Re: Many ports open by default

2001-05-07 Thread Turbo Fredriksson
> "Steve" == Steve Greenland <[EMAIL PROTECTED]> writes:

>> *beep, wrong* :)
>> 
>> update-rc.d -f exim remove
>> 

Steve> *beep*, *wrong* :)

Steve> The problem with "update-rc.d -f exim remove" is that it
Steve> removes *all* the links, not just the S*exim links.

Yes. That's a bug in the tool, not a fault in the solution :)

-- 
 Turbo __ _ Debian GNU Unix _IS_ user friendly - it's just 
 ^/ /(_)_ __  _   ___  __  selective about who its friends are 
 / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   [EMAIL PROTECTED]
  \\\/  \/_|_| |_|\__,_/_/\_\ Stockholm/Sweden

counter-intelligence kibo cracking Peking quiche munitions attack SDI
radar Delta Force tritium toluene president Uzi Iran
[See http://www.aclu.org/echelonwatch/index.html for more about this]




Re: Many ports open by default

2001-05-05 Thread Torsten Landschoff
On Fri, May 04, 2001 at 07:12:07PM -0700, Tom Lear wrote:
 
> BTW, I think this is what ssh should do if you choose not to run the
> daemon on startup (rather than making /etc/init.d/ssh not work at all).
> I have ssh installed on my laptop, and I don't want it running by
> default, but I'd like to be able to start and stop it with the
> /etc/init.d script.  Anyone else agree with this (should I file a bug)?

File a wishlist bug - it is a wish, isn't it? ;)

cu
Torsten




Re: Many ports open by default

2001-05-05 Thread Andreas Metzler
Tom Lear <[EMAIL PROTECTED]> wrote:
>> Sure, don't run the daemon at all.  When you install exim, "rm
>> /etc/init.d/rc?.d/S*exim" and it won't start.  Local processes will be

> BTW, I think this is what ssh should do if you choose not to run the
> daemon on startup (rather than making /etc/init.d/ssh not work at all).
> I have ssh installed on my laptop, and I don't want it running by
> default, but I'd like to be able to start and stop it with the
> /etc/init.d script.  Anyone else agree with this (should I file a bug)?

Hello!
I do.
It could use 
update-rc.d ssh stop 20 0 1 2 3 4 5 6 .
instead of
update-rc.d ssh defaults, if I chose not to run the ssh-Daemon.
 cu andreas
-- 
Uptime: 10 seconds  load average: 0.00, 0.00, 0.00
vim:ls=2:stl=***\ Sing\ a\ song.\ ***




Re: Many ports open by default

2001-05-04 Thread Tom Lear
On Mon, Apr 30, 2001 at 11:52:46PM +, Will Lowe wrote:
> Sure, don't run the daemon at all.  When you install exim, "rm
> /etc/init.d/rc?.d/S*exim" and it won't start.  Local processes will be

BTW, I think this is what ssh should do if you choose not to run the
daemon on startup (rather than making /etc/init.d/ssh not work at all).
I have ssh installed on my laptop, and I don't want it running by
default, but I'd like to be able to start and stop it with the
/etc/init.d script.  Anyone else agree with this (should I file a bug)?
- Tom




Re: Many ports open by default

2001-05-04 Thread Matt Zimmerman
On Fri, May 04, 2001 at 02:49:47PM +0200, Turbo Fredriksson wrote:

> Quoting [EMAIL PROTECTED]:
> 
> > On Mon, Apr 30, 2001 at 11:52:46PM +, Will Lowe wrote:
> > > > > I think it's safe to assume that your system MUST have a working MTA
> > > > > of some sort (even if it's local-only, which is supported by
> > > > > eximconfig).
> > > > This is true, but does it need to be world-accessible?  There should be
> > > > a way to either have it listen on localhost only, or not listen on
> > > 
> > > Sure, don't run the daemon at all.  When you install exim, "rm
> > > /etc/init.d/rc?.d/S*exim" and it won't start.  Local processes will be
> > /etc/rc?.d/S*exim
> 
> *beep, wrong* :)
> 
> update-rc.d -f exim remove

Er, *beep, wrong*.  That will remove _all_ links, which means that your changes
will be lost at the next upgrade.  update-rc.d remove is meant to be called
from postrm.  It would be nice if update-rc.d included a convenience option to
remove all S?? links, but it doesn't.

-- 
 - mdz




Re: Many ports open by default

2001-05-04 Thread Steve Greenland
On 04-May-01, 07:49 (CDT), Turbo Fredriksson <[EMAIL PROTECTED]> wrote: 
> Quoting [EMAIL PROTECTED]:
> 
> > On Mon, Apr 30, 2001 at 11:52:46PM +, Will Lowe wrote:
> > > > > I think it's safe to assume that your system MUST have a working MTA 
> > > > > of
> > > > > some sort (even if it's local-only, which is supported by eximconfig).
> > > > This is true, but does it need to be world-accessible?  There should
> > > > be a way to either have it listen on localhost only, or not listen on
> > > 
> > > Sure, don't run the daemon at all.  When you install exim, "rm
> > > /etc/init.d/rc?.d/S*exim" and it won't start.  Local processes will be
> > /etc/rc?.d/S*exim
> 
> *beep, wrong* :)
> 
> update-rc.d -f exim remove
> 

*beep*, *wrong* :)

The problem with "update-rc.d -f exim remove" is that it removes *all*
the links, not just the S*exim links. The next time exim is upgraded,
its postinst will re-install all the links. Just rm'ing the S*exim
links will produce the desired effect.

Steve

-- 
Steve Greenland <[EMAIL PROTECTED]>
(Please do not CC me on mail sent to this list; I subscribe to and read
every list I post to.)
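
Added example, not part of the original posts: the two approaches argued over above, run against a throwaway directory tree instead of the real /etc. `model_update_rc_defaults` is a simplified stand-in for a postinst calling `update-rc.d <name> defaults`, assuming its documented behaviour of doing nothing when any S or K link for the service already exists; the function names and the link layout (priority 20, start in 2-5, kill in 0, 1, 6) are constructed for the illustration.

```shell
#!/bin/sh
# Sandbox model of the SysV rc link layout discussed in the thread.
# Everything lives under a mktemp directory; the real /etc is never touched.

# Install the default link set for NAME under ROOT (constructed layout).
install_default_links() {  # ROOT NAME
    for rl in 0 1 6; do
        mkdir -p "$1/rc$rl.d"
        ln -s "../init.d/$2" "$1/rc$rl.d/K20$2"
    done
    for rl in 2 3 4 5; do
        mkdir -p "$1/rc$rl.d"
        ln -s "../init.d/$2" "$1/rc$rl.d/S20$2"
    done
}

make_tree() {  # ROOT NAME
    mkdir -p "$1/init.d"
    : > "$1/init.d/$2"
    install_default_links "$1" "$2"
}

# Count start links (KIND=S) or kill links (KIND=K) for NAME.
count_links() {  # ROOT KIND NAME
    n=0
    for l in "$1"/rc?.d/"$2"[0-9][0-9]"$3"; do
        if [ -L "$l" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Equivalent of "rm /etc/rc?.d/S??NAME": start links go, kill links stay.
disable_start_links() {  # ROOT NAME
    for l in "$1"/rc?.d/S[0-9][0-9]"$2"; do
        if [ -L "$l" ]; then rm -- "$l"; fi
    done
}

# Equivalent of "update-rc.d -f NAME remove": every S and K link goes.
remove_all_links() {  # ROOT NAME
    for l in "$1"/rc?.d/[SK][0-9][0-9]"$2"; do
        if [ -L "$l" ]; then rm -- "$l"; fi
    done
}

# Simplified model of the postinst step on upgrade: if any link for NAME
# survives, the administrator's layout is left alone; if none does, the
# package defaults are installed again.
model_update_rc_defaults() {  # ROOT NAME
    s=$(count_links "$1" S "$2")
    k=$(count_links "$1" K "$2")
    if [ $((s + k)) -gt 0 ]; then return 0; fi
    install_default_links "$1" "$2"
}

# Run one scenario and print "<start links> <kill links>" as they stand
# after the simulated upgrade. METHOD is "rm-start" or "remove-all".
after_upgrade() {  # METHOD
    t=$(mktemp -d) || return 1
    make_tree "$t" exim
    case $1 in
        rm-start)   disable_start_links "$t" exim ;;
        remove-all) remove_all_links "$t" exim ;;
    esac
    model_update_rc_defaults "$t" exim
    echo "$(count_links "$t" S exim) $(count_links "$t" K exim)"
    rm -rf "$t"
}

printf 'rm S?? links only, then upgrade:   %s (start kill)\n' "$(after_upgrade rm-start)"
printf 'update-rc.d -f remove, then upgrade: %s (start kill)\n' "$(after_upgrade remove-all)"
```

With only the start links removed the daemon stays disabled after the upgrade; with every link removed the defaults come back and the port is open again.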




Re: Many ports open by default

2001-05-04 Thread Turbo Fredriksson
Quoting [EMAIL PROTECTED]:

> On Mon, Apr 30, 2001 at 11:52:46PM +, Will Lowe wrote:
> > > > I think it's safe to assume that your system MUST have a working MTA of
> > > > some sort (even if it's local-only, which is supported by eximconfig).
> > > This is true, but does it need to be world-accessible?  There should
> > > be a way to either have it listen on localhost only, or not listen on
> > 
> > Sure, don't run the daemon at all.  When you install exim, "rm
> > /etc/init.d/rc?.d/S*exim" and it won't start.  Local processes will be
> /etc/rc?.d/S*exim

*beep, wrong* :)

update-rc.d -f exim remove


-- 
 Turbo __ _ Debian GNU Unix _IS_ user friendly - it's just 
 ^/ /(_)_ __  _   ___  __  selective about who its friends are 
 / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   [EMAIL PROTECTED]
  \\\/  \/_|_| |_|\__,_/_/\_\ Stockholm/Sweden

nuclear munitions AK-47 [Hello to all my fans in domestic
surveillance] Clinton radar jihad Rule Psix Ft. Meade strategic Semtex
FBI Nazi NSA Albanian
[See http://www.aclu.org/echelonwatch/index.html for more about this]




Re: Many ports open by default

2001-05-01 Thread David Nusinow
On 30 Apr 2001 15:30:48 -0400, Wolfgang Sourdeau wrote:
> > As always, that would be true if they weren't installed by default. The
> > current method requires too much prior knowledge.
> 
> This could be put as a question whenever someone installs Debian
> GNU/Linux. Something like "Do you want to enable the installed server
> software by default. Beware that this might cause security problems on
> your system since it is recommended to only run server programs if and
> only if needed. If you do not feel confident enough with system
> administration, you should answer No here."
> 

I like this idea a lot. Newbies simply don't know if they need a daemon
or not (or even what a daemon is sometimes), so they could use a little
hand holding. While I agree with Craig that if you don't want it run,
then either don't install or edit by hand, but I think that this doesn't
apply at all if it's installed by default. If you know enough to know
you need the server, then you should be able to install it yourself, you
don't need it installed by default for you.

- David Nusinow
   [EMAIL PROTECTED]




Re: Many ports open by default

2001-04-30 Thread mdanish
On Mon, Apr 30, 2001 at 11:52:46PM +, Will Lowe wrote:
> > > I think it's safe to assume that your system MUST have a working MTA of
> > > some sort (even if it's local-only, which is supported by eximconfig).
> > This is true, but does it need to be world-accessible?  There should
> > be a way to either have it listen on localhost only, or not listen on
> 
> Sure, don't run the daemon at all.  When you install exim, "rm
> /etc/init.d/rc?.d/S*exim" and it won't start.  Local processes will be
/etc/rc?.d/S*exim
> able to send mail via the /usr/sbin/sendmail link, and there's a cronjob
> in /etc/cron.d/exim that'll try to clear the queue twice an hour.
> 
There was a discussion on this list earlier about creating a better way
than just removing a link from /etc/rc?.d.  Either it should work through
update-rc.d or debconf.  This is a lot neater than removing a link from
the startup directories, which IMHO should not have to be touched
directly by the administrator.

> > and perhaps this should be the default (correct me if this is already
> > the case, but I don't recall it being so).  Would it be feasible to
> 
> There isn't a default, it just leaves the package unconfigured, IIRC.
> 
> 
> 

-- 
;;
;; Matthew Danish email: [EMAIL PROTECTED] ;;
;; GPG public key available from:'finger [EMAIL PROTECTED]' ;;
;;




Re: Many ports open by default

2001-04-30 Thread Will Lowe
> > I think it's safe to assume that your system MUST have a working MTA of
> > some sort (even if it's local-only, which is supported by eximconfig).
> This is true, but does it need to be world-accessible?  There should
> be a way to either have it listen on localhost only, or not listen on

Sure, don't run the daemon at all.  When you install exim, "rm
/etc/init.d/rc?.d/S*exim" and it won't start.  Local processes will be
able to send mail via the /usr/sbin/sendmail link, and there's a cronjob
in /etc/cron.d/exim that'll try to clear the queue twice an hour.

> and perhaps this should be the default (correct me if this is already
> the case, but I don't recall it being so).  Would it be feasible to

There isn't a default, it just leaves the package unconfigured, IIRC.




Re: Many ports open by default

2001-04-30 Thread mdanish
On Mon, Apr 30, 2001 at 08:12:59PM +, Will Lowe wrote:
> > Actually there are some packages that depend on a mail-transport-agent,
> > (such as lilo->logrotate->mailx), yet one may not want to have an MTA
> > running on certain systems.  I suppose a dummy or minimal MTA may be
> 
> I think it's safe to assume that your system MUST have a working MTA of
> some sort (even if it's local-only, which is supported by eximconfig).
> Running a Unix system without an MTA *at*all* means that you won't get
> notified of failing cron jobs, etc. ...
This is true, but does it need to be world-accessible?  There should be a
way to either have it listen on localhost only, or not listen on TCP at all,
and perhaps this should be the default (correct me if this is already
the case, but I don't recall it being so).  Would it be feasible to shoot
for a base install with no daemons listening on INADDR_ANY?

> 
> > used (and may exist, I'm not aware), but this certainly highlights the
> 
> "apt-get install ssmtp".  Note that this has terrible behaviour on even
> transient failure -- it just drops messages into dead-letter.  Exim (don't
> run the daemon, just the cronjob that cleans the queue) works better for
> me.
> 
> The OTHER daemons (certainly xdm) are optional.  But I think it's probably
> safe to say that running Debian without an MTA is "unsupported".
> 
>   Will
> 
> 
> 

-- 
;;
;; Matthew Danish email: [EMAIL PROTECTED] ;;
;; GPG public key available from:'finger [EMAIL PROTECTED]' ;;
;;
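
Added example, not part of the original post: one way to check a host against the goal stated above of having no daemons listening on INADDR_ANY. It classifies listening TCP sockets from `ss -Hltn`-style output as wildcard, loopback or bound to a specific address; the function names and the sample lines are constructed for the illustration.

```shell
#!/bin/sh
# Classify listening TCP sockets by bind scope.
# Input: lines in the format printed by "ss -Hltn"
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Prints one line per listener: "<scope> <address> <port>".
classify_listeners() {
    awk '
    $1 == "LISTEN" {
        la = $4
        i = match(la, /:[0-9]+$/)      # the port follows the last colon
        if (i == 0) next
        addr = substr(la, 1, i - 1)
        port = substr(la, i + 1)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            scope = "WILDCARD"         # reachable on every interface
        else if (addr ~ /^127\./ || addr == "[::1]")
            scope = "loopback"         # local processes only
        else
            scope = "specific"         # bound to one configured address
        print scope, addr, port
    }'
}

# Prints the distinct ports that are bound to a wildcard address,
# sorted numerically and separated by spaces.
wildcard_ports() {
    classify_listeners |
        awk '$1 == "WILDCARD" { print $3 }' |
        sort -n -u |
        paste -s -d ' ' -
}

# Constructed sample input (not captured from a real machine):
# an MTA, portmap and sshd on all interfaces, a print service on
# loopback, and a name server on one documentation-range address.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 20   0.0.0.0:25     0.0.0.0:*
LISTEN 0 128  0.0.0.0:111    0.0.0.0:*
LISTEN 0 128  127.0.0.1:631  0.0.0.0:*
LISTEN 0 128  [::]:22        [::]:*
LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
LISTEN 0 5    192.0.2.10:53  0.0.0.0:*
EOF
}

sample_ss_output | classify_listeners
printf 'ports open on all interfaces: %s\n' "$(sample_ss_output | wildcard_ports)"
```

On a live system the same functions read `ss -Hltn | classify_listeners`; an MTA restricted to local delivery should show up as `loopback` or not at all.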




Re: Many ports open by default

2001-04-30 Thread Matt Zimmerman
On Tue, May 01, 2001 at 12:22:47AM +1000, Craig Sanders wrote:

> On Sun, Apr 29, 2001 at 10:29:58PM -0600, Dwayne C. Litzenberger wrote:
> > I suspect it's already been discussed before, so I'll ask instead of
> > flaming.  (See!  I can learn!)
> 
> many times before.
> 
> > Why does a server automatically get run just because it's installed?
> 
> because if you didn't want it to run, you wouldn't have installed it.
> 
> if you want to install it but not run it, then edit the startup script.
> 
> simple.

Or, rm /etc/rc?.d/S??package, and not have to worry about merging in future
changes to the init script.

-- 
 - mdz




Re: Many ports open by default

2001-04-30 Thread Will Lowe
> Actually there are some packages that depend on a mail-transport-agent,
> (such as lilo->logrotate->mailx), yet one may not want to have an MTA
> running on certain systems.  I suppose a dummy or minimal MTA may be

I think it's safe to assume that your system MUST have a working MTA of
some sort (even if it's local-only, which is supported by eximconfig).
Running a Unix system without an MTA *at*all* means that you won't get
notified of failing cron jobs, etc. ...

> used (and may exist, I'm not aware), but this certainly highlights the

"apt-get install ssmtp".  Note that this has terrible behaviour on even
transient failure -- it just drops messages into dead-letter.  Exim (don't
run the daemon, just the cronjob that cleans the queue) works better for
me.

The OTHER daemons (certainly xdm) are optional.  But I think it's probably
safe to say that running Debian without an MTA is "unsupported".

Will




Re: Many ports open by default

2001-04-30 Thread mdanish
On Mon, Apr 30, 2001 at 02:25:34AM -0400, Andres Salomon wrote:
> Why would you keep something around if you don't want to run it?  Debian
> makes the (correct) assumption that if you've installed something, you
> want to run it.  If i install bind, it will assume i want it to run.  If
> i install exim, it will first configure it for me (prompting me), and
> then assume i want to run it.  Why should portmap be any different?
> The question you should be asking is, why is portmap installed by default?
> Similarly, is there something that can be done during installation that
> asks the user if certain things (nfs) that require portmap should be
> installed.  If there's nothing that depends on portmap, then default
> to not installing portmap.  Having daemons shut off by default is
> not the way to go, however.
Actually there are some packages that depend on a mail-transport-agent,
(such as lilo->logrotate->mailx), yet one may not want to have an MTA
running on certain systems.  I suppose a dummy or minimal MTA may be
used (and may exist, I'm not aware), but this certainly highlights the
need to be able to disable daemons but still have them installed; especially
since most MTA's still have certain functionality even when not listening
on port 25.

Another common one is xdm (even though it's more than just a network daemon), 
which task-x-window-system depends on, and to remove xdm one must remove 
task-x-window-system.
> 
> 
> On Sun, Apr 29, 2001 at 10:29:58PM -0600, Dwayne C. Litzenberger wrote:
> > 
> > Why does a server automatically get run just because it's installed?  For
> > instance, portmap is installed by default whether you're using NFS or not, 
> > and
> > bnetd runs even if I just installed the package for bnchat.  Shouldn't the
> > default be to not run daemons unless they are explicitly enabled, like an
> > "exit" at the beginning of all daemon-starting init scripts that must be
> > commented out?
> > 
> > -- 
> > Dwayne C. Litzenberger - [EMAIL PROTECTED]
> 
> 
> 
> -- 
> "... being a Linux user is sort of like living in a house inhabited
> by a large family of carpenters and architects. Every morning when
> you wake up, the house is a little different. Maybe there is a new
> turret, or some walls have moved. Or perhaps someone has temporarily
> removed the floor under your bed." - Unix for Dummies, 2nd Edition
> -- found in the .sig of Rob Riggs, [EMAIL PROTECTED]
> 
> 
> 

-- 
;;
;; Matthew Danish email: [EMAIL PROTECTED] ;;
;; GPG public key available from:'finger [EMAIL PROTECTED]' ;;
;;




Re: Many ports open by default

2001-04-30 Thread Wolfgang Sourdeau
> As always, that would be true if they weren't installed by default. The
> current method requires too much prior knowledge.

This could be put as a question whenever someone installs Debian
GNU/Linux. Something like "Do you want to enable the installed server
software by default. Beware that this might cause security problems on
your system since it is recommended to only run server programs if and
only if needed. If you do not feel confident enough with system
administration, you should answer No here."

This seems to be a reasonable thing to me.


W.




Re: Many ports open by default

2001-04-30 Thread Warren A. Layton
On Tue, May 01, 2001 at 12:28:49AM +1000, Craig Sanders wrote:

> 1. ssh and sshd should be split into separate packages.  if it bothers you
> enough, file a bug report.  i'm happy with the way it is.
> 
> or
> 
> 2. the handful of people who want the ssh client but not the ssh daemon
> can learn how to edit /etc/init.d/ssh

It has been pointed out that ssh actually handles this correctly with
debconf, giving users the choice. I was just trying to use it as an
example but it seems that everything has already been taken care of.

Warren

-- 
Warren A. Layton
http://www.netwinder.org/~zeevon
GPG Fingerprint: F54C 019D 18BE 6ED8 678D  39D0 21FD D515 BFB8 80A3 




Re: Many ports open by default

2001-04-30 Thread Michael Stone
On Tue, May 01, 2001 at 12:22:47AM +1000, Craig Sanders wrote:
> On Sun, Apr 29, 2001 at 10:29:58PM -0600, Dwayne C. Litzenberger wrote:
> > Why does a server automatically get run just because it's installed?
> 
> because if you didn't want it to run, you wouldn't have installed it.

As always, that would be true if they weren't installed by default. The
current method requires too much prior knowledge.

-- 
Mike Stone




Re: Many ports open by default

2001-04-30 Thread Frederico Muñoz

Warren A. Layton wrote:
> On Mon, Apr 30, 2001 at 02:25:34AM -0400, Andres Salomon wrote:
> > Why would you keep something around if you don't want to run it?  Debian
> > makes the (correct) assumption that if you've installed something, you
> > want to run it.  If i install bind, it will assume i want it to run.
>
> Well, not everyone that installs ssh wants to run the server (some may just
> want to use the client to connect to other machines). This is just one
> example; I'm sure that there are many more.

There could be, but in the specific case of ssh, and IIRC, debconf asks
if you want to run the server or not; I even think that the default field
selected is 'No'. Of course, if you say 'Yes' then the server will run and
the port will open.

My 2 cents,
Regards,
fsm
--
Frederico Muñoz
[EMAIL PROTECTED]



Re: Many ports open by default

2001-04-30 Thread Craig Sanders
On Mon, Apr 30, 2001 at 07:37:21AM -0500, Warren A. Layton wrote:
> Well, not everyone that installs ssh wants to run the server (some may
> just want to use the client to connect to other machines). This is
> just one example; I'm sure that there are many more.

that means either:

1. ssh and sshd should be split into separate packages.  if it bothers you
enough, file a bug report.  i'm happy with the way it is.

or

2. the handful of people who want the ssh client but not the ssh daemon
can learn how to edit /etc/init.d/ssh

craig


--
craig sanders <[EMAIL PROTECTED]>

  GnuPG Key: 1024D/CD5626F0 
Key fingerprint: 9674 7EE2 4AC6 F5EF 3C57  52C3 EC32 6810 CD56 26F0




Re: Many ports open by default

2001-04-30 Thread Craig Sanders
On Mon, Apr 30, 2001 at 02:25:34AM -0400, Andres Salomon wrote:

> If there's nothing that depends on portmap, then default to not
> installing portmap.

speaking of portmap, debian's portmap is not an insecure thing to run by
default because it is compiled with tcp-wrappers support and rejects all
non-localhost connections that aren't explicitly allowed (by ip address)
in /etc/hosts.allow

> Having daemons shut off by default is not the way to go, however.

yep.


craig

--
craig sanders <[EMAIL PROTECTED]>

  GnuPG Key: 1024D/CD5626F0 
Key fingerprint: 9674 7EE2 4AC6 F5EF 3C57  52C3 EC32 6810 CD56 26F0




Re: Many ports open by default

2001-04-30 Thread Craig Sanders
On Sun, Apr 29, 2001 at 10:29:58PM -0600, Dwayne C. Litzenberger wrote:
> I suspect it's already been discussed before, so I'll ask instead of
> flaming.  (See!  I can learn!)

many times before.

> Why does a server automatically get run just because it's installed?

because if you didn't want it to run, you wouldn't have installed it.

if you want to install it but not run it, then edit the startup script.

simple.

> Shouldn't the default be to not run daemons unless they are explicitly
> enabled, [...]

no, users shouldn't install daemon packages if they don't want the
daemon to run - or they should learn how to edit the startup scripts (or
inetd.conf) if they want non-standard behaviour.

craig


--
craig sanders <[EMAIL PROTECTED]>

  GnuPG Key: 1024D/CD5626F0 
Key fingerprint: 9674 7EE2 4AC6 F5EF 3C57  52C3 EC32 6810 CD56 26F0




Re: Many ports open by default

2001-04-30 Thread Josip Rodin
On Mon, Apr 30, 2001 at 02:25:34AM -0400, Andres Salomon wrote:
> The question you should be asking is, why is portmap installed by default?

Fortunately, nowadays it can be removed since it's no longer part of
netbase.

-- 
Digital Electronic Being Intended for Assassination and Nullification




Re: Many ports open by default

2001-04-30 Thread Josip Rodin
On Mon, Apr 30, 2001 at 07:37:21AM -0500, Warren A. Layton wrote:
> > Why would you keep something around if you don't want to run it?  Debian
> > makes the (correct) assumption that if you've installed something, you
> > want to run it.  If i install bind, it will assume i want it to run. 
> 
> Well, not everyone that installs ssh wants to run the server (some may just
> want to use the client to connect to other machines). This is just one
> example; I'm sure that there are many more.

ssh asks you if you want to run sshd.

-- 
Digital Electronic Being Intended for Assassination and Nullification




Re: Many ports open by default

2001-04-30 Thread Dwayne C. Litzenberger
I'm not suggesting we "ruin" anything.  exit 0 isn't the only way to disable
something by default.

My main concern is of security.  I know a newbie who installed Debian
recently, and he has something like 15 open ports, which wouldn't be a problem
except for the history of these daemons to have root exploits.

I just don't think I should have to "lock down" a Debian machine that is going
to be used for nothing but web browsing, nor should a newbie have to.

I like OpenBSD's security level option that you can set at install time.
 
-- 
Dwayne C. Litzenberger - [EMAIL PROTECTED]




Re: Many ports open by default

2001-04-30 Thread Anthony Towns
On Mon, Apr 30, 2001 at 07:37:21AM -0500, Warren A. Layton wrote:
> On Mon, Apr 30, 2001 at 02:25:34AM -0400, Andres Salomon wrote:
> > Why would you keep something around if you don't want to run it?  Debian
> > makes the (correct) assumption that if you've installed something, you
> > want to run it.  If i install bind, it will assume i want it to run. 
> Well, not everyone that installs ssh wants to run the server (some may just
> want to use the client to connect to other machines). This is just one
> example; I'm sure that there are many more.

And, indeed, there's a debconf question for this very reason. OTOH, anyone
who wants to use telnet, but not telnetd, can just install the telnet.deb,
but not the telnetd.deb.

In general, services get their own package, and when they do, if you
don't want them running: don't install them.

Cheers,
aj

-- 
Anthony Towns <[EMAIL PROTECTED]> 
I don't speak for anyone save myself. GPG signed mail preferred.

``_Any_ increase in interface difficulty, in exchange for a benefit you
  do not understand, cannot perceive, or don't care about, is too much.''
  -- John S. Novak, III (The Humblest Man on the Net)




Re: Many ports open by default

2001-04-30 Thread Dwayne C. Litzenberger
> Why would you keep something around if you don't want to run it?  Debian
> makes the (correct) assumption that if you've installed something, you
> want to run it.  If i install bind, it will assume i want it to run.  

I may want to look at the package's documentation, or use some tool that's not
packaged by itself.

> If i install exim, it will first configure it for me (prompting me), and
> then assume i want to run it.  Why should portmap be any different?  The
> question you should be asking is, why is portmap installed by default?
> Similarly, is there something that can be done during installation that
> asks the user if certain things (nfs) that require portmap should be
> installed.  If there's nothing that depends on portmap, then default to not
> installing portmap.  Having daemons shut off by default is not the way to
> go, however.
 
Perhaps a configuration option that is checked at install time to decide
whether or not to uncomment a "#exit 0 #APT" near the top of init scripts?

-- 
Dwayne C. Litzenberger - [EMAIL PROTECTED]




Re: Many ports open by default

2001-04-30 Thread Paul Martin
On Mon, Apr 30, 2001 at 08:45:44AM +0300, Sami Haahtinen wrote:
> The 'exit 0' line in the beginning of the init file is a bad idea. for so many
> times i've commented out the '### comment this line to really start the
> service' lines. and then after upgrade gotten into the position where i have
> to diff between two maintainer scripts to add the changes or just replace the
> old script and recomment the exit line.

The strategy I'm taking for mars-nwe's init.d script is:

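case "$1" in
  start)
    # No configuration file at all: nothing to start.
    test -f /etc/mars-nwe/nwserv.conf || exit 0
    # The shipped config still carries the marker line: refuse to start.
    if grep -q "^### NOT CONFIGURED YET ###" /etc/mars-nwe/nwserv.conf
    then
        echo "mars-nwe has not yet been configured."
        exit 0
    fi
    echo -n "Starting $DESC: "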

However, this is a special case, as my idea of "sensible defaults" are
very unlikely to appear sensible to most users. I'd rather the default
to be no service, rather than insecure server.

-- 
Paul Martin <[EMAIL PROTECTED]>




Re: Many ports open by default

2001-04-30 Thread Warren A. Layton
On Mon, Apr 30, 2001 at 02:25:34AM -0400, Andres Salomon wrote:
> Why would you keep something around if you don't want to run it?  Debian
> makes the (correct) assumption that if you've installed something, you
> want to run it.  If i install bind, it will assume i want it to run. 

Well, not everyone that installs ssh wants to run the server (some may just
want to use the client to connect to other machines). This is just one
example; I'm sure that there are many more.

Warren

-- 
Warren A. Layton
http://www.netwinder.org/~zeevon
GPG Fingerprint: F54C 019D 18BE 6ED8 678D  39D0 21FD D515 BFB8 80A3 




Re: Many ports open by default

2001-04-30 Thread Andres Salomon
On Sun, Apr 29, 2001 at 11:43:43PM -0700, Aaron Lehmann wrote:
> 
> On Mon, Apr 30, 2001 at 02:25:34AM -0400, Andres Salomon wrote:
> > Why would you keep something around if you don't want to run it?  Debian
> > makes the (correct) assumption that if you've installed something, you
> > want to run it.
> 
> That's not true. inetd is depended on by the lame metapackage netbase,
> but I do not want to run inetd.
> 

I completely agree; however, this is a bug in netbase.  AJ obviously
disagrees (bug #92465) w/ me. :P


-- 
"... being a Linux user is sort of like living in a house inhabited
by a large family of carpenters and architects. Every morning when
you wake up, the house is a little different. Maybe there is a new
turret, or some walls have moved. Or perhaps someone has temporarily
removed the floor under your bed." - Unix for Dummies, 2nd Edition
-- found in the .sig of Rob Riggs, [EMAIL PROTECTED]




Re: Many ports open by default

2001-04-30 Thread Aaron Lehmann
On Mon, Apr 30, 2001 at 02:25:34AM -0400, Andres Salomon wrote:
> Why would you keep something around if you don't want to run it?  Debian
> makes the (correct) assumption that if you've installed something, you
> want to run it.

That's not true. inetd is depended on by the lame metapackage netbase,
but I do not want to run inetd.




Re: Many ports open by default

2001-04-30 Thread Andres Salomon
Why would you keep something around if you don't want to run it?  Debian
makes the (correct) assumption that if you've installed something, you
want to run it.  If i install bind, it will assume i want it to run.  If
i install exim, it will first configure it for me (prompting me), and
then assume i want to run it.  Why should portmap be any different?
The question you should be asking is, why is portmap installed by default?
Similarly, is there something that can be done during installation that
asks the user if certain things (nfs) that require portmap should be
installed.  If there's nothing that depends on portmap, then default
to not installing portmap.  Having daemons shut off by default is
not the way to go, however.


On Sun, Apr 29, 2001 at 10:29:58PM -0600, Dwayne C. Litzenberger wrote:
> 
> Why does a server automatically get run just because it's installed?  For
> instance, portmap is installed by default whether you're using NFS or not, and
> bnetd runs even if I just installed the package for bnchat.  Shouldn't the
> default be to not run daemons unless they are explicitly enabled, like an
> "exit" at the beginning of all daemon-starting init scripts that must be
> commented out?
> 
> -- 
> Dwayne C. Litzenberger - [EMAIL PROTECTED]



-- 
"... being a Linux user is sort of like living in a house inhabited
by a large family of carpenters and architects. Every morning when
you wake up, the house is a little different. Maybe there is a new
turret, or some walls have moved. Or perhaps someone has temporarily
removed the floor under your bed." - Unix for Dummies, 2nd Edition
-- found in the .sig of Rob Riggs, [EMAIL PROTECTED]




Re: Many ports open by default

2001-04-30 Thread Sami Haahtinen
On Sun, Apr 29, 2001 at 10:29:58PM -0600, Dwayne C. Litzenberger wrote:
> Why does a server automatically get run just because it's installed?  For
> instance, portmap is installed by default whether you're using NFS or not, and
> bnetd runs even if I just installed the package for bnchat.  Shouldn't the
> default be to not run daemons unless they are explicitly enabled, like an
> "exit" at the beginning of all daemon-starting init scripts that must be
> commented out?

The 'exit 0' line in the beginning of the init file is a bad idea. for so many
times i've commented out the '### comment this line to really start the
service' lines. and then after upgrade gotten into the position where i have
to diff between two maintainer scripts to add the changes or just replace the
old script and recomment the exit line.

the usual policy has been, (to my knowledge) if you can't set reasonable
defaults for the daemon (yes, this is why debconf is there) you should add some
method that won't allow it to start. Otherwise, if you can set reasonable
defaults or better yet, configure it while installing, it should be enabled by
default.

the above schema allows upgrading of packages without always editing the init
files, and almost always assures that you have working system after installing
the packages.

If you don't want the daemons to start, don't install it. there are no daemons
that either cannot be easily disabled (with update-inetd or something) or
removed. This is one of the most powerful features of Debian, why would we want
to ruin that?

-- 
  -< Sami Haahtinen >-
-< 2209 3C53 D0FB 041C F7B1  F908 A9B6 F730 B83D 761C >-




Many ports open by default

2001-04-29 Thread Dwayne C. Litzenberger
I suspect it's already been discussed before, so I'll ask instead of flaming.
(See!  I can learn!)

Why does a server automatically get run just because it's installed?  For
instance, portmap is installed by default whether you're using NFS or not, and
bnetd runs even if I just installed the package for bnchat.  Shouldn't the
default be to not run daemons unless they are explicitly enabled, like an
"exit" at the beginning of all daemon-starting init scripts that must be
commented out?

-- 
Dwayne C. Litzenberger - [EMAIL PROTECTED]

