, post
 installation, automatically launch daemons that listen on ports. Debian's
 default iptables configuration after installation is to allow all connections.
 This is a security concern.
 
 There's no indication to the user that selecting standard system utilities will
 do this. Having a permissive firewall policy by default is fine, provided that
 no open ports are running by default as well, but this is not the current
 situation.
 
 Possible solutions:
 1. Do not include these packages in the task
 2. More restrictive default firewall policy that will protect these ports until
 the user decides to make them available
 3. Keep as is, but notify the user that the included packages will listen for
 connections upon selection

This is not tasksel's job, indeed.

If these packages are Priority: standard, they're included in the
standard task. Tasksel is not really in a position to raise a judgment
about the behaviour of installed packages.

This bug report should eventually be reassigned against nfs-common.




Bug#793766: tasksel: standard system utilities pulls packages that listen on ports without firewall

2015-07-27 Thread Michael Rose
Package: tasksel
Version: 3.31+deb8u1
Severity: normal
Tags: d-i

During installation, tasksel gives you the option of including standard system
utilities. This group includes nfs-common and rpcbind, which, post
installation, automatically launch daemons that listen on ports. Debian's
default iptables configuration after installation is to allow all connections.
This is a security concern.

There's no indication to the user that selecting standard system utilities will
do this. Having a permissive firewall policy by default is fine, provided that
no open ports are running by default as well, but this is not the current
situation.

Possible solutions:
1. Do not include these packages in the task
2. More restrictive default firewall policy that will protect these ports until
the user decides to make them available
3. Keep as is, but notify the user that the included packages will listen for
connections upon selection



-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tasksel depends on:
ii  apt 1.0.9.8
ii  debconf [debconf-2.0]   1.5.56
ii  liblocale-gettext-perl  1.05-8+b1
ii  perl-base   5.20.2-3+deb8u1
ii  tasksel-data            3.31+deb8u1

tasksel recommends no packages.

tasksel suggests no packages.

-- debconf information excluded


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
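An added audit script, not part of the bug report, that checks for the condition the reporter describes: a permissive INPUT policy combined with daemons such as rpcbind bound to wildcard addresses. The ss(8) and iptables(8) output embedded below is constructed sample data; on a real host replace it with the commands named in the comments.

```shell
#!/bin/sh
# Constructed sample, shaped like `ss -lntup | tail -n +2` on a Debian 8 host
# after the "standard system utilities" task pulled in rpcbind and nfs-common.
SAMPLE_SS='udp   UNCONN 0 0      0.0.0.0:111   0.0.0.0:* users:(("rpcbind",pid=612,fd=6))
udp   UNCONN 0 0    127.0.0.1:323   0.0.0.0:* users:(("chronyd",pid=580,fd=1))
tcp   LISTEN 0 128    0.0.0.0:111   0.0.0.0:* users:(("rpcbind",pid=612,fd=8))
tcp   LISTEN 0 128    0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0 128  127.0.0.1:25    0.0.0.0:* users:(("exim4",pid=720,fd=4))'

# exposed_listeners SS_OUTPUT ALLOWED_PORTS
# Prints "proto port process" for every socket bound to a wildcard address
# (0.0.0.0, * or [::]) whose port is not in the space-separated allowlist.
# Loopback-only sockets are skipped: they are unreachable from the network
# whatever the firewall policy says.
exposed_listeners() {
    printf '%s\n' "$1" | awk -v allowed=" $2 " '
    $1 == "Netid" { next }                      # tolerate a header line
    {
        n = split($5, a, ":"); port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        if (addr != "0.0.0.0" && addr != "*" && addr != "[::]") next
        if (index(allowed, " " port " ") > 0) next
        proc = "unknown"
        if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
        print $1, port, proc
    }'
}

# firewall_is_permissive POLICY_LINE
# Takes the first line of `iptables -S INPUT` (e.g. "-P INPUT ACCEPT") and
# succeeds when the chain policy is ACCEPT, i.e. nothing filters inbound traffic.
firewall_is_permissive() {
    case "$1" in
        "-P INPUT ACCEPT") return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    # Constructed policy line; on a real host: iptables -S INPUT | head -n 1
    if firewall_is_permissive "-P INPUT ACCEPT"; then
        echo "INPUT policy is ACCEPT; network-reachable listeners outside the allowlist:"
        exposed_listeners "$SAMPLE_SS" "22"     # 22 = sshd, deliberately exposed
    fi
}

main
```

With the sample data the script reports rpcbind on udp/111 and tcp/111, exactly the exposure the report complains about, while sshd (allowlisted) and the loopback-bound chronyd and exim4 sockets are not flagged.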



Bug#793766: tasksel: standard system utilities pulls packages that listen on ports without firewall

2015-07-27 Thread Ansgar Burchardt
Hi,

Michael Rose mdr...@zoho.com writes:
 During installation, tasksel gives you the option of including standard system
 utilities. This group includes nfs-common and rpcbind, which, post
 installation, automatically launch daemons that listen on ports. Debian's
 default iptables configuration after installation is to allow all connections.
 This is a security concern.

 There's no indication to the user that selecting standard system utilities will
 do this. Having a permissive firewall policy by default is fine, provided that
 no open ports are running by default as well, but this is not the current
 situation.

 Possible solutions:
 1. Do not include these packages in the task

That is the current plan for Debian 9, see [1] and [2].

Ansgar

  [1] https://lists.debian.org/debian-devel/2015/05/msg00089.html
  [2] https://bugs.debian.org/788702

