
Limiting the power of package installation in Debian

Posted Nov 18, 2018 11:19 UTC (Sun) by berndp (guest, #52035)
In reply to: Limiting the power of package installation in Debian by jccleaver
Parent article: Limiting the power of package installation in Debian

You really *never* *ever* want to start a daemon (or "service" or ...) automatically at boot time or after the installation because folks may want to install a package just to get to the manual pages and/or other documentation. Period.

And yes, security is the second reason (because folks may have a daemon running without knowing it).



Limiting the power of package installation in Debian

Posted Nov 18, 2018 14:29 UTC (Sun) by jezuch (subscriber, #52988) [Link] (4 responses)

Debian's motto is (was?) "just apt install it" (or something like that), which means that no additional manual steps are needed besides installing, the thing is immediately ready to be used. You really think this is not the sensible approach? If you want just the documentation, just apt install the corresponding -doc package.

Limiting the power of package installation in Debian

Posted Nov 19, 2018 21:03 UTC (Mon) by berndp (guest, #52035) [Link] (3 responses)

That motto is insecure by design - obviously.
It may also sound/be installation person friendly which may make it easier to sell Debian as such.

In reality, that motto is good for the "don't care about security" faction as the stuff just runs (somehow ...).
But for the "I want to know what I do" faction, one has to stop the daemon immediately (or add some iptables rules beforehand) so that one can read and think about the configuration - let alone testing it.

Well, thank you for pointing out explicitly what folks can expect from Debian on a real server accessible to the real Internet ....

Limiting the power of package installation in Debian

Posted Nov 20, 2018 11:24 UTC (Tue) by laarmen (subscriber, #63948) [Link] (2 responses)

IIRC most daemons are started automatically but don't listen to the outside, only localhost. (I might be wrong though)

Security is not a black-and-white issue. One might think that having a daemon automatically configured with sensible settings for basic, domestic use (such as, well, listening to localhost only), so that the user doesn't have to do anything, is better than having them copy-paste instructions from a random webpage on the Internet.

Limiting the power of package installation in Debian

Posted Nov 20, 2018 11:58 UTC (Tue) by karkhaz (subscriber, #99844) [Link] (1 responses)

I just had a look at the Debian openssh-server package, and it seems like it's open to the internet by default. (Though I don't have a Debian system to test on, so would be happy to be corrected either about that, or about the service being started upon installation).

If all of that is true, then I'd be especially concerned because the openssh-server package is pulled in by the ssh metapackage. It wouldn't surprise me if a new user, being asked to install SSH, took that to mean running `apt-get install ssh` and therefore inadvertently ended up with sshd connected to the internet when all they wanted was the client (openssh-client).

Anyway, if daemons are started automatically but only listen to localhost, then that still contradicts the "just apt-install it" motto, since you'll need to edit sshd.conf to do anything useful. If you're going to make the user do work, it's surely better to have a sane default sshd.conf and ask them to run `systemctl start sshd`, than to ask them to edit a text file and run the same command, except for s/start/restart?

Limiting the power of package installation in Debian

Posted Nov 20, 2018 14:22 UTC (Tue) by laarmen (subscriber, #63948) [Link]

sshd is different, as it cannot be useful without outside communication. There are few cases like that (Avahi and ntpd both come to mind). I'm with you with the apt install ssh scenario though.

I'm actually surprised, as Apache2 seems to listen to the outside by default (no fresh Debian at hand here though) even though there are relatively valid reasons to have a local-only web server. But in any case, these are only examples, and I still think the policy of starting the services automatically with a sane default config is helpful for non-expert users, at the cost of a mild annoyance for the expert users.
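
An added example, not part of any comment in this thread: one way to check the "localhost only or open to the outside" question raised above is to classify the listening TCP sockets reported by `ss -H -tlnp` after installing a package. The sample output, PIDs and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=612,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=612,fd=4))
LISTEN 0 511 *:80 *:* users:(("apache2",pid=845,fd=4))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=530,fd=7))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=401,fd=14))
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=530,fd=6))
"""


def is_loopback_only(host):
    """True if the bind address is reachable only from the local machine."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %scope
    if host == "*":                           # dual-stack wildcard bind
        return False
    ip = ipaddress.ip_address(host)
    mapped = getattr(ip, "ipv4_mapped", None)  # e.g. ::ffff:127.0.0.1
    if mapped is not None:
        ip = mapped
    return ip.is_loopback                     # 0.0.0.0 and :: are not loopback


def exposed_listeners(ss_output):
    """Return sorted (process, port) pairs bound beyond loopback."""
    exposed = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; the port follows the last colon.
        host, _, port = fields[3].rpartition(":")
        if is_loopback_only(host):
            continue
        # Process name is only present when ss had permission to read it.
        m = re.search(r'\(\("([^"]+)"', line)
        exposed.add((m.group(1) if m else "?", int(port)))
    return sorted(exposed)


if __name__ == "__main__":
    for name, port in exposed_listeners(SAMPLE):
        print(f"{name} listens on port {port} beyond loopback")
```

On a live system, feed it the real output instead of `SAMPLE`; `ss` needs root to show process names owned by other users.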

Limiting the power of package installation in Debian

Posted Nov 18, 2018 16:15 UTC (Sun) by mpr22 (subscriber, #60784) [Link] (1 responses)

Binary packages of daemons prepared by conscientious Linux distribution packagers are arranged like:

  • foobard Foobar daemon
  • foobard-doc Foobar daemon documentation

(with foobard encouraging but not compelling you to install foobard-doc).

If all you want is the doc, you can then simply install foobard-doc and now you have the documentation but not the daemon, so there is no possible way for the daemon to run because it isn't on your system.

Under that scheme, if foobard can be given a safe, sane default configuration for live systems, it's perfectly reasonable for the act of installing foobard through the package tool to also automatically start foobard.

(And yes, the first statement of this post is intended as a dogmatic assertion that any Linux distribution packager who prepares the binary package of a daemon and its documentation as a monolithic lump is by definition not sufficiently conscientious.)

Limiting the power of package installation in Debian

Posted Nov 19, 2018 20:55 UTC (Mon) by berndp (guest, #52035) [Link]

... if there is a separate -doc package.
Many packages don't have that. Or install a server/daemon together with the client.

Limiting the power of package installation in Debian

Posted Nov 18, 2018 22:43 UTC (Sun) by rodgerd (guest, #58896) [Link]

> And yes, security is the second reason

Indeed. "Listen on an open port by default" was one of the many things that Windows was ruthlessly (and rightly) mocked for at the start of the century.

