Limiting the power of package installation in Debian

Posted Nov 18, 2018 14:29 UTC (Sun) by jezuch (subscriber, #52988)
In reply to: Limiting the power of package installation in Debian by berndp
Parent article: Limiting the power of package installation in Debian

Debian's motto is (was?) "just apt install it" (or something like that), which means that no additional manual steps are needed bedsides installing, the thing is immediately ready to be used. You really think this is not the sensible approach? If you want just the documentation, just apt install the corresponding -doc package.

Limiting the power of package installation in Debian

Posted Nov 19, 2018 21:03 UTC (Mon) by berndp (guest, #52035) [Link] (3 responses)

That motto is insecure by design - obviously.
It may also sound/be installation person friendly which may make it easier to sell Debian as such.

In reality, that motto is good for the "don't care about security" faction as the stuff just runs (somehow ...).
But for the "I want to know what I do" faction, one has to stop the daemon immediately (or add some iptables rules beforehand) so that one can read and think about the configuration - let alone testing it.

Well, thank you for pointing out explicitly what folks can expect from Debian on a real server accessible to the real Internet ....

Limiting the power of package installation in Debian

Posted Nov 20, 2018 11:24 UTC (Tue) by laarmen (subscriber, #63948) [Link] (2 responses)

IIRC most daemons are started automatically but don't listen to the outside, only localhost. (I might be wrong though)

Security is not a black-and-white issue. One might think that having a daemon automatically configured with sensible settings for basic, domestic use (such as, well, listening to localhost only), so that the user doesn't have to do anything, is better than having them copy-paste instructions from a random webpage on the Internet.

Limiting the power of package installation in Debian

Posted Nov 20, 2018 11:58 UTC (Tue) by karkhaz (subscriber, #99844) [Link] (1 responses)

I just had a look at the Debian openssh-server package, and it seems like it's open to the internet by default. (Though I don't have a Debian system to test on, so would be happy to be corrected either about that, or about the service being started upon installation).

If all of that is true, then I'd be especially concerned because the openssh-server package is pulled in by the ssh metapackage. It wouldn't surprise me if a new user, being asked to install SSH, took that to mean running `apt-get install ssh` and therefore inadvertently ended up with sshd connected to the internet when all they wanted was the client (openssh-client).

Anyway, if daemons are started automatically but only listen to localhost, then that still contradicts the "just apt-install it" motto, since you'll need to edit sshd.conf to do anything useful. If you're going to make the user do work, it's surely better to have a sane default sshd.conf and ask them to run `systemctl start sshd`, than to ask them to edit a text file and run the same command, except for s/start/restart?

Limiting the power of package installation in Debian

Posted Nov 20, 2018 14:22 UTC (Tue) by laarmen (subscriber, #63948) [Link]

sshd is different, as it cannot be useful without outside communication. There are few cases like that (Avahi and ntpd both come to mind). I'm with you with the apt install ssh scenario though.

I'm actually surprised, as Apache2 seems to listen to the outside by default (no fresh Debian at hand here though) even though there are relatively valid reasons to have a local-only web server. But in any cases, these are only examples, and I still think the policy of starting the services automatically with a sane default config is helpful for non-expert users, at the cost of a mild annoyance for the expert users.