Services that can start by default policy feedback
Till Maas
opensource at till.name
Thu Feb 24 16:59:33 UTC 2011
On Thu, Feb 24, 2011 at 03:04:26PM +0000, Matthew Garrett wrote:
> And once you've got a default set for the default install, why not just
> do it at the package level and ensure some level of consistency?
Because by enabling lots of potential vulnerable services you make it a
PITA to use Fedora securely. A proper way would be to have some system
setting to specify whether or not non-essential services require
explicit enabling, e.g. a file in /etc/sysconfig/initscripts file with a
variable that one can set to true, which ensures that all not explicitly
enabled services won't be enabled.
It is pretty easy to notice that a wanted service does not run compared
to notice that an unwanted/unused service suddenly runs, because an
innocent looking package has been installed. This is a trap that is
usually set on Debian systems which everyone I know who uses Debian
dislikes.
Regards
Till
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20110224/4f68da78/attachment.bin
More information about the devel
mailing list