Christian Borntraeger <[EMAIL PROTECTED]> writes:

> I have some installed packages but don't start them during bootup. I disabled 
> them with chkconfig.
> Unfortunately they are reactivated after an update, even if it's a security 
> update. If you don't care, you have listening ports you don't even know 
> about. (drakxtools_http is another config thing which listens on TCP/IP)

This is weird. I don't have such a problem. And there shouldn't be
such a problem:

drakxtools_http's %post used to have:
  if [ $1 = 1 ]; then /sbin/chkconfig --add drakxtools_http; fi

it now has:
  /usr/share/rpm-helper/add-service drakxtools $1 drakxtools_http

which should do the same, i.e. only call chkconfig at install, not when
upgrading.

> I consider this a high security risk.
> In my opinion installation and activation should be _strictly_ separated. 
> Standard should be _off_ with an easy turn-on option in drakconf and during 
> installation (which exists, but after a simple security update the disabled 
> tools are activated).
> 
> The same is valid for XFree. Debian has the -nolisten tcp option as standard, 
> which is the best solution for desktop usage. After all, a desktop system 
> should have 0 listening ports.  
> 
> Are there other opinions and arguments to convince me of the opposite?

This has already been discussed quite a few times.

- most desktop ports that do not disturb standard usage have been
closed. The still-open ones are X11, and portmap when client NFS is used (for
lockd). No easy solution for them (even if they do exist)

- servers that can have sensible default configurations are better
activated by default (example: sshd). Those packages are installed
when you ask for them, and are not installed without you asking for
them. DrakX warns about these servers.

For higher security, use a higher security level in msec! You'll get
firewalling closing ports, services disabled by default...
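An added example (not code from the thread, nor from Mandrake's rpm-helper scripts): a POSIX sh version of the install-only registration logic discussed above, so the install-versus-upgrade behaviour of the %post argument can be checked offline. The function name, the CHKCONFIG override variable and the sample calls are assumptions made for this example.

```shell
#!/bin/sh
# RPM passes the number of package instances that will remain after the
# operation as $1 to %post: 1 means a fresh install, 2 or more means an
# upgrade. Registering the service only when $1 = 1 is what keeps a
# security update from re-enabling a service the admin turned off.

# CHKCONFIG is overridable so the logic can be exercised without the real
# /sbin/chkconfig (assumption for this example, not an rpm-helper feature).
CHKCONFIG="${CHKCONFIG:-/sbin/chkconfig}"

# add_service_post <rpm-count-arg> <service-name>
# Prints "add" when chkconfig --add would run (fresh install) and "skip"
# on an upgrade; returns 1 on a malformed count argument.
add_service_post() {
    count="$1"
    service="$2"
    case "$count" in
        1)
            # Fresh install: register the init script. Whether it ends up
            # enabled is decided by the script's chkconfig header, not here.
            "$CHKCONFIG" --add "$service" >/dev/null 2>&1 || true
            echo add
            ;;
        ''|*[!0-9]*)
            echo "add_service_post: bad count argument '$count'" >&2
            return 1
            ;;
        *)
            # Upgrade (2, 3, ...): leave the admin's on/off state untouched.
            echo skip
            ;;
    esac
}

# Constructed demonstration: the two cases a package sees in practice.
for n in 1 2; do
    printf '%%post with $1=%s -> %s\n' "$n" "$(add_service_post "$n" drakxtools_http)"
done
```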
