Services that can start by default policy feedback
opensource at till.name
Sun Feb 27 22:13:44 UTC 2011
On Sun, Feb 27, 2011 at 07:21:30PM +0000, Matthew Garrett wrote:
> On Sun, Feb 27, 2011 at 04:33:56PM +0100, Till Maas wrote:
> > On Fri, Feb 25, 2011 at 07:00:20PM +0000, Matthew Garrett wrote:
> > > On Fri, Feb 25, 2011 at 07:30:34PM +0100, Till Maas wrote:
> > >
> > > > The services that are started when the respective package is installed
> > > > and the services that are enabled by default by the Fedora installer do
> > > > not need to be the same and are afaik currently not the same. There is
> > > > imho a huge difference, whether services are enabled during
> > > > installation, because afterwards one can usually expect that there are
> > > > unwanted services and whether services are enabled after the respective
> > > > package is installed long after the system has been installed.
> > >
> > > I think multipath is the only service enabled by Anaconda. Everything
> > > else depends on the package doing so.
> > This does not mean that this is a good way or the only way to do this.
> No, but it does mean that what you're proposing would involve adding
> functionality to Anaconda. The current situation is that the services
> that are started when the respective package is installed and the
> services that are enabled by default by the Fedora installer *are* the
You wrote that Anaconda already has the code to active services, so
there is no additional functionality needed. Only the list of services
to be enabled needs to be extended. Nevertheless, this is a lot cleaner
solution that having to recommend to users of Fedora to not install
packages on systems on a network or with non-admin users logged in to
avoid potential security risks because services might activate
Btw. it is also possible to move the initial activation of services into
a single package that actives the respective services once after
installation, so no changes to the Anaconda code is even required.
People who want a secure system can then just deselect it. It could work
like the firstboot package.
Btw. in case someone with yum plugin writing skills reads this: Is it
possible with a yum plugin that manipulates rpm scriptlets, e.g. one
that makes sure that no rpm can enable a service using "service foo on"?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 836 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20110227/1fdeb739/attachment.bin
More information about the devel