Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-08-13 Thread Alexander Reelsen

Hi

On Fri, Aug 10, 2001 at 05:17:58PM +0200, Marko Kreen wrote:
> On Thu, Aug 09, 2001 at 02:01:30PM -0700, Dale Southard wrote:
> > Marko Kreen [EMAIL PROTECTED] writes:
> > > Well, then we are back on square one - how do we disable a
> > > service?
> > If there is an interest in IRIX-style chkconfig, I can probably throw
> > something together from the scripts and docs I have lying around
> I would be interested.  :)
You might want to check file-rc or rcconf as well...


MfG/Regards, Alexander

-- 
Alexander Reelsen   http://joker.rhwd.de
[EMAIL PROTECTED]   GnuPG: pub 1024D/F0D7313C  sub 2048g/6AA2EDDB
[EMAIL PROTECTED]   7D44 F4E3 1993 FDDF 552E  7C88 EE9C CBD1 F0D7 313C
Securing Debian:    http://joker.rhwd.de/doc/Securing-Debian-HOWTO


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-08-10 Thread Marko Kreen
On Thu, Aug 09, 2001 at 02:01:30PM -0700, Dale Southard wrote:
> Marko Kreen <marko@l-t.ee> writes:
> > Well, then we are back on square one - how do we disable a
> > service?
>
> As I said when I started this thread, IRIX style chkconfig is one
> option.  Redhat style chkconfig is another (I'll admit being biased
> towards IRIX's implementation, but I've used both and it's useful to
> compare the two).  A third would be some gui/cli for creating/deleting
> symlinks in the various rc?.d directories (but note that this option
> wouldn't survive updates).  And of course, doing nothing, or something
> completely different is also an option.  :-)
>
> If there is an interest in IRIX-style chkconfig, I can probably throw
> something together from the scripts and docs I have lying around

I would be interested.  :)

-- 
marko



Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-08-09 Thread Marko Kreen
On Wed, Aug 08, 2001 at 05:17:33PM -0700, Dale Southard wrote:
> Marko Kreen <marko@l-t.ee> writes:
> > I think this
> > is not good, it takes away flexibility.  IMHO it would be better
> > if only /etc/init.d/rc (& rcS) checks whether a service should be
> > auto-started on boot.  That way the responsibility is also
> > divided better, init-script's business is to start a service
> > and rc/rcS business is to start boot-time services.
>
> Interesting idea.  It certainly simplifies the implementation, but it
> actually reduces the flexibility, rather than adds to it.
>
> If the ``do I run service X'' check is done in rcS it means that each
> init.d script is either on or off.  This would eliminate the
> possibility of having more than one check in a script -- for example,
> it would be logical to configure the existing Debian networking script
> with chkconfig options for spoofprotect, syncookies, and ip_forward.
> This wouldn't be possible if the chkconfig is done in rcS.

Well, rcS could do overall 'do I run anything from this package' check,
then init script could check lesser variables, but maybe this gets
confusing.

> IRIX actually leverages this significantly -- there are a dozen or so
> different chkconfig controls in the IRIX networking script used to
> enable/disable starting of things like nfs, autofs, timed, gated, etc.

Well, we have basically one init script per package.  Now I want
state, that _nothing_ from this package gets started.  Do I need to
examine the init script then one-by-one disable all vars?

As in Debian most of the services are nicely split up, this should
not matter.


-- 
marko



Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-08-09 Thread Dale Southard
Marko Kreen <marko@l-t.ee> writes:

> > If the ``do I run service X'' check is done in rcS it means that each
> > init.d script is either on or off.  This would eliminate the
> > possibility of having more than one check in a script -- for example,
> > it would be logical to configure the existing Debian networking script
> > with chkconfig options for spoofprotect, syncookies, and ip_forward.
> > This wouldn't be possible if the chkconfig is done in rcS.
>
> Well, rcS could do overall 'do I run anything from this package' check,
> then init script could check lesser variables, but maybe this gets
> confusing.

I think it's easier (or at least more obvious) to put check in the
init.d scripts.  It also makes things optional -- package maintainers
can add support for (and dependence on) chkconfig on an individual
basis.


> > IRIX actually leverages this significantly -- there are a dozen or so
> > different chkconfig controls in the IRIX networking script used to
> > enable/disable starting of things like nfs, autofs, timed, gated, etc.
>
> Well, we have basically one init script per package.  Now I want
> state, that _nothing_ from this package gets started.  Do I need to
> examine the init script then one-by-one disable all vars?

Nope, you would likely have a hierarchy of checks in scripts that
start more than one service.

To use IRIX as an example, chkconfig'ing ``gated'' won't prevent the
other networking daemons from starting.  But chkconfig'ing ``network''
off prevents all the networking daemons (including gated) from
starting.

This also allows logical dependencies among related init.d scripts --
for instance there's no point in starting a service that depends on
portmap if portmap isn't running.  With a chkconfig like system this
type of dependence is as simple as two chkconfigs in an && clause.



> As in Debian most of the services are nicely split up, this should
> not matter.

Yes and no.  The init.d scripts are indeed much better split up in
Debian than in IRIX.  They need to be, since enabling/disabling a
service under Debian is generally done by not installing it or
adding/removing rc?.d links.  IRIX doesn't need to split out services
since the chkconfig system is available to control what is/isn't
started.

But in Debian there are still some individual options that require
editing of init.d scripts to enable or disable (see the mountnfs.sh
and networking scripts for examples).  Whether or not this makes
adding a system like chkconfig ``worth the trouble'' is another
question  :-)

-- 

/*  Dale Southard Jr.  [EMAIL PROTECTED]  925-422-1463, fax 422-9429  */
/*  Computer Scientist, Accelerated Strategic Computing Initiative  */
/*  L-073,  Lawrence Livermore National Lab,  Livermore CA   94551  */
/*  AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving  */



Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-08-09 Thread Marko Kreen
On Thu, Aug 09, 2001 at 12:38:52PM -0700, Dale Southard wrote:
> Marko Kreen <marko@l-t.ee> writes:
> > Well, we have basically one init script per package.  Now I want
> > state, that _nothing_ from this package gets started.  Do I need to
> > examine the init script then one-by-one disable all vars?
>
> Nope, you would likely have a hierarchy of checks in scripts that
> start more than one service.
>
> To use IRIX as an example, chkconfig'ing ``gated'' won't prevent the
> other networking daemons from starting.  But chkconfig'ing ``network''
> off prevents all the networking daemons (including gated) from
> starting.

Hmm, currently such 'dependencies' are half-done using the SysV
'sequence numbers'.

> This also allows logical dependencies among related init.d scripts --
> for instance there's no point in starting a service that depends on
> portmap if portmap isn't running.  With a chkconfig like system this
> type of dependence is as simple as two chkconfigs in an && clause.

Btw, NetBSD is going in that direction.  It will use lots of
init.d scripts but not sequence numbers and rc.d links.  On boot
run order is calculated by examining dependencies.

> > As in Debian most of the services are nicely split up, this should
> > not matter.
>
> Yes and no.  The init.d scripts are indeed much better split up in
> Debian than in IRIX.  They need to be, since enabling/disabling a
> service under Debian is generally done by not installing it or
> adding/removing rc?.d links.  IRIX doesn't need to split out services
> since the chkconfig system is available to control what is/isn't
> started.
>
> But in Debian there are still some individual options that require
> editing of init.d scripts to enable or disable (see the mountnfs.sh
> and networking scripts for examples).  Whether or not this makes
> adding a system like chkconfig ``worth the trouble'' is another
> question  :-)

Well, then we are back on square one - how do we disable a
service?

-- 
marko



Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-08-09 Thread Dale Southard
Marko Kreen <marko@l-t.ee> writes:

> On Thu, Aug 09, 2001 at 12:38:52PM -0700, Dale Southard wrote:
> > Marko Kreen <marko@l-t.ee> writes:
> > > Well, we have basically one init script per package.  Now I want
> > > state, that _nothing_ from this package gets started.  Do I need to
> > > examine the init script then one-by-one disable all vars?
> >
> > Nope, you would likely have a hierarchy of checks in scripts that
> > start more than one service.
> >
> > To use IRIX as an example, chkconfig'ing ``gated'' won't prevent the
> > other networking daemons from starting.  But chkconfig'ing ``network''
> > off prevents all the networking daemons (including gated) from
> > starting.
>
> Hmm, currently such 'dependencies' are half-done using the SysV
> 'sequence numbers'.

The sequence numbers correctly order the services (in both IRIX and
Debian), but don't actually do anything about disabling things with
logical dependencies.  Using the IRIX example, `chkconfig network off`
turns an IRIX box into a clean standalone machine.  In Debian, one can
remove an rc?.d symlink, but doing so in no way prevents daemons that
depended on the service from starting.


> > > As in Debian most of the services are nicely split up, this should
> > > not matter.
> >
> > Yes and no.  The init.d scripts are indeed much better split up in
> > Debian than in IRIX.  They need to be, since enabling/disabling a
> > service under Debian is generally done by not installing it or
> > adding/removing rc?.d links.  IRIX doesn't need to split out services
> > since the chkconfig system is available to control what is/isn't
> > started.
> >
> > But in Debian there are still some individual options that require
> > editing of init.d scripts to enable or disable (see the mountnfs.sh
> > and networking scripts for examples).  Whether or not this makes
> > adding a system like chkconfig ``worth the trouble'' is another
> > question  :-)
>
> Well, then we are back on square one - how do we disable a
> service?

As I said when I started this thread, IRIX style chkconfig is one
option.  Redhat style chkconfig is another (I'll admit being biased
towards IRIX's implementation, but I've used both and it's useful to
compare the two).  A third would be some gui/cli for creating/deleting
symlinks in the various rc?.d directories (but note that this option
wouldn't survive updates).  And of course, doing nothing, or something
completely different is also an option.  :-)

If there is an interest in IRIX-style chkconfig, I can probably throw
something together from the scripts and docs I have lying around


-- 

/*  Dale Southard Jr.  [EMAIL PROTECTED]  925-422-1463, fax 422-9429  */
/*  Computer Scientist, Accelerated Strategic Computing Initiative  */
/*  L-073,  Lawrence Livermore National Lab,  Livermore CA   94551  */
/*  AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving  */



Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-08-08 Thread Mike Fedyk

On Wed, Aug 08, 2001 at 08:44:50PM +0200, Marko Kreen wrote:
> On Wed, Jul 25, 2001 at 11:05:25AM -0700, Dale Southard wrote:
> > Why not use something like the IRIX ``chkconfig'' system: Provide a
> > simple program that takes the ``name'' of a service and then checks an
> > external file/files for ``on'' or off status of each service, and
> > returns 0 if on, 1 if off.  Then have each init.d script do something
> > like:
> >
> >   case "$1" in
> >     'start')
> >       if /etc/chkconfig myservice; then
> >         # ...
> >         start myservice
> >         # ...
> >       fi
> >       ;;
> >   esac
>
> Would not it be better to put this login in rcS script?  That
> way the services can be manually started if needed (eg. for
> testing).
>

If you want to login before services start in single user mode then change:

# Set to yes if you want sulogin to be spawned on bootup
SULOGIN=yes

in /etc/default/rcS

Mike






Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-08-08 Thread Marko Kreen
On Wed, Jul 25, 2001 at 11:05:25AM -0700, Dale Southard wrote:
> Why not use something like the IRIX ``chkconfig'' system: Provide a
> simple program that takes the ``name'' of a service and then checks an
> external file/files for ``on'' or off status of each service, and
> returns 0 if on, 1 if off.  Then have each init.d script do something
> like:
>
>   case "$1" in
>     'start')
>       if /etc/chkconfig myservice; then
>         # ...
>         start myservice
>         # ...
>       fi
>       ;;
>   esac

Would not it be better to put this login in rcS script?  That
way the services can be manually started if needed (eg. for
testing).

-- 
marko



Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-08-08 Thread Dale Southard
Marko Kreen <marko@l-t.ee> writes:

> On Wed, Aug 08, 2001 at 02:56:46PM -0700, Mike Fedyk wrote:
> > On Wed, Aug 08, 2001 at 08:44:50PM +0200, Marko Kreen wrote:
> > > On Wed, Jul 25, 2001 at 11:05:25AM -0700, Dale Southard wrote:
> > > > Why not use something like the IRIX ``chkconfig'' system: Provide a
> > > > simple program that takes the ``name'' of a service and then checks an
> > > > external file/files for ``on'' or off status of each service, and
> > > > returns 0 if on, 1 if off.  Then have each init.d script do something
> > > > like:
> > > >
> > > >   case "$1" in
> > > >     'start')
> > > >       if /etc/chkconfig myservice; then
> > > >         # ...
> > > >         start myservice
> > > >         # ...
> > > >       fi
> > > >       ;;
> > > >   esac
> > >
> > > Would not it be better to put this login in rcS script?  That
> > > way the services can be manually started if needed (eg. for
> > > testing).
> > >
> >
> > If you want to login before services start in single user mode then change:
>
> Uh.  Of course I meant 'code'.  I have no idea how the word
> 'login' got there...
>
> Dale proposed that each init script checks itself whether it
> needs to be started, from some central location.

Actually, it is how SGI's IRIX works -- so it's not really my idea,
only something that I've seen work in practice and seems trivial to
implement.



> I think this
> is not good, it takes away flexibility.  IMHO it would be better
> if only /etc/init.d/rc (& rcS) checks whether a service should be
> auto-started on boot.  That way the responsibility is also
> divided better, init-script's business is to start a service
> and rc/rcS business is to start boot-time services.

Interesting idea.  It certainly simplifies the implementation, but it
actually reduces the flexibility, rather than adds to it.

If the ``do I run service X'' check is done in rcS it means that each
init.d script is either on or off.  This would eliminate the
possibility of having more than one check in a script -- for example,
it would be logical to configure the existing Debian networking script
with chkconfig options for spoofprotect, syncookies, and ip_forward.
This wouldn't be possible if the chkconfig is done in rcS.

IRIX actually leverages this significantly -- there are a dozen or so
different chkconfig controls in the IRIX networking script used to
enable/disable starting of things like nfs, autofs, timed, gated, etc.


> One easy hack would be to replace '-f' with '-x' in following
> code in rc, rcS:
>
>   [ ! -f $i ] && continue
>
> then later you can 'chmod -x' init scripts.  Problem with
> this is that on upgrade your 'settings' will be lost.

Exactly the problem we were discussing.  The advantage of the IRIX
chkconfig system is that it puts the ``on or off'' information for
each service in a directory that isn't clobbered by upgrades.  The
above replacement wouldn't likely survive upgrades. 


-- 

/*  Dale Southard Jr.  [EMAIL PROTECTED]  925-422-1463, fax 422-9429  */
/*  Computer Scientist, Accelerated Strategic Computing Initiative  */
/*  L-073,  Lawrence Livermore National Lab,  Livermore CA   94551  */
/*  AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving  */



Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-07-25 Thread Henrique de Moraes Holschuh

On Wed, 25 Jul 2001, Mike Fedyk wrote:
> Yes, make the default configurable if you have your debconf setting to
> medium or low and default to Don't start otherwise.

THAT is actually a good idea.

> > > Personally, I think there should either be a /etc/do-not-start/package dir that
> > > packages' init scripts check for non-existence before starting, or a
> > > commented entry in the config file that the init script checks for
> > > non-existence before starting...
> >
> > Well, now we're getting into heavy policy stuff  I think it would be hard
> > enough to get all the daemon postinst scripts to work in run and no-run mode.
>
> Actually, if we could get them all to source an sh script that
> contains that logic, all changes to policy would be self-contained.

Please you two, do your homework. Search for invoke-rc.d in debian-policy;
Since the sysvinit maintainer is MIA, you probably got a few weeks to
give suggestions.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh






Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-07-25 Thread Mike Fedyk

On Wed, Jul 25, 2001 at 01:37:00PM -0300, Henrique de Moraes Holschuh wrote:
> On Wed, 25 Jul 2001, Mike Fedyk wrote:
> > Yes, make the default configurable if you have your debconf setting to
> > medium or low and default to Don't start otherwise.
>
> THAT is actually a good idea.


Thanks

> > > > Personally, I think there should either be a /etc/do-not-start/package dir that
> > > > packages' init scripts check for non-existence before starting, or a
> > > > commented entry in the config file that the init script checks for
> > > > non-existence before starting...
> > >
> > > Well, now we're getting into heavy policy stuff  I think it would be hard
> > > enough to get all the daemon postinst scripts to work in run and no-run mode.
> >
> > Actually, if we could get them all to source an sh script that
> > contains that logic, all changes to policy would be self-contained.
>
> Please you two, do your homework. Search for invoke-rc.d in debian-policy;
> Since the sysvinit maintainer is MIA, you probably got a few weeks to
> give suggestions.


Actually, Steve posted the URL on the 23rd, and I'm just reading it now.

Let's see if we can get some progress out of this flame thread...

Mike






Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-07-25 Thread Mike Fedyk

On Sat, Jul 21, 2001 at 11:59:17PM -0700, Mike Fedyk wrote:
> > Personally, I think there should either be a /etc/do-not-start/package dir that
> > packages' init scripts check for non-existence before starting, or a
> > commented entry in the config file that the init script checks for
> > non-existence before starting...
>

On Sun, Jul 22, 2001 at 03:27:10AM -0400, Steven Barker wrote:
> Well, now we're getting into heavy policy stuff  I think it would be hard
> enough to get all the daemon postinst scripts to work in run and no-run mode.

> Mike Fedyk [EMAIL PROTECTED] writes:
> Actually, if we could get them all to source an sh script that
> contains that logic, all changes to policy would be self-contained.

On Wed, Jul 25, 2001 at 11:05:25AM -0700, Dale Southard wrote:
>
> I think I've shot this one out before, but...
>
> Why not use something like the IRIX ``chkconfig'' system: Provide a
> simple program that takes the ``name'' of a service and then checks an
> external file/files for ``on'' or off status of each service, and
> returns 0 if on, 1 if off.  Then have each init.d script do something
> like:
>
>   case "$1" in
>     'start')
>       if /etc/chkconfig myservice; then
>         # ...
>         start myservice
>         # ...
>       fi
>       ;;
>   esac


Very nice, even better than sourcing...

Though, source file is a one line change, and doesn't add logic to
each package.  But, that could lead to another flame war on what should
go in that sourced file...

> [In IRIX, the /etc/config directory has a file for each name chkconfig
> knows about that contains either ``on'' or ``off'' so adding a new
> service is as simple as `echo on > /etc/config/newservice`, though
> IRIX actually allows viewing and changing things with the chkconfig
> program itself (eg, `chkconfig` with no arguments lists every service
> known to chkconfig, `chkconfig service on|off` changes the state of a
> service, with a -f flag to ``force'' creation of a new service.)]

> This prevents ``update surprises'' since updating everything
> including the init.d script doesn't change the on|off status of the
> service in the config directory.  Of course it also means putting the
> above bit of logic in every init.d script that is put under chkconfig
> control and adding the necessary logic to the postinst script to
> create the config entry if it doesn't exist yet...

I think we would probably default to off if there isn't a file, or
if it doesn't contain on.  That way, all you have to do is touch the
file on install...

Mike






Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-07-25 Thread Dale Southard

Mike Fedyk [EMAIL PROTECTED] writes:

> On Sun, Jul 22, 2001 at 03:27:10AM -0400, Steven Barker wrote:
> > On Sat, Jul 21, 2001 at 11:59:17PM -0700, Mike Fedyk wrote:
> > > On Sun, Jul 22, 2001 at 02:50:14AM -0400, Steven Barker wrote:
>
> > > Personally, I think there should either be a /etc/do-not-start/package dir that
> > > packages' init scripts check for non-existence before starting, or a
> > > commented entry in the config file that the init script checks for
> > > non-existence before starting...
> >
> > Well, now we're getting into heavy policy stuff  I think it would be hard
> > enough to get all the daemon postinst scripts to work in run and no-run mode.
>
> Actually, if we could get them all to source an sh script that
> contains that logic, all changes to policy would be self-contained.

I think I've shot this one out before, but...

Why not use something like the IRIX ``chkconfig'' system: Provide a
simple program that takes the ``name'' of a service and then checks an
external file/files for ``on'' or off status of each service, and
returns 0 if on, 1 if off.  Then have each init.d script do something
like:

  case "$1" in
    'start')
      if /etc/chkconfig myservice; then
        # ...
        start myservice
        # ...
      fi
      ;;
  esac

[In IRIX, the /etc/config directory has a file for each name chkconfig
knows about that contains either ``on'' or ``off'' so adding a new
service is as simple as `echo on > /etc/config/newservice`, though
IRIX actually allows viewing and changing things with the chkconfig
program itself (eg, `chkconfig` with no arguments lists every service
known to chkconfig, `chkconfig service on|off` changes the state of a
service, with a -f flag to ``force'' creation of a new service.)]

This prevents ``update surprises'' since updating everything
including the init.d script doesn't change the on|off status of the
service in the config directory.  Of course it also means putting the
above bit of logic in every init.d script that is put under chkconfig
control and adding the necessary logic to the postinst script to
create the config entry if it doesn't exist yet...




-- 

/*  Dale Southard Jr.   [EMAIL PROTECTED]925-422-1463  */
/*  Computer Scientist, Accelerated Strategic Computing Initiative  */
/*  L-550,  Lawrence Livermore National Lab,  Livermore CA   94551  */
/*  AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving  */
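
An added example, not part of the original thread and not IRIX or Debian code: a minimal shell sketch of the chkconfig scheme described in the message above, with the default-off rule Mike Fedyk suggests in his reply and the ``network''/``gated'' hierarchy from later in the thread. The function names, the CHKCONFIG_DIR override, the service-name validation and the start_gated stand-in are assumptions made for illustration.

```sh
#!/bin/sh
# Added illustration (not IRIX's or Debian's code): on/off flags live in one
# directory that package upgrades never touch. CHKCONFIG_DIR is an assumed
# override so the functions can be exercised outside /etc/config.
CHKCONFIG_DIR="${CHKCONFIG_DIR:-/etc/config}"

# Accept only plain flag names, so a name can never point outside the
# flag directory (no "/", no leading ".").
valid_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# chkconfig_query NAME: return 0 only if the flag file exists and its first
# line is exactly "on". Missing, empty or unrecognised content means off.
chkconfig_query() {
    valid_name "$1" || return 1
    [ -f "$CHKCONFIG_DIR/$1" ] || return 1
    state=
    read -r state < "$CHKCONFIG_DIR/$1" || :
    [ "$state" = "on" ]
}

# chkconfig_set [-f] NAME on|off: change a flag; a new flag needs -f.
chkconfig_set() {
    force=no
    if [ "$1" = "-f" ]; then force=yes; shift; fi
    valid_name "$1" || return 2
    case "$2" in on|off) ;; *) return 2 ;; esac
    if [ ! -f "$CHKCONFIG_DIR/$1" ] && [ "$force" != yes ]; then
        return 1
    fi
    # Write a hidden temp file and rename it, so a reader never sees a
    # half-written flag.
    tmp="$CHKCONFIG_DIR/.$1.$$"
    echo "$2" > "$tmp" && mv "$tmp" "$CHKCONFIG_DIR/$1"
}

# chkconfig_list: print "name on|off" for every flag in the directory.
chkconfig_list() {
    for f in "$CHKCONFIG_DIR"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if chkconfig_query "$name"; then echo "$name on"; else echo "$name off"; fi
    done
}

# chkconfig_all NAME...: true only if every named flag is on. This is the
# hierarchy from the thread: "network" off also keeps "gated" from starting.
chkconfig_all() {
    [ "$#" -gt 0 ] || return 1
    for n in "$@"; do
        chkconfig_query "$n" || return 1
    done
    return 0
}

# Init-script side. start_gated is a stand-in for an init.d 'start' branch.
start_gated() {
    if chkconfig_all network gated; then
        echo "starting gated"
    else
        echo "gated not started (disabled by chkconfig)"
    fi
}

# Constructed walk-through in a scratch directory: sh thisfile demo
demo() {
    CHKCONFIG_DIR=$(mktemp -d) || return 1
    chkconfig_set -f network on
    chkconfig_set -f gated on
    start_gated
    chkconfig_set network off
    start_gated
    chkconfig_list
    rm -rf "$CHKCONFIG_DIR"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Because the query fails closed, a package's postinst only has to leave the flag absent to ship a daemon disabled, and replacing the init.d script on upgrade cannot switch it back on.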






Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-07-25 Thread Mike Fedyk
On Sun, Jul 22, 2001 at 03:27:10AM -0400, Steven Barker wrote:
> On Sat, Jul 21, 2001 at 11:59:17PM -0700, Mike Fedyk wrote:
> > On Sun, Jul 22, 2001 at 02:50:14AM -0400, Steven Barker wrote:
>
> > > I think that there should be a way to install a debian server packages
> > > without having the installation scripts start the server.  This need not be
> > > default, but it should be possible.
>
> > But that doesn't change the default.  If you do something like this,
> > you should add an option apt-get --run install foo
>
> Yes, that would make sense.  Both --run and --no-run could be available as
> options with the default behavior determined by apt/dpkg configuration.  As
> for what the default for apt/dpkg's config, that's for us to flame each
> other over... ;-)


Yes, make the default configurable if you have your debconf setting to
medium or low and default to Don't start otherwise.

I really don't want to have to type something more every time just to
keep the daemons from starting...

If you have --run and --no-run what happens when you don't specify
either?

> > Personally, I think there should either be a /etc/do-not-start/package dir that
> > packages' init scripts check for non-existence before starting, or a
> > commented entry in the config file that the init script checks for
> > non-existence before starting...
>
> Well, now we're getting into heavy policy stuff  I think it would be hard
> enough to get all the daemon postinst scripts to work in run and no-run mode.
>

Actually, if we could get them all to source an sh script that
contains that logic, all changes to policy would be self-contained.

Mike



Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-07-25 Thread Henrique de Moraes Holschuh
On Wed, 25 Jul 2001, Mike Fedyk wrote:
 Yes, make the default configurable if you have your debconf setting to
 medium or low and default to Don't start otherwise.

THAT is actually a good idea.

   Personally, I think there should either be a /etc/do-not-start/package 
   dir that
   packages' init scripts check for non-existance before starting, or a
   commented entry in the config file that the init script checks for
   non-existance before starting...
  
  Well, now we're getting into heavy policy stuff  I think it would be 
  hard
  enough to get all the daemon postinst scripts to work in run and no-run 
  mode.
 
 Actually, if we could get them all to source an sh script that
 contains that logic, all changes to policy would be self-contained.

Please you two, do your homework. Search for invoke-rc.d in debian-policy;
Since the sysvinit maintainer is MIA, you probably got a few weeks to
give suggestions.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh



Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-07-25 Thread Mike Fedyk
On Wed, Jul 25, 2001 at 01:37:00PM -0300, Henrique de Moraes Holschuh wrote:
 On Wed, 25 Jul 2001, Mike Fedyk wrote:
  Yes, make the default configurable if you have your debconf setting to
  medium or low and default to Don't start otherwise.
 
 THAT is actually a good idea.


Thanks

Personally, I think there should either be a 
/etc/do-not-start/package dir that
packages' init scripts check for non-existance before starting, or a
commented entry in the config file that the init script checks for
non-existance before starting...
   
   Well, now we're getting into heavy policy stuff  I think it would be 
   hard
   enough to get all the daemon postinst scripts to work in run and no-run 
   mode.
  
  Actually, if we could get them all to source an sh script that
  contains that logic, all changes to policy would be self-contained.
 
 Please you two, do your homework. Search for invoke-rc.d in debian-policy;
 Since the sysvinit maintainer is MIA, you probably got a few weeks to
 give suggestions.


Actually, Steve posted the URL on the 23rd, and I'm just reading it now.

Let's see if we can get some progress out of this flame thread...

Mike



Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-07-25 Thread Mike Fedyk
On Sat, Jul 21, 2001 at 11:59:17PM -0700, Mike Fedyk wrote:
  Personally, I think there should either be a /etc/do-not-start/package dir 
 that
  packages' init scripts check for non-existance before starting, or a
  commented entry in the config file that the init script checks for
  non-existance before starting...
 

On Sun, Jul 22, 2001 at 03:27:10AM -0400, Steven Barker wrote:
 Well, now we're getting into heavy policy stuff  I think it would be hard
 enough to get all the daemon postinst scripts to work in run and no-run mode.

 Mike Fedyk [EMAIL PROTECTED] writes:
 Actually, if we could get them all to source an sh script that
 contains that logic, all changes to policy would be self-contained.

On Wed, Jul 25, 2001 at 11:05:25AM -0700, Dale Southard wrote:
 
 I think I've shot this one out before, but...
 
 Why not use something like the IRIX ``chkconfig'' system: Provide a
 simple program that takes the ``name'' of a service and then checks an
 external file/files for ``on'' or off status of each service, and
 returns 0 if on, 1 if off.  Then have each init.d script do something
 like:
 
   case $1 in
 'start')
   if /etc/chkconfig myservice; then
 ...
 start myservice
 ...
   fi


Very nice, even better than sourcing...

Though, source file is a one line change, and doesn't add logic to
each package.  But, that could lead to another flame war on what should
go in that sourced file...

 [In IRIX, the /etc/config directory has a file for each name chkconfig
 knows about that contains either ``on'' or ``off'' so adding a new
 service is as simple as `echo on  /etc/config/newservice`, though
 IRIX actually allows viewing and changing things with the chkconfig
 program itself (eg, `chkconfig` with no arguments lists every service
 known to chkconfig, `chkconfig service on|off` changes the state of a
 service, with a -f flag to ``force'' creation of a new service.)]

 This prevents ``update surprises'' since updating everything
 including the init.d script doesn't change the on|off status of the
 service in the config directory.  Of course it also means putting the
 above bit of logic in every init.d script that is put under chkconfig
 control and adding the necessary logic to the postinst script to
 create the config entry if it doesn't exist yet...

I think we would probably default to off if there isn't a file, or
if it doesn't contain on.  That way, all you have to do is touch the
file on install...

Mike



Re: Daemon init scripts and apt-get [was: Re: red worm amusement]

2001-07-25 Thread Dale Southard
Mike Fedyk [EMAIL PROTECTED] writes:

 On Sun, Jul 22, 2001 at 03:27:10AM -0400, Steven Barker wrote:
  On Sat, Jul 21, 2001 at 11:59:17PM -0700, Mike Fedyk wrote:
   On Sun, Jul 22, 2001 at 02:50:14AM -0400, Steven Barker wrote:
 
   Personally, I think there should either be a /etc/do-not-start/package dir that
   packages' init scripts check for non-existence before starting, or a
   commented entry in the config file that the init script checks for
   non-existence before starting...
  
  Well, now we're getting into heavy policy stuff  I think it would be hard
  enough to get all the daemon postinst scripts to work in run and no-run mode.
 
 Actually, if we could get them all to source an sh script that
 contains that logic, all changes to policy would be self-contained.

I think I've shot this one out before, but...

Why not use something like the IRIX ``chkconfig'' system: Provide a
simple program that takes the ``name'' of a service and then checks an
external file/files for ``on'' or off status of each service, and
returns 0 if on, 1 if off.  Then have each init.d script do something
like:

  case "$1" in
    'start')
      # start only when chkconfig reports the service as on
      if /etc/chkconfig myservice; then
        ...
        start myservice
        ...
      fi
      ;;
  esac

[In IRIX, the /etc/config directory has a file for each name chkconfig
knows about that contains either ``on'' or ``off'' so adding a new
service is as simple as `echo on > /etc/config/newservice`, though
IRIX actually allows viewing and changing things with the chkconfig
program itself (eg, `chkconfig` with no arguments lists every service
known to chkconfig, `chkconfig service on|off` changes the state of a
service, with a -f flag to ``force'' creation of a new service.)]

This prevents ``update surprises'' since updating everything
including the init.d script doesn't change the on|off status of the
service in the config directory.  Of course it also means putting the
above bit of logic in every init.d script that is put under chkconfig
control and adding the necessary logic to the postinst script to
create the config entry if it doesn't exist yet...




-- 

/*  Dale Southard Jr.   [EMAIL PROTECTED]925-422-1463  */
/*  Computer Scientist, Accelerated Strategic Computing Initiative  */
/*  L-550,  Lawrence Livermore National Lab,  Livermore CA   94551  */
/*  AFF/I, SL/I, T/I, D-11216, Sr. Rig --- I'd rather be skydiving  */
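
The on/off gate Dale Southard describes above, combined with the default-off rule Mike Fedyk suggests in his reply, sketched as shell functions. This is an added example, not code from the thread, from IRIX or from Debian; the function names, the CHKCONFIG_DIR variable and the positional "force" argument (standing in for the -f flag) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, IRIX or Debian): a chkconfig-style gate.
# CHKCONFIG_DIR plays the role of IRIX's /etc/config; all names are assumed.
CHKCONFIG_DIR="${CHKCONFIG_DIR:-/etc/config}"

# svc_name_ok NAME: accept only plain file names, so a service name can
# never point outside CHKCONFIG_DIR.
svc_name_ok() {
    case "$1" in
        ''|.*|*/*|*[!A-Za-z0-9._+-]*) return 1 ;;
    esac
    return 0
}

# svc_enabled NAME: exit 0 only when the state file exists and its first
# line is exactly "on". A missing file, an empty file, "off" or any other
# content all count as off, so the gate fails closed.
svc_enabled() {
    svc_name_ok "$1" || return 1
    [ -f "$CHKCONFIG_DIR/$1" ] || return 1
    state=
    IFS= read -r state < "$CHKCONFIG_DIR/$1" || [ -n "$state" ] || return 1
    [ "$state" = "on" ]
}

# svc_register NAME: what a postinst would call. It creates the entry as
# "off" only if none exists, so an upgrade never overrides the admin's choice.
svc_register() {
    svc_name_ok "$1" || return 2
    [ -e "$CHKCONFIG_DIR/$1" ] || printf 'off\n' > "$CHKCONFIG_DIR/$1"
}

# svc_set NAME on|off [force]: change the state of a known service.
# Creating an entry for an unknown service requires the third argument.
svc_set() {
    svc_name_ok "$1" || return 2
    case "$2" in
        on|off) ;;
        *) return 2 ;;
    esac
    if [ ! -f "$CHKCONFIG_DIR/$1" ] && [ "$3" != "force" ]; then
        return 1
    fi
    printf '%s\n' "$2" > "$CHKCONFIG_DIR/$1"
}

# guarded_start NAME CMD...: the "start" branch of an init.d script.
# Runs CMD only when the service is on; otherwise reports and does nothing.
guarded_start() {
    name=$1
    shift
    if svc_enabled "$name"; then
        "$@"
    else
        echo "$name: disabled in $CHKCONFIG_DIR, not starting" >&2
        return 0
    fi
}
```

Because svc_register never rewrites an existing entry, re-running it on every upgrade leaves a service that the admin switched off in that state.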



Re: --no-run option (was: Re: red worm amusement)

2001-07-23 Thread Steve Greenland

On 22-Jul-01, 16:06 (CDT), Steven Barker [EMAIL PROTECTED] wrote: 
 On Sun, Jul 22, 2001 at 04:00:43PM +0200, Bernhard R. Link wrote:
  The standard-config is normally sane, and when you do not think so, place
  another config-file there before installing it.

Hmmm, I don't know that that would work on a clean install (no
/var/lib/dpkg/info/foo.conffiles). Must try...

 You are right, and I don't think that running with a default configuration
 would be a problem often.  But an option to prevent
 servers (or perhaps all daemons, networked or not) from running on install
 would let anyone who does not want the default configuration the chance to
 change settings before starting it up.
 
 Another problem with the current system is that disabled (as in, not running
 and removed from /etc/rc?.d) daemons restart themselves when they are
 upgraded.

Folks, this is all designed and implemented, and is waiting
on the sysvinit and file-rc maintainers to integrate. See
http://bugs.debian.org/76868 (Note that it changed somewhat during the
discussion, so read *all* the way through before commenting.)

Steve

-- 
Steve Greenland [EMAIL PROTECTED]
(Please do not CC me on mail sent to this list; I subscribe to and read
every list I post to.)



Re: red worm amusement

2001-07-22 Thread Ethan Benson

On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
 
 Oh, I guess anyone can say something like Four years without a remote
 hole in the default install! on the internet, where anyone is free to

that quote is pure marketing.  they don't count the recent ftpd remote
root hole in that `four years' because they stopped activating ftpd
in the default install of OpenBSD 2.7, which was released only a very
short time before the hole was discovered.  the kernel hole (basically
the same ptrace race the linux kernel had previous to 2.2.19) was only
locally exploitable so that `doesn't count' since it's not remote.

 prove them wrong, and get away with it?  Assuming it is rubbish, as
 you say.

try reading bugtraq.  

 If anyone who reads the posts I made looks at them with an objective
 outlook, they will see that my message is clearly stated.

no it's not, you change your position every time a fallacy is pointed
out.  

 Starting services by default is a bad idea.

and you keep pointing at OpenBSD as an example of a distribution that
doesn't start any services, if you had ever actually installed an
OpenBSD box you would see that is not true.  

as for debian services are only started if you install them, a very
logical assumption.  criticising debian's choices in regards to what
services are priority: standard could be a valid argument.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



Re: red worm amusement

2001-07-22 Thread Jacob Meuser

On Sun, Jul 22, 2001 at 12:34:50AM -0500, Nathan E Norman wrote:
 On Sat, Jul 21, 2001 at 09:28:35PM -0700, Jacob Meuser wrote:
  PS We don't give guns to children, do we?
 
 What the hell does this have to do with running services on a freaking
 computer connected to the Internet?  You are beginning to sound like a
 troll.

You don't give a gun to a child because it is likely they will hurt
themselves or others because they don't know what it does.

Similarly, running a service without knowing what it does can hurt
the operator, and leave their box open to attacks being launched
from their box, thereby hurting others.

I think it is quite fitting.
 
 HINT: It's difficult to kill someone with a computer without regard to
 whether the computer operator is a child.  Obfuscating the issue with
 inane comparisons to loaded political issues generally means you can't
 argue your original position effectively.
 
Well, it's kind of hard to argue a point, when people start steering
the discussion in bizarre directions.  I thought maybe I had to
put it in simpler terms.  Apparently that was not a good idea, as now
that has borne yet another pointless post.

[EMAIL PROTECTED]






Re: red worm amusement

2001-07-22 Thread Ethan Benson

On Sun, Jul 22, 2001 at 07:42:28AM +0200, Martin Bieder wrote:
 
 WARNING: You have started this car! You are about to drive this car.
 That means, you will be moving, what means that accidents could be
 harmful for you. Do you really want to proceed?
 
  [Yes]   [No][Abort]
 
 
 
 Do you want something like that?

or:

WARNING: Coffee is served HOT! [0]

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

[0] for those who don't remember there was a case some years ago where
a woman sued McDonalds after she spilled a cup of their coffee in her
lap and as a result was burned, her argument was that she didn't know
coffee was hot.

This is why to this day McDonalds' coffee cups have a warning printed
all around them saying: WARNING COFFEE IS HOT!!  -- at least in the
lawsuit happy US.



Re: red worm amusement

2001-07-22 Thread Ethan Benson

On Sat, Jul 21, 2001 at 11:39:36PM -0700, Jacob Meuser wrote:
 I think it is quite fitting.

i think is a 21st century variant of Godwin's law developing.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



Re: red worm amusement

2001-07-22 Thread Steven Barker

On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:

snip

 No, I'm simply saying not to start services immediately.

snip

Well, I'm going to wade into this growing flamewar to point out what I think
is a sound idea.  The trouble with the current system is that installed
daemons automatically start running with a default configuration.  This is
not always bad, but does not allow a paranoid sysadmin to protect themselves
(short of ugly workarounds like taking down the network interface until the
server is shut off).

I think that there should be a way to install a debian server package
without having the installation scripts start the server.  This need not be
default, but it should be possible.

I'm sure there are many ways this could work.  Perhaps:

root@foobar:/etc# apt-get install --no-run apache

would download, install and configure apache, but not run it.  When the
sysadmin was satisfied with the configuration files, etc, then update-rc.d
and such could be run by hand (or by another call to apt-get/dpkg with
another flag).

This would have to be both a policy change and a technical change in apt
and/or dpkg.  I think it would be a good compromise between security and the
simplicity of apt-get install foo.

-- 
Steven Barker  [EMAIL PROTECTED]
  Perhaps, after all, America never has been discovered.  I myself would
  say that it had merely been detected.
-- Oscar Wilde
PGP Key Fingerprint: 1A33 9F2E 368D 24B1 81D4  60BF E928 9E28 958F 2058






Re: red worm amusement

2001-07-22 Thread Jacob Meuser

On Sun, Jul 22, 2001 at 07:42:28AM +0200, Martin Bieder wrote:
 
 WARNING: You have started this car! You are about to drive this car.
 That means, you will be moving, what means that accidents could be
 harmful for you. Do you really want to proceed?
 
  [Yes]   [No][Abort]
 
 
 
 Do you want something like that?
 
 SCNR
 
Well, someone has decided to attack me for using an analogy, so I will
refrain from saying how this doesn't go with what I'm saying.

What I would like is for packages to not start a service immediately
upon installation.  I don't want the installation of packages to
put links in /etc/rc?.d.  If not that, then something like:

- WARNING --

Apache by default listens on port 80.  Apache is now listening for 
incoming internet connections on port 80.  Links have been installed
in /etc/rc?.d, so that this machine will be listening for connections 
on port 80 every time this machine is booted.
Because you are running a service, it is VERY important that you
read and follow the advice at http://www.debian.org/security/ 



[EMAIL PROTECTED]






Re: red worm amusement

2001-07-22 Thread Nathan E Norman

On Sun, Jul 22, 2001 at 12:01:55AM -0700, Jacob Meuser wrote:
 Well, someone has decided to attack me for using an analogy, so I will
 refrain from saying how this doesn't go with what I'm saying.

Oh, grow up.  I did not attack you, I questioned the wisdom of
comparing running services on a computer to the politically loaded
question of guns.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: red worm amusement

2001-07-22 Thread Hubert Chan


 Jacob == Jacob Meuser [EMAIL PROTECTED] writes:

Jacob What I would like is for packages to not start a service
Jacob immediately upon installation.  I don't want the installation of
Jacob packages to put links in /etc/rc?.d.  If not that, then
Jacob something like:

[cut]

I'm not sure that would be an effective warning, and it may even be
confusing to people, as it does not indicate that there is a potential
security risk, but just tells them to read the security pages.

Maybe something more like (disclaimer: it's late and I'm tired, so I
can't write a proper warning, but hopefully this should be enough to get
the idea across):

WARNING:
Apache has been started.  Web servers in general potentially open up a
large security hole.  By running Apache, you may be vulnerable to [[list
the relevant types of attacks]].  If you are not sure about what you are
doing, please stop Apache at the first available moment by running
/etc/init.d/apache stop and by removing the relevant links in
/etc/rc?.d, and please read http://www.debian.org/security/.  When you
are confident that you know what you're doing then you may re-enable
Apache.

Having said that, I'll toss in my vote for not starting the services
immediately on installation.  At least give the admin a chance to
configure it.

Or something like exim, where you configure it in the installation
process, before it gets started.

- -- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.




Re: red worm amusement

2001-07-22 Thread Jacob Meuser

On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
 On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
  
  Oh, I guess anyone can say something like Four years without a remote
  hole in the default install! on the internet, where anyone is free to
 
 that quote is pure marketing.  

Marketing?  OpenBSD has about as much of an advertising dept as does
Debian.  None.

 they don't count the recent ftpd remote
 root hole in that `four years' because they stopped activating ftpd
 in the default install of OpenBSD 2.7, which was released only a very
 short time before the hole was discovered.

And so the default install was not vulnerable to remote attacks.  Like
any other OS, you must update when updates are available.

 the kernel hole (basically
 the same ptrace race the linux kernel had previous to 2.2.19) was only
 locally exploitable so that `doesn't count' since it's not remote.

Exactly.  The claim is that there is no REMOTE exploit.
 
  If anyone who reads the posts I made looks at them with an objective
  outlook, they will see that my message is clearly stated.
 
 no it's not, you change your position every time a fallacy is pointed
 out.  

What?  What?  I'm sorry, say that again.  What fallacies are you talking
about?  My position is, and always has been, that 'apt-get install'
should not start the service, and should not put startup links in
/etc/rc?.d.
 
 and you keep pointing at OpenBSD as an example of a distribution that
 doesn't start any services, if you had ever actually installed an
 OpenBSD box you would see that is not true.  

You have a short memory don't you Ethan?  The last time I mentioned
OpenBSD on this list, you jumped all over me like you have this time.
Do you have something against OpenBSD?  Was your experience with
OpenBSD 2.6 that bad?  What, did you ask some silly question on an
OpenBSD mailing list, and get flamed so bad you're still burning?
I happen to be using OpenBSD to write this email.  Next to me is my
OpenBSD server, and when I send this message, it will go through
my OpenBSD firewall.  Are you offended by the number of times I just
wrote OpenBSD?  I never claimed OpenBSD doesn't start ANY services.


 as for debian services are only started if you install them, a very
 logical assumption.

Not really.  Someone just posted an example of where he installed
apache, but only needed it for a very short while.  It is logical
to assume that if a package is installed, it is for a reason.  It
is not logical to assume that there is a need to start it immediately,
and every time the machine is booted.

 criticising debian's choices in regards to what
 services are priority: standard could be a valid argument.

I'll leave that to you.

[EMAIL PROTECTED] 






Re: red worm amusement

2001-07-22 Thread Jacob Meuser

On Sun, Jul 22, 2001 at 02:03:23AM -0500, Nathan E Norman wrote:
 
 Oh, grow up.  I did not attack you, I questioned the wisdom of
 comparing running services on a computer to the politically loaded
 question of guns.
 
You are beginning to sound like a troll. - Nathan E Norman

[EMAIL PROTECTED]






Re: red worm amusement

2001-07-22 Thread CaT

On Sun, Jul 22, 2001 at 12:40:11AM -0700, Jacob Meuser wrote:
 On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
  On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
   
   Oh, I guess anyone can say something like Four years without a remote
   hole in the default install! on the internet, where anyone is free to
  
  that quote is pure marketing.  
 
 Marketing?  OpenBSD has about as much of an advertising dept as does
 Debian.  None.

You don't need a marketing department to practice the 'art' of marketing.

  they don't count the recent ftpd remote
  root hole in that `four years' because they stopped activating ftpd
  in the default install of OpenBSD 2.7, which was released only a very
  short time before the hole was discovered.
 
 And so the default install was not vulnerable to remote attacks.  Like

Debian's default install is not vulnerable to attacks either. Your point?

-- 
CaT ([EMAIL PROTECTED])*** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000






Re: red worm amusement

2001-07-22 Thread CaT

On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:
 On Sun, Jul 22, 2001 at 12:54:49PM +1000, CaT wrote:
  
  You know. You're right. We should make it as difficult as possible
  to install software. Right down to removing makefiles from source
  repositories and rot13ing the source code because the harder it is
  to install a piece of software, the more secure a box is.
 
 No, I'm simply saying not to start services immediately.  I mean really,

That wasn't what you were saying before. You were saying that the
ease of install you get with apt-get is bad. This is a rather different
issue.

 who in their right mind starts a service without looking at the config
 files?  How hard is it to add the links from /etc/rc?.d to /etc/init.d
 (isn't there a script to do this anyway)?

Some packages already practice safety-first. You need to remove an
echo and an exit from the init.d once you're good and ready. This
just has to become more widespread.

Then again, most of the time I install a service (90%) I want it
to start running immediately. apache, ftp etc I compile by hand.

  And then the computer you just spent a few grand on will be about
  as useful as a toaster without heating elements.
 
 That's better than them getting sued for a hell of a lot more than they
 paid for their machine because someone launched an attack from their
 machine, and they can't prove they didn't do it.

No machine is 100% secure, except those machines that do not exist.
Anyone who thinks their box is 100% secure has rocks in their heads,
regardless what OS they are running.

-- 
CaT ([EMAIL PROTECTED])*** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000






Re: red worm amusement

2001-07-22 Thread Jacob Meuser

For the last time: I am saying that apt-get install should not immediately
start a service, and it should not install the startup links in /etc/rc?.d.

I could give a rats @$$ about what is Debian's base system.  Those aren't
installed with apt-get install anyway.  I could give two $#1+$ about
whether or not an OS is secure out of the box.  This is not a question
about OSes, it's a question about installing packages that install 
services.

Please don't try to steer me off course, and then say I keep changing
my position.  It's simply not polite, and rather silly.

[EMAIL PROTECTED] 

On Sun, Jul 22, 2001 at 06:05:18PM +1000, CaT wrote:
 On Sun, Jul 22, 2001 at 12:40:11AM -0700, Jacob Meuser wrote:
  On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
   On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:

Oh, I guess anyone can say something like Four years without a remote
hole in the default install! on the internet, where anyone is free to
   
   that quote is pure marketing.  
  
  Marketing?  OpenBSD has about as much of an advertising dept as does
  Debian.  None.
 
 You don't need a marketing department to practice the 'art' of marketing.
 
   they don't count the recent ftpd remote
   root hole in that `four years' because they stopped activating ftpd
   in the default install of OpenBSD 2.7, which was released only a very
   short time before the hole was discovered.
  
  And so the default install was not vulnerable to remote attacks.  Like
 
 Debian's default install is not vulnerable to attacks either. Your point?
 
 -- 
 CaT ([EMAIL PROTECTED])  *** Jenna has joined the channel.
   cat speaking of mental giants..
   Jenna me, a giant, bullshit
   Jenna And i'm not mental
   - An IRC session, 20/12/2000
 
 






Re: red worm amusement

2001-07-22 Thread CaT

On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
 For the last time: I am saying that apt-get install should not immediately
 start a service, and it should not install the startup links in /etc/rc?.d.

Then stick to that.

 I could give a rats @$$ about what is Debian's base system.  Those aren't
 installed with apt-get install anyway.  I could give two $#1+$ about
 whether or not an OS is secure out of the box.  This is not a question
 about OSes, it's a question about installing packages that install 
 services.
 
 Please don't try to steer me off course, and then say I keep changing
 my position.  It's simply not polite, and rather silly.

No one is steering you off course. You're doing just that. You mention
that OpenBSD has been secure out-of-the-box for 4yrs and then when
ppl aren't impressed you chuck a hissy fit.

*shrug*

-- 
CaT ([EMAIL PROTECTED])*** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000






Re: red worm amusement

2001-07-22 Thread Ethan Benson

On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
 For the last time: I am saying that apt-get install should not immediately
 start a service, and it should not install the startup links in /etc/rc?.d.
 
 I could give a rats @$$ about what is Debian's base system.  Those aren't
 installed with apt-get install anyway.  I could give two $#1+$ about
 whether or not an OS is secure out of the box.  This is not a question
 about OSes, it's a question about installing packages that install 
 services.

oh so you're trying to sluff your own ignorance and incompetence onto
debian because you installed a zillion services and didn't know what
they did thus opening lots of `security holes'.

yeah whatever.

what part of `don't install the service if you don't need it/don't
know how to configure it' don't you understand?  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



Re: red worm amusement

2001-07-22 Thread CaT

On Sun, Jul 22, 2001 at 01:38:23AM -0700, Magus Ba'al wrote:
 <quote>No machine is 100% secure, except those machines that do not
 exist. Anyone who thinks their box is 100% secure has rocks in their
 heads, regardless what OS they are running.</quote>
 
 Don't mean to sound like an annoyance, but I have a 100% secure
 computer. It's currently disassembled, with the parts stored in
 different containers, and no OS on the hard drive. Crack that!

*grabs HD and installs it into another pc* ;)

 Sorry, just a poor stab at humor. While I've always been proud that the
 debian list has pretty much been better than any other list at keeping
 flame wars to a minimum, today is an exception. At times this latest
 thread has become well, my cock is bigger, so I'm more right than

it's starting to feel that way.

 you!. Yes, maybe daemons should ask to be started during startup, or
 prompt to be configured like exim. But who's to say that a new user
 won't choose an option that leads them to be vulnerable. When I first

well. that'll be a conscious choice by the user instead of an automated
one I guess.

 started I *know* I made some big mistakes. Maybe Debian should have some

mistakes are what we learn from the best. unfortunately they tend to
have the nastiest of side effects at times (but I guess that's why they
are such great teachers)

 firewall rules that are run to block vulnerable services when they are
 installed and then tell you how to unblock them. Maybe a billion
 different ways it could be, but it's not. I must commend the Debian team
 for maintaining the best distro, IMNSHO. I thought the Debian community

aye. we're dumping redhat/slackware boxes for debian. one of the primary
reasons is the ease with which you can keep the box up to date and secure.

-- 
CaT ([EMAIL PROTECTED])*** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000






Re: red worm amusement

2001-07-22 Thread Jacob Meuser

On Sun, Jul 22, 2001 at 06:35:34PM +1000, CaT wrote:
 On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
  For the last time: I am saying that apt-get install should not immediately
  start a service, and it should not install the startup links in /etc/rc?.d.
 
 Then stick to that.

Please, quote me on where I have contradicted that.

 No one is steering you off course. You're doing just that. You mention
 that OpenBSD has been secure out-of-the-box for 4yrs and then when
 ppl aren't impressed you chuck a hissy fit.
 

I mentioned that OpenBSD has a policy of not starting services by
default.  Ethan Benson went off on how OpenBSD is rubbish.  As
an OpenBSD user, I felt I should point out that he was the one
full of rubbish.  I really don't care whether people think it's
a good idea or not.  I just wish they'd discuss the issue I'm talking
about.  I mean really, Ethan claimed I never installed OpenBSD.  How
could he have ever known whether or not that is true?  Someone called 
ME a troll!?!?!?!?! 






Re: red worm amusement

2001-07-22 Thread Jacob Meuser

On Sun, Jul 22, 2001 at 12:44:19AM -0800, Ethan Benson wrote:
 what part of `don't install the service if you don't need it/don't
 know how to configure it' don't you understand?  
 
And when, during the installation, or regular use of Debian, is that
message ever displayed to the user?

[EMAIL PROTECTED]






Re: red worm amusement

2001-07-22 Thread Jacob Meuser

On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
  Please, quote me on where I have contradicted that.
 
 Right below.
 
Nothing is contradicting that.

 
 If you only wanted to talk about apt-get you should've stuck to it.
 
Then I'm to ignore all other questions and ideas, as well as personal
comments aimed at me as an individual?

 anyways. i'm bowing out.
 
Since it seems that suggesting that maybe something in Debian is
not perfect, one will be personally ridiculed, and ridiculed further
for replying to those comments, I too am bowing out.

Although I never got any reason why they are started by default, 
other than if a service is installed, it is assumed that the admin
wants it running.  To me, the tiny bit of time saved by the admin
is not worth the potential danger to new users.

[EMAIL PROTECTED]






Re: red worm amusement

2001-07-22 Thread Ethan Benson

On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
 On Sun, Jul 22, 2001 at 02:08:36AM -0700, Jacob Meuser wrote:

  I mentioned that OpenBSD has a policy of not starting services by
  default.  Ethan Benson went off on how OpenBSD is rubbish.  As

no i said the claim that OpenBSD starts no services was rubbish. NOT
that openbsd was rubbish.

  an OpenBSD user, I felt I should point out that he was the one
  full of rubbish.  I really don't care whether people think it's

you're the one who is full of it Jacob.

 If you only wanted to talk about apt-get you should've stuck to it.

yup.

  a good idea or not.  I just wish they'd discuss the issue I'm talking
  about.  I mean really, Ethan claimed I never installed OpenBSD.  How
  could he have ever known whether or not that is true?  Someone called 
  ME a troll!?!?!?!?! 

because you (Jacob) made it quite clear you don't know anything about
OpenBSD by making claims about it which are not true at all.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



Re: red worm amusement

2001-07-22 Thread Jacob Meuser

Alright, I said I was bowing out, but I will reply to this last email.
In my first post, I may not have been completely clear.  I said that
OpenBSD doesn't start services that are insecure.  Now, we all know
that no service is totally secure, so that statement is somewhat of
an oxymoron.  However, no one on any OpenBSD mailing list is telling 
people to turn off the services that are started by default, while 
on this list, everyone is always saying to turn off inetd and
whatever else they are not using.  My point is, why should someone
have to go through the trouble of turning them off?  Why are they
started in the first place, if the advice is to immediately shut them
off?  If a person needs that service then they can turn it on, correct?
This extends to packages that are added to the base system.  I don't
think it's right to assume that one wants to start the service 
immediately.  The argument that you shouldn't install a service if
you don't know what you're doing just doesn't make sense.  If you
never install the package, then how are you going to know anything 
about it?  How are you going to customize a configuration file,
if you have no file to modify?

CaT's reply that packages are starting to be made with provisions to
exit the init script before the service is started, is I guess really
the answer I was looking for.  Is that a new policy?  If it is, I
think it's a good one.

As to not waste any more innocent bystanders' bandwidth/disk space,
if anyone wishes to further discuss the questions I raised above,
or try to flame me, please send your email to:

[EMAIL PROTECTED]

On Sun, Jul 22, 2001 at 01:57:24AM -0800, Ethan Benson wrote:
 On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
  On Sun, Jul 22, 2001 at 02:08:36AM -0700, Jacob Meuser wrote:
 
   I mentioned that OpenBSD has a policy of not starting services by
   default.  Ethan Benson went off on how OpenBSD is rubbish.  As
 
 no i said the claim that OpenBSD starts no services was rubbish. NOT
 that openbsd was rubbish.
 
   an OpenBSD user, I felt I should point out that he was the one
   full of rubbish.  I really don't care whether people think it's
 
 you're the one who is full of it Jacob.
 
  If you only wanted to talk about apt-get you should've stuck to it.
 
 yup.
 
   a good idea or not.  I just wish they'd discuss the issue I'm talking
   about.  I mean really, Ethan claimed I never installed OpenBSD.  How

   could he have ever known whether or not that is true?  Someone called 
   ME a troll!?!?!?!?! 
 
 because you (Jacob) made it quite clear you don't know anything about
 OpenBSD by making claims about it which are not true at all.
 
 -- 
 Ethan Benson
 http://www.alaska.net/~erbenson/







--no-run option (was: Re: red worm amusement)

2001-07-22 Thread Bernhard R. Link

On Sun, 22 Jul 2001, Steven Barker wrote:

 I think that there should be a way to install a debian server packages
 without having the installation scripts start the server.  This need not be
 default, but it should be possible.

Why should anyone want to install a server without letting it run?


The standard-config is normally sane, and when you do not think so, place
another config-file there before installing it. ( If you are that paranoid
you should not only do ar -x xxx.deb ; tar -xzf data.tgz etc/configfile ,
but also check the whole package before installing it).


 would download, install and configure apache, but not run it.  When the
 sysadmin was satisfied with the configuration files, etc, then update-rc.d
 and such could be run by hand (or by another call to apt-get/dpkg with
 another flag).

Not adding rc.d-Links is really ridiculous. If you have a computer, that
just boots after installing without the chance to change links, then you
should plug-out the network-cable so or so.

 This would have to be both a policy change and a technical change in apt
 and/or dpkg.  I think it would be a good compromise between security and the
 simplicity of apt-get install foo.

I do not see a necessity for it. Though if you want to supply patches to
carry an --no-run in dpkg to some environment-variable to the script and
a patch to dh_xxx to check this, go ahead, but there are important and
sensible things to do.

Respectfully,
  Bernhard R. Link






Re: red worm amusement

2001-07-22 Thread Bernhard R. Link

On Sun, 22 Jul 2001, Jacob Meuser wrote:

 What I would like is for packages to not start a service immediately
 upon installation.

Though I do not understand this, I do not want to argue again, see my
other post...

 I don't want the installation of packages to
 put links in /etc/rc?.d.

Why, just remove them after installing. No one forces you to reboot just
after installation. And installing a package without the want to run it
is only a security flaw.


 Apache by default listens on port 80.  Apache is now listening for
 incoming internet connections on port 80.  Links have been installed
 in /etc/rc?.d, so that this machine will be listening for connections
 on port 80 every time this machine is booted.
 Because you are running a service, it is VERY important that you
 read and follow the advice at http://www.debian.org/security/


This is only ridiculous.

The car-analogy fits here very well.

Don't understand me wrong, I'm not against telling the user, if he does
something dangerous. But coffee is hot, and a server lowers security.
Why not also giving 5 pages of warnings, when configuring a
networking-connection (which is the real security problem) and making the
user type Yes, I want to crash my computer before installing, so that he
really knows, what can happen?



Respectfully,
  Bernhard R. Link






Re: red worm amusement

2001-07-22 Thread Rainer Weikusat

Jacob Meuser [EMAIL PROTECTED] writes:
 Still not the point.  I'm talking about services being enabled, either 
 by default, or by apt-get.

[...]

 ftpd is not enabled by default.

So imagine someone looking for a ftp-server, and, as it happens to be
the case, finds one, say, per locate, in /usr/libexec, which already
has a line corresponding to it in /etc/inetd.conf, though commented
out...

 There are many ways to locally compromise any Unix-like OS,
 therefore it has a rather low priority.

This sounds a bit illogical to me. If there are 'many ways', shouldn't
it rather be 'high priority', especially, as this renders per-daemon
uids basically useless?

 And who's going to teach them?  Certainly not an OS that makes it as
 easy as 'apt-get install apache'!

OSs don't teach people anything, documentation does. Which won't get
read anyway or at least be ignored.

 Maybe you don't get it.  A system that is compromised poses a danger
 to EVERYONE ON THE INTERNET.

So what? Try a cable-cutter.

-- 
stone me






Re: --no-run option (was: Re: red worm amusement)

2001-07-22 Thread Rob VanFleet

Exactly.  It is more of a special case to *not* want a server to start
at boot rather than the other way around.  To those who think that
apt-get install apache is too easy, then why is apt-get remove apache
too hard?

-Rob

On Sun, Jul 22, 2001 at 04:00:43PM +0200, Bernhard R. Link wrote:
 On Sun, 22 Jul 2001, Steven Barker wrote:
 
  I think that there should be a way to install a debian server packages
  without having the installation scripts start the server.  This need not be
  default, but it should be possible.
 
 Why should anyone want to install a server without letting it run?
 
 
 The standard-config is normally sane, and when you do not think so, place
 another config-file there before installing it. ( If you are that paranoid
 you should not only do ar -x xxx.deb ; tar -xzf data.tgz etc/configfile ,
 but also check the whole package before installing it).
 
 
  would download, install and configure apache, but not run it.  When the
  sysadmin was satisfied with the configuration files, etc, then update-rc.d
  and such could be run by hand (or by another call to apt-get/dpkg with
  another flag).
 
 Not adding rc.d-Links is really ridiculous. If you have a computer, that
 just boots after installing without the chance to change links, then you
 should plug-out the network-cable so or so.
 
  This would have to be both a policy change and a technical change in apt
  and/or dpkg.  I think it would be a good compromise between security and the
  simplicity of apt-get install foo.
 
 I do not see a necessity for it. Though if you want to supply patches to
 carry an --no-run in dpkg to some environment-variable to the script and
 a patch to dh_xxx to check this, go ahead, but there are important and
 sensible things to do.
 
 Respectfully,
   Bernhard R. Link
 
 




Re: red worm amusement

2001-07-22 Thread Hubert Chan


 Bernhard == Bernhard R Link [EMAIL PROTECTED] writes:

Bernhard On public streets or public places, you are not
Bernhard allowed. Otherwise you are allowed without licence.

True.  And I think that most of us won't care if people have insecure
boxes, if those boxes aren't on the Internet.

Bernhard (And even a licence does not avoid accidents and deaths, it
Bernhard only may reduce them)

True again.  Just as knowing about security or hiring a
security-conscious admin only reduces the chance of getting cracked.

 If we had the same sort of standards for computer use, though, we
 wouldn't have as much of a security problem as we do have.

Bernhard Sure?

Yes.  Because at the minimum, it would inform people about the
importance of paying attention to security.  (Mind you, the standards
that I'm talking about for driving only reflect my North American
experiences.  Germany may be (and I have heard it is) different.)

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.




Re: red worm amusement

2001-07-22 Thread Colin R. R. Johnson

On Sun, 22 Jul 2001, Steven Barker wrote:


 On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:

 snip

  No, I'm simply saying not to start services immediately.

 snip

 Well, I'm going to wade into this growing flamewar to point out what I think
 is a sound idea.  The trouble with the current system is that installed
 daemons automatically start running with a default configuration.  This is
 not always bad, but does not allow a paranoid sysadmin to protect themselves
 (short of ugly workarounds like taking down the network interface until the
 server is shut off).

 I think that there should be a way to install a debian server packages
 without having the installation scripts start the server.  This need not be
 default, but it should be possible.


I think this is a great idea, also, if dpkg / apt showed what servers were
being set up to run after the initial install, it could be saved to a file.

This would also assist if there was a break-in and a new server running
you could check against your original list.

 I'm sure there are many ways this could work.  Perhaps:

 root@foobar:/etc# apt-get install --no-run apache

 would download, install and configure apache, but not run it.  When the
 sysadmin was satisfied with the configuration files, etc, then update-rc.d
 and such could be run by hand (or by another call to apt-get/dpkg with
 another flag).

One option here would be a simple [y/n] question whether or not to run the
new service automatically as part of the package install.

--snip--

Colin.
--
Colin Johnson  [EMAIL PROTECTED]
Remember: Everything you see on screen is but ones and zeroes.
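
The baseline-and-compare idea from the post above, as an added sketch (not code from the thread, dpkg or apt): it records the SysV start links and the uncommented inetd.conf entries, and later reports what has appeared or gone. ETC_ROOT and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: baseline of services configured to start, for later comparison.
# ETC_ROOT is an assumption of this sketch so it can run against a test tree;
# on a SysV-init Debian system the real location is /etc.
ETC_ROOT="${ETC_ROOT:-/etc}"

# list_enabled_services: print one sorted line per service set up to run:
#   rcN.d/SNNname      for every start link in the runlevel directories
#   inetd/name/proto   for every uncommented entry in inetd.conf
list_enabled_services() {
    {
        for link in "$ETC_ROOT"/rc?.d/S*; do
            # Skip the literal pattern when the glob matched nothing.
            [ -e "$link" ] || [ -L "$link" ] || continue
            dir=${link%/*}
            printf '%s/%s\n' "${dir##*/}" "${link##*/}"
        done
        if [ -r "$ETC_ROOT/inetd.conf" ]; then
            # Fields: service socket-type protocol wait-flag user server args...
            awk '!/^[ \t]*#/ && NF >= 6 { print "inetd/" $1 "/" $3 }' \
                "$ETC_ROOT/inetd.conf"
        fi
    } | LC_ALL=C sort -u
}

# save_baseline FILE: record what is enabled right now.
save_baseline() {
    list_enabled_services > "$1"
}

# added_since_baseline FILE: entries enabled now that FILE does not list.
added_since_baseline() {
    now=$(mktemp) || return 1
    list_enabled_services > "$now"
    LC_ALL=C comm -13 "$1" "$now"
    rm -f "$now"
}

# removed_since_baseline FILE: entries in FILE that are no longer enabled.
removed_since_baseline() {
    now=$(mktemp) || return 1
    list_enabled_services > "$now"
    LC_ALL=C comm -23 "$1" "$now"
    rm -f "$now"
}
```

Keep the baseline file somewhere an intruder with root on the box cannot rewrite, otherwise the comparison proves nothing.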






Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sat, Jul 21, 2001 at 08:21:09PM -0700, Nicole Zimmerman wrote:
 
   last i used OpenBSD (2.6) it started portmap and identd by default at
   the very least, maybe fingerd too i don't remember for sure.
  
  The difference is, those were not exploitable. 
 
 And they are on debian?

It seems everyone on this list YELLS at people who leave rpc.statd
running.  I don't know whether it's exploitable or not, I know
enough to turn it off because I don't use it.  I am not talking about
people who know what they are doing.  I am talking about new users
who have no practical knowledge of the system.  I'm talking about 
protecting them from being immediately vulnerable.  If people are
running services, they should know how to start and stop them, right?

[EMAIL PROTECTED]



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sat, Jul 21, 2001 at 10:34:56PM -0500, Dana J. Laude wrote:
 On Sat, Jul 21, 2001 at 06:27:00PM -0700  Jacob Meuser wrote:
 
 IMHO, no distribution is secure out of the box.  Hell,
 even OpenBSD has had major blunders in their latest
 release.  Security is, after all... an ongoing issue
 that needs to be dealt with *all* the time.
 
I couldn't agree more.  I never said OpenBSD was more secure than
Debian.  I merely pointed out that I think their policy of not starting
services (perhaps I should qualify that as services that are added
to the default base system) is a good policy.

The only reason I suggested that is because, IIRC, this thread started
with someone bashing M$ because they say it's easy to administer their
products.  I have heard a lot of advocacy for Debian based on ease 
of use.  That's the problem, it's too easy to put yourself in a bad
situation.

[EMAIL PROTECTED]

PS We don't give guns to children, do we?



Re: red worm amusement

2001-07-22 Thread SDiZ Cheng
Microsoft Windows is not really bad, if you know how to admin it.
However, Microsoft gives this on its web site:

http://www.microsoft.com/NTWorkstation/downloads/Recommended/Featured/NTZAK.asp
Oh my god... Zero Administration ?

Luckily, Debian is asking their administrator to check for security updates
periodically.



Re: red worm amusement

2001-07-22 Thread Rob Hudson
 On 20010721.2117, Jacob Meuser said ...

 On Sat, Jul 21, 2001 at 08:21:09PM -0700, Nicole Zimmerman wrote:
  
    last i used OpenBSD (2.6) it started portmap and identd by default at
    the very least, maybe fingerd too i don't remember for sure.
   
   The difference is, those were not exploitable. 
  
  And they are on debian?
 
 It seems everyone on this list YELLS at people who leave rpc.statd
 running.  I don't know whether it's exploitable or not, I know
 enough to turn it off because I don't use it.  I am not talking about
 people who know what they are doing.  I am talking about new users
 who have no practical knowledge of the system.  I'm talking about 
 protecting them from being immediately vulnerable.  If people are
 running services, they should know how to start and stop them, right?

I'm with you on this one.  I ran 'apt-get install apache' because I
wanted to run it once to configure Samba via Swat.  It irked me that
it started apache right away and set it up to start each time I
rebooted.  Not what I wanted, and I can see your point.  I would much
rather be running a system that depended on me to check the config
before a service started, vulnerability or not.

-Rob



Re: red worm amusement

2001-07-22 Thread Rob VanFleet
On Sat, Jul 21, 2001 at 07:52:02PM -0700, Jacob Meuser wrote:
 And who's going to teach them?  Certainly not an OS that makes it as
 easy as 'apt-get install apache' !

Well, your solution of making it more obfuscated and difficult will
cause even more of a problem.  Many new users will simply say This is
annoying, I'll install PWS on my Windows box instead.

Now which is more of a 'danger'?

-Rob



Re: red worm amusement

2001-07-22 Thread Nathan E Norman
On Sat, Jul 21, 2001 at 09:28:35PM -0700, Jacob Meuser wrote:
 PS We don't give guns to children, do we?

What the hell does this have to do with running services on a freaking
computer connected to the Internet?  You are beginning to sound like a
troll.

HINT: It's difficult to kill someone with a computer without regard to
whether the computer operator is a child.  Obfuscating the issue with
inane comparisons to loaded political issues generally means you can't
argue your original position effectively.

Besides, I was a great shot as a child.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton




Re: red worm amusement

2001-07-22 Thread Martin Bieder
On Sat, Jul 21, 2001 at 06:27:00PM -0700, Jacob Meuser wrote:
 On Sat, Jul 21, 2001 at 04:32:32PM -0800, Ethan Benson wrote:

 
 Not really what I was getting at.  I was saying this is TOO EASY.
 I'm saying that Debian doesn't do a good enough job of warning
 people about doing these things.  I'm thinking about first time
 users who are not behind a firewall.  I'm thinking about myself two 
 years ago, running apache, mysql, exim, telnetd, portmap, and
 who knows what else, all while directly connected to the internet.
 Sure, I had some idea that running servers could be dangerous, but
 as Debian touts itself as secure, I figured it would tell me if
 I were doing something dangerous.

WARNING: You have started this car! You are about to drive this car.
That means, you will be moving, what means that accidents could be
harmful for you. Do you really want to proceed?

 [Yes]   [No][Abort]



Do you want something like that?

SCNR

Greeting from Unna/Ger
Martin
 



Re: red worm amusement

2001-07-22 Thread Martin Bieder
On Sat, Jul 21, 2001 at 04:39:48PM -0800, Ethan Benson wrote:
 
 fool me once, shame on you, fool me twice shame on me.

Fool me twice?
Our hospital is building a network and needs special software. The
only software we found useful runs under Win. We would have installed
linux, but we are nearly *forced* to use Win.
We are forced to use Win2000 (and not cheaper used licences of NT4) and
office2000 (and not cheaper used licences of office97), because support
for NT and office97 ends in 2002.
Don't want to talk about how M$ interprets support, but these are
facts, that impress people, who have to decide.

We are all wearing black...

Greeting from Unna/Ger
Martin



Re: red worm amusement

2001-07-22 Thread Hubert Chan

 Martin == Martin Bieder [EMAIL PROTECTED] writes:

Martin WARNING: You have started this car! You are about to drive this
Martin car.  That means, you will be moving, what means that accidents
Martin could be harmful for you. Do you really want to proceed?

Martin  [Yes] [No] [Abort]

Umm.  Bad analogy here.  You have to be *tested* before you can drive a
car.  It is not _legal_ to drive without a license.

If we had the same sort of standards for computer use, though, we wouldn't
have as much of a security problem as we do have.

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.



Re: red worm amusement

2001-07-22 Thread Ethan Benson
On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
 
 Oh, I guess anyone can say something like Four years without a remote
 hole in the default install! on the internet, where anyone is free to

that quote is pure marketing.  they don't count the recent ftpd remote
root hole in that `four years' because they stopped activating ftpd
in the default install of OpenBSD 2.7, which was released only a very
short time before the hole was discovered.  the kernel hole (basically
the same ptrace race the linux kernel had previous to 2.2.19) was only
locally exploitable so that `doesn't count' since it's not remote.

 prove them wrong, and get away with it?  Assuming it is rubbish, as
 you say.

try reading bugtraq.  

 If anyone who reads the posts I made looks at them with an objective
 outlook, they will see that my message is clearly stated.

no it's not, you change your position every time a fallacy is pointed
out.  

 Starting services by default is a bad idea.

and you keep pointing at OpenBSD as an example of a distribution that
doesn't start any services, if you had ever actually installed an
OpenBSD box you would see that is not true.  

as for debian services are only started if you install them, a very
logical assumption.  criticising debian's choices in regards to what
services are priority: standard could be a valid argument.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sun, Jul 22, 2001 at 12:34:50AM -0500, Nathan E Norman wrote:
 On Sat, Jul 21, 2001 at 09:28:35PM -0700, Jacob Meuser wrote:
  PS We don't give guns to children, do we?
 
 What the hell does this have to do with running services on a freaking
 computer connected to the Internet?  You are beginning to sound like a
 troll.

You don't give a gun to a child because it is likely they will hurt
themselves or others because they don't know what it does.

Similarly, running a service without knowing what it does can hurt
the operator, and leave their box open to attacks being launched
from their box, thereby hurting others.

I think it is quite fitting.
 
 HINT: It's difficult to kill someone with a computer without regard to
 whether the computer operator is a child.  Obfuscating the issue with
 inane comparisons to loaded political issues generally means you can't
 argue your original position effectively.
 
Well, it's kind of hard to argue a point, when people start steering
the discussion in bizarre directions.  I thought maybe I had to
put it in simpler terms.  Apparently that was not a good idea, as now 
that has borne yet another pointless post.  

[EMAIL PROTECTED]



Re: red worm amusement

2001-07-22 Thread Ethan Benson
On Sun, Jul 22, 2001 at 07:42:28AM +0200, Martin Bieder wrote:
 
 WARNING: You have started this car! You are about to drive this car.
 That means, you will be moving, what means that accidents could be
 harmful for you. Do you really want to proceed?
 
  [Yes]   [No][Abort]
 
 
 
 Do you want something like that?

or:

WARNING: Coffee is served HOT! [0]

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

[0] for those who don't remember there was a case some years ago where
a woman sued McDonalds after she spilled a cup of their coffee in her
lap and as a result was burned, her argument was that she didn't know
coffee was hot.

This is why to this day McDonalds' coffee cups have a warning printed
all around them saying: WARNING COFFEE IS HOT!!  -- at least in the
lawsuit happy US.




Re: red worm amusement

2001-07-22 Thread Ethan Benson
On Sat, Jul 21, 2001 at 11:39:36PM -0700, Jacob Meuser wrote:
 I think it is quite fitting.

i think there is a 21st century variant of Godwin's law developing.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: red worm amusement

2001-07-22 Thread Steven Barker
On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:

snip

 No, I'm simply saying not to start services immediately.

snip

Well, I'm going to wade into this growing flamewar to point out what I think
is a sound idea.  The trouble with the current system is that installed
daemons automatically start running with a default configuration.  This is
not always bad, but does not allow a paranoid sysadmin to protect themselves
(short of ugly workarounds like taking down the network interface until the
server is shut off).

I think that there should be a way to install a debian server packages
without having the installation scripts start the server.  This need not be
default, but it should be possible.

I'm sure there are many ways this could work.  Perhaps:

[EMAIL PROTECTED]:/etc# apt-get install --no-run apache

would download, install and configure apache, but not run it.  When the
sysadmin was satisfied with the configuration files, etc, then update-rc.d
and such could be run by hand (or by another call to apt-get/dpkg with
another flag).

This would have to be both a policy change and a technical change in apt
and/or dpkg.  I think it would be a good compromise between security and the
simplicity of apt-get install foo.

-- 
Steven Barker  [EMAIL PROTECTED]
  Perhaps, after all, America never has been discovered.  I myself would
  say that it had merely been detected.
-- Oscar Wilde
PGP Key Fingerprint: 1A33 9F2E 368D 24B1 81D4  60BF E928 9E28 958F 2058



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sun, Jul 22, 2001 at 07:42:28AM +0200, Martin Bieder wrote:
 
 WARNING: You have started this car! You are about to drive this car.
 That means, you will be moving, what means that accidents could be
 harmful for you. Do you really want to proceed?
 
  [Yes]   [No][Abort]
 
 
 
 Do you want something like that?
 
 SCNR
 
Well, someone has decided to attack me for using an analogy, so I will
refrain from saying how this doesn't go with what I'm saying.

What I would like is for packages to not start a service immediately
upon installation.  I don't want the installation of packages to
put links in /etc/rc?.d.  IF not that, then something like:

- WARNING --

Apache by default listens on port 80.  Apache is now listening for 
incoming internet connections on port 80.  Links have been installed
in /etc/rc?.d, so that this machine will be listening for connections 
on port 80 every time this machine is booted. 
Because you are running a service, it is VERY important that you
read and follow the advice at http://www.debian.org/security/ 



[EMAIL PROTECTED]



Re: red worm amusement

2001-07-22 Thread Mike Fedyk
On Sun, Jul 22, 2001 at 02:50:14AM -0400, Steven Barker wrote:
 On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:
 
 snip
 
  No, I'm simply saying not to start services immediately.
 
 snip
...
 
 I think that there should be a way to install a debian server packages
 without having the installation scripts start the server.  This need not be
 default, but it should be possible.
 
 I'm sure there are many ways this could work.  Perhaps:
 
 [EMAIL PROTECTED]:/etc# apt-get install --no-run apache
 
 would download, install and configure apache, but not run it.  When the
 sysadmin was satisfied with the configuration files, etc, then update-rc.d
 and such could be run by hand (or by another call to apt-get/dpkg with
 another flag).
 
 This would have to be both a policy change and a technical change in apt
 and/or dpkg.  I think it would be a good compromise between security and the
 simplicity of apt-get install foo.
 

But that doesn't change the default.  If you do something like this,
you should add an option apt-get --run install foo

Personally, I think there should either be a /etc/do-not-start/package dir that
packages' init scripts check for non-existence before starting, or a
commented entry in the config file that the init script checks for
non-existence before starting...

Mike



Re: red worm amusement

2001-07-22 Thread Nathan E Norman
On Sun, Jul 22, 2001 at 12:01:55AM -0700, Jacob Meuser wrote:
 Well, someone has decided to attack me for using an analogy, so I will
 refrain from saying how this doesn't go with what I'm saying.

Oh, grow up.  I did not attack you, I questioned the wisdom of
comparing running services on a computer to the politically loaded
question of guns.

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton




Re: red worm amusement

2001-07-22 Thread Steven Barker
On Sat, Jul 21, 2001 at 11:59:17PM -0700, Mike Fedyk wrote:
 On Sun, Jul 22, 2001 at 02:50:14AM -0400, Steven Barker wrote:

  I think that there should be a way to install a debian server packages
  without having the installation scripts start the server.  This need not be
  default, but it should be possible.

 But that doesn't change the default.  If you do something like this,
 you should add an option apt-get --run install foo

Yes, that would make sense.  Both --run and --no-run could be available as
options with the default behavior determined by apt/dpkg configuration.  As
for what the default for apt/dpkg's config, that's for us to flame each
other over... ;-)

 Personally, I think there should either be a /etc/do-not-start/package dir that
 packages' init scripts check for non-existence before starting, or a
 commented entry in the config file that the init script checks for
 non-existence before starting...

Well, now we're getting into heavy policy stuff  I think it would be hard
enough to get all the daemon postinst scripts to work in run and no-run mode.

-- 
Steven Barker  [EMAIL PROTECTED]
  There's so much to say but your eyes keep interrupting me.
PGP Key Fingerprint: 1A33 9F2E 368D 24B1 81D4  60BF E928 9E28 958F 2058
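
The two mechanisms discussed in this exchange (a per-invocation --run/--no-run choice with a configurable default, and a /etc/do-not-start/package flag checked by the init script), combined in one added sketch that is not code from the thread, dpkg or apt. PKG_NO_RUN and PKG_RUN_DEFAULT are hypothetical stand-ins for what such a flag and its configured default would hand to a postinst script; DO_NOT_START_DIR is the directory Mike Fedyk proposed.

```shell
#!/bin/sh
# Hypothetical names throughout: none of these is a real dpkg/apt interface.
#   DO_NOT_START_DIR  flag directory proposed in the thread
#   PKG_NO_RUN        what an "apt-get --no-run" (1) or "--run" (0) might export
#   PKG_RUN_DEFAULT   site default when neither flag was given (yes/no);
#                     "yes" mirrors the start-on-install behaviour the thread
#                     describes
DO_NOT_START_DIR="${DO_NOT_START_DIR:-/etc/do-not-start}"
PKG_RUN_DEFAULT="${PKG_RUN_DEFAULT:-yes}"

# start_decision NAME [CONTEXT]
#   CONTEXT is "install" when called from a postinst, "boot" otherwise.
#   Prints "run" or "skip: <reason>"; returns 0 for run, 1 for skip.
start_decision() {
    name="$1"
    context="${2:-boot}"

    # Fail closed on names that could point the flag check at another path.
    case "$name" in
        ""|*/*|.*) echo "skip: invalid service name"; return 1 ;;
    esac

    # 1. A flag file is the admin's standing order and always wins,
    #    at install time and on every later boot.
    if [ -e "$DO_NOT_START_DIR/$name" ]; then
        echo "skip: $DO_NOT_START_DIR/$name exists"
        return 1
    fi

    # 2. At boot nothing else applies: no flag file means start.
    [ "$context" = install ] || { echo run; return 0; }

    # 3. During installation honour the per-invocation flag first,
    #    then fall back to the configured default.
    case "${PKG_NO_RUN:-}" in
        1) echo "skip: --no-run requested"; return 1 ;;
        0) echo run; return 0 ;;
    esac
    if [ "$PKG_RUN_DEFAULT" = yes ]; then
        echo run
        return 0
    fi
    echo "skip: site default is not to start on install"
    return 1
}
```

An init script or postinst would call start_decision before launching the daemon and exit 0 quietly on "skip", so a blocked start does not make the package installation fail.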



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
 On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
  
  Oh, I guess anyone can say something like Four years without a remote
  hole in the default install! on the internet, where anyone is free to
 
 that quote is pure marketing.  

Marketing?  OpenBSD has about as much of an advertising dept as does 
Debian.  None.

 they don't count the recent ftpd remote
 root hole in that `four years' because they stopped activating ftpd
 in the default install of OpenBSD 2.7, which was released only a very
 short time before the hole was discovered.

And so the default install was not vulnerable to remote attacks.  Like
any other OS, you must update when updates are available.

 the kernel hole (basically
 the same ptrace race the linux kernel had previous to 2.2.19) was only
 locally exploitable so that `doesn't count' since its not remote.

Exactly.  The claim is that there is no REMOTE exploit.
 
  If anyone who reads the posts I made looks at them with an objective
  outlook, they will see that my message is clearly stated.
 
 no its not you change your position every time a fallacy is pointed
 out.  

What?  What?  I'm sorry, say that again.  What fallacies are you talking
about?  My position is, and always has been, that 'apt-get install'
should not start the service, and should not put startup links in
/etc/rc?.d.
 
 and you keep pointing at OpenBSD as an example of a distribution that
 doesn't start any services, if you had ever actually installed an
 OpenBSD box you would see that is not true.  

You have a short memory don't you Ethan?  The last time I mentioned
OpenBSD on this list, you jumped all over me like you have this time.
Do you have something against OpenBSD?  Was your experience with
OpenBSD 2.6 that bad?  What, did you ask some silly question on an
OpenBSD mailing list, and get flamed so bad you're still burning?
I happen to be using OpenBSD to write this email.  Next to me is my
OpenBSD server, and when I send this message, it will go through
my OpenBSD firewall.  Are you offended by the number of times I just
wrote OpenBSD?  I never claimed OpenBSD doesn't start ANY services.


 as for debian services are only started if you install them, a very
 logical assumption.

Not really.  Someone just posted an example of where he installed
apache, but only needed it for a very short while.  It is logical
to assume that if a package is installed, it is for a reason.  It
is not logical to assume that there is a need to start it immediately,
and every time the machine is booted.

 criticising debian's choices in regards to what
 services are priority: standard could be a valid argument.

I'll leave that to you.

[EMAIL PROTECTED] 



Re: red worm amusement

2001-07-22 Thread Hubert Chan

 Jacob == Jacob Meuser [EMAIL PROTECTED] writes:

Jacob What I would like is for packages to not start a service
Jacob immediately upon installation.  I don't want the installation of
Jacob packages to put links in /etc/rc?.d.  IF not that, then
Jacob something like:

[cut]

I'm not sure that would be an effective warning, and it may even be
confusing to people, as it does not indicate that there is a potential
security risk, but just tells them to read the security pages.

Maybe something more like (disclaimer: it's late and I'm tired, so I
can't write a proper warning, but hopefully this should be enough to get
the idea across):

WARNING:
Apache has been started.  Web servers in general potentially open up a
large security hole.  By running Apache, you may be vulnerable to [[list
the relevant types of attacks]].  If you are not sure about what you are
doing, please stop Apache at the first available moment by running
/etc/init.d/apache stop and by removing the relevant links in
/etc/rc?.d, and please read http://www.debian.org/security/.  When you
are confident that you know what you're doing then you may re-enable
Apache.

Having said that, I'll toss in my vote for not starting the services
immediately on installation.  At least give the admin a chance to
configure it.

Or something like exim, where you configure it in the installation
process, before it gets started.

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sun, Jul 22, 2001 at 02:03:23AM -0500, Nathan E Norman wrote:
 
 Oh, grow up.  I did not attack you, I questioned the wisdom of
 comparing running services on a computer to the politically loaded
 question of guns.
 
You are beginning to sound like a troll. - Nathan E Norman

[EMAIL PROTECTED]



Re: red worm amusement

2001-07-22 Thread CaT
On Sun, Jul 22, 2001 at 12:40:11AM -0700, Jacob Meuser wrote:
 On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
  On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:
   
   Oh, I guess anyone can say something like Four years without a remote
   hole in the default install! on the internet, where anyone is free to
  
  that quote is pure marketing.  
 
 Marketing?  OpenBSD has about as much of an advertising dept as does 
 Debian.  None.

You don't need a marketing department to practice the 'art' of marketing.

  they don't count the recent ftpd remote
  root hole in that `four years' because they stopped activating ftpd
  in the default install of OpenBSD 2.7, which was released only a very
  short time before the hole was discovered.
 
 And so the default install was not vulnerable to remote attacks.  Like

Debian's default install is not vulnerable to attacks either. Your point?

-- 
CaT ([EMAIL PROTECTED]) *** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000



Re: red worm amusement

2001-07-22 Thread CaT
On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:
 On Sun, Jul 22, 2001 at 12:54:49PM +1000, CaT wrote:
  
  You know. You're right. We should make it as difficult as possible
  to install software. Right down to removing makefiles from source
  repositories and rot13ing the source code because the harder it is
  to install a piece of software, the more secure a box is.
 
 No, I'm simply saying not to start services immediately.  I mean really,

That wasn't what you were saying before. You were saying that the
ease of install you get with apt-get is bad. This is a rather different
issue.

 who in their right mind starts a service without looking at the config
 files?  How hard is it to add the links from /etc/rc?.d to /etc/init.d
 (isn't there a script to do this anyway)?

Some packages already practice safety-first. You need to remove an
echo and an exit from the init.d once you're good and ready. This
just has to become more widespread.

Then again, most of the time I install a service (90%) I want it
to start running immediately. apache, ftp etc I compile by hand.

  And then the computer you just spent a few grand on will be about
  as useful as a toaster without heating elements.
 
 That's better than them getting sued for a hell of a lot more than they
 paid for their machine because someone launched an attack from their
 machine, and they can't prove they didn't do it.

No machine is 100% secure, except those machines that do not exist.
Anyone who thinks their box is 100% secure has rocks in their heads,
regardless what OS they are running.

-- 
CaT ([EMAIL PROTECTED]) *** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sun, Jul 22, 2001 at 01:32:00AM -0600, Hubert Chan wrote:
 
 I'm not sure that would be an effective warning, and it may even be
 confusing to people, as it does not indicate that there is a potential
 security risk, but just tells them to read the security pages.
 
Hmmm, silly me referenced http://www.debian.org/security/ before I looked
at it.  I assumed there would at least be some links to more security
information, as the first thing it says is Debian takes security very
seriously.  Then it goes on to talk about reactive security, not
proactive security.  

 Or something like exim, where you configure it in the installation
 process, before it gets started.
 
At least it lets you set it up for local service only.  

[EMAIL PROTECTED]



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
For the last time: I am saying that apt-get install should not immediately
start a service, and it should not install the startup links in /etc/rc?.d.

I could give a rats @$$ about what is Debian's base system.  Those aren't
installed with apt-get install anyway.  I could give two $#1+$ about
whether or not an OS is secure out of the box.  This is not a question
about OSes, it's a question about installing packages that install 
services.

Please don't try to steer me off course, and then say I keep changing
my position.  It's simply not polite, and rather silly.

[EMAIL PROTECTED] 

On Sun, Jul 22, 2001 at 06:05:18PM +1000, CaT wrote:
 On Sun, Jul 22, 2001 at 12:40:11AM -0700, Jacob Meuser wrote:
  On Sat, Jul 21, 2001 at 10:26:38PM -0800, Ethan Benson wrote:
   On Sat, Jul 21, 2001 at 09:02:54PM -0700, Jacob Meuser wrote:

    Oh, I guess anyone can say something like Four years without a remote
    hole in the default install! on the internet, where anyone is free to
   
   that quote is pure marketing.  
  
  Marketing?  OpenBSD has about as much of an advertising dept as does 
  Debian.  None.
 
 You don't need a marketing department to practice the 'art' of marketing.
 
   they don't count the recent ftpd remote
   root hole in that `four years' because they stopped activating ftpd
   in the default install of OpenBSD 2.7, which was released only a very
   short time before the hole was discovered.
  
  And so the default install was not vulnerable to remote attacks.  Like
 
 Debian's default install is not vulnerable to attacks either. Your point?
 
 -- 
 CaT ([EMAIL PROTECTED])   *** Jenna has joined the channel.
   cat speaking of mental giants..
   Jenna me, a giant, bullshit
   Jenna And i'm not mental
   - An IRC session, 20/12/2000
 
 



Re: red worm amusement

2001-07-22 Thread CaT
On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
 For the last time: I am saying that apt-get install should not immediately
 start a service, and it should not install the startup links in /etc/rc?.d.

Then stick to that.

 I could give a rats @$$ about what is Debian's base system.  Those aren't
 installed with apt-get install anyway.  I could give two $#1+$ about
 whether or not an OS is secure out of the box.  This is not a question
 about OSes, it's a question about installing packages that install 
 services.
 
 Please don't try to steer me off course, and then say I keep changing
 my position.  It's simply not polite, and rather silly.

No one is steering you off course. You're doing just that. You mention
that OpenBSD has been secure out-of-the-box for 4yrs and then when
ppl aren't impressed you chuck a hissy fit.

*shrug*

-- 
CaT ([EMAIL PROTECTED]) *** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000



RE: red worm amusement

2001-07-22 Thread Magus Ba'al
-Original Message-
From: CaT [mailto:[EMAIL PROTECTED] 
Sent: Sunday, July 22, 2001 1:11 AM
To: Jacob Meuser
Cc: debian-security@lists.debian.org
Subject: Re: red worm amusement


<quote>No machine is 100% secure, except those machines that do not
exist. Anyone who thinks their box is 100% secure has rocks in their
heads, regardless what OS they are running.</quote>

Don't mean to sound like an annoyance, but I have a 100% secure
computer. It's currently disassembled, with the parts stored in
different containers, and no OS on the hard drive. Crack that!

Sorry, just a poor stab at humor. While I've always been proud that the
debian list has pretty much been better than any other list at keeping
flame wars to a minimum, today is an exception. At times this latest
thread has become well, my cock is bigger, so I'm more right than
you!. Yes, maybe daemons should ask to be started during startup, or
prompt to be configured like exim. But who's to say that a new user
won't choose an option that leads them to be vulnerable. When I first
started I *know* I made some big mistakes. Maybe Debian should have some
firewall rules that are run to block vulnerable services when they are
installed and then tell you how to unblock them. Maybe a billion
different ways it could be, but it's not. I must commend the Debian team
for maintaining the best distro, IMNSHO. I thought the Debian community
was better than the others due to the fact that we work together to come
up with ideas, not thinking 'My Way(tm)' is the only good option. So far
all the points brought up have been valid and very arguable. The problem
is that it's turning into a 'your idea sucks' pissing match. The best
idea is to gather all the ideas and pick the best way to do things.
Maybe the way it's currently done was the best of the ideas at the time.
Trying to get amy package maintainers to redo their packages at the snap
of a finger is ridiculous. Maybe we should try putting our heads
together and find the best solution to securely
installing/configuring/starting daemons, and then present that to the
Debian team? Maybe someone has a better idea than I do on how to get
stuff changed. The point is to work together!

All flames are welcome if you are so inclined. But please email me
directly, and me only. Do not reply, CC/BCC the list directly if you
really need to get some aggression out. Thanks!



Steven Beverly


I am the Illustrious Postmaster and Grand Poobah of Electronic
Transmissions -Mary Jo Pehl, MST3K

He who fights with monsters should look to it that he himself does not
become a monster...when you gaze long into the abyss the abyss also
gazes
into you. -Friedrich Nietzsche






Re: red worm amusement

2001-07-22 Thread Ethan Benson
On Sun, Jul 22, 2001 at 12:40:11AM -0700, Jacob Meuser wrote:
  that quote is pure marketing.  
 
 Marketing?  OpenBSD has about as much of an advertising dept as does 
 Debian.  None.

that quote is still marketing, its backed up by excuses and lawyerly
nitpicking, not real fact.

 And so the default install was not vulnerable to remote attacks.  Like
 any other OS, you must update when updates are available.

wrong.  default install of all versions of OpenBSD prior to 2.7 WERE
vulnerable because they turned on ftpd by default in the default
install.  the only reason they maintain that absurd `4 years without a
root hole' is because they narrowly obsoleted 2.6 with 2.7 before that
hole was discovered.  like i said: lawyerly nitpicking.

 Exactly.  The claim is that there is no REMOTE exploit.

and local exploits don't matter? exactly the response i expect from a
marketing person.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: red worm amusement

2001-07-22 Thread Ethan Benson
On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
 For the last time: I am saying that apt-get install should not immediately
 start a service, and it should not install the startup links in /etc/rc?.d.
 
 I could give a rats @$$ about what is Debian's base system.  Those aren't
 installed with apt-get install anyway.  I could give two $#1+$ about
 whether or not an OS is secure out of the box.  This is not a question
 about OSes, it's a question about installing packages that install 
 services.

oh so you're trying to sluff your own ignorance and incompetence onto
debian because you installed a zillion services and didn't know what
they did thus opening lots of `security holes'.

yeah whatever.

what part of `don't install the service if you don't need it/don't
know how to configure it' don't you understand?  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: red worm amusement

2001-07-22 Thread CaT
On Sun, Jul 22, 2001 at 01:38:23AM -0700, Magus Ba'al wrote:
 <quote>No machine is 100% secure, except those machines that do not
 exist. Anyone who thinks their box is 100% secure has rocks in their
 heads, regardless what OS they are running.</quote>
 
 Don't mean to sound like an annoyance, but I have a 100% secure
 computer. It's currently disassembled, with the parts stored in
 different containers, and no OS on the hard drive. Crack that!

*grabs HD and installs it into another pc* ;)

 Sorry, just a poor stab at humor. While I've always been proud that the
 debian list has pretty much been better than any other list at keeping
 flame wars to a minimum, today is an exception. At times this latest
 thread has become well, my cock is bigger, so I'm more right than

it's starting to feel that way.

 you!. Yes, maybe daemons should ask to be started during startup, or
 prompt to be configured like exim. But who's to say that a new user
 won't choose an option that leads them to be vulnerable. When I first

well. that'll be a conscious choice by the user instead of an automated
one I guess.

 started I *know* I made some big mistakes. Maybe Debian should have some

mistakes are what we learn from the best. unfortunately they tend to
have the nastiest of side effects at times (but I guess that's why they
are such great teachers)

 firewall rules that are run to block vulnerable services when they are
 installed and then tell you how to unblock them. Maybe a billion
 different ways it could be, but it's not. I must commend the Debian team
 for maintaining the best distro, IMNSHO. I thought the Debian community

aye. we're dumping redhat/slackware boxes for debian. one of the primary
reasons is the ease with which you can keep the box up to date and secure.

-- 
CaT ([EMAIL PROTECTED]) *** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sun, Jul 22, 2001 at 06:35:34PM +1000, CaT wrote:
 On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
  For the last time: I am saying that apt-get install should not immediately
  start a service, and it should not install the startup links in /etc/rc?.d.
 
 Then stick to that.

Please, quote me on where I have contradicted that.

 No one is steering you off course. You're doing just that. You mention
 that OpenBSD has been secure out-of-the-box for 4yrs and then when
 ppl aren't impressed you chuck a hissy fit.
 

I mentioned that OpenBSD has a policy of not starting services by
default.  Ethan Benson went off on how OpenBSD is rubbish.  As
an OpenBSD user, I felt I should point out that he was the one
full of rubbish.  I really don't care whether people think it's
a good idea or not.  I just wish they'd discuss the issue I'm talking
about.  I mean really, Ethan claimed I never installed OpenBSD.  How
could he have ever known whether or not that is true?  Someone called 
ME a troll!?!?!?!?! 



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sun, Jul 22, 2001 at 12:44:19AM -0800, Ethan Benson wrote:
 what part of `don't install the service if you don't need it/don't
 know how to configure it' don't you understand?  
 
And when, during the installation, or regular use of Debian, is that
message ever displayed to the user?

[EMAIL PROTECTED]



Re: red worm amusement

2001-07-22 Thread CaT
On Sun, Jul 22, 2001 at 02:08:36AM -0700, Jacob Meuser wrote:
 On Sun, Jul 22, 2001 at 06:35:34PM +1000, CaT wrote:
  On Sun, Jul 22, 2001 at 01:37:29AM -0700, Jacob Meuser wrote:
   For the last time: I am saying that apt-get install should not immediately
   start a service, and it should not install the startup links in 
   /etc/rc?.d.
  
  Then stick to that.
 
 Please, quote me on where I have contradicted that.

Right below.

  No one is steering you off course. You're doing just that. You mention
  that OpenBSD has been secure out-of-the-box for 4yrs and then when
  ppl aren't impressed you chuck a hissy fit.
 
 I mentioned that OpenBSD has a policy of not starting services by
 default.  Ethan Benson went off on how OpenBSD is rubbish.  As
 an OpenBSD user, I felt I should point out that he was the one
 full of rubbish.  I really don't care whether people think it's

If you only wanted to talk about apt-get you should've stuck to it.

 a good idea or not.  I just wish they'd discuss the issue I'm talking
 about.  I mean really, Ethan claimed I never installed OpenBSD.  How
 could he have ever known whether or not that is true?  Someone called 
 ME a troll!?!?!?!?! 

don't care. remember, this is meant to be about apt-get only?

anyways. i'm bowing out.

-- 
CaT ([EMAIL PROTECTED]) *** Jenna has joined the channel.
cat speaking of mental giants..
Jenna me, a giant, bullshit
Jenna And i'm not mental
- An IRC session, 20/12/2000



Re: red worm amusement

2001-07-22 Thread Jacob Meuser
On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
  Please, quote me on where I have contradicted that.
 
 Right below.
 
Nothing is contradicting that.

 
 If you only wanted to talk about apt-get you should've stuck to it.
 
Then I'm to ignore all other questions and ideas, as well as personal
comments aimed at me as an individual?

 anyways. i'm bowing out.
 
Since it seems that suggesting that maybe something in Debian is
not perfect, one will be personally ridiculed, and ridiculed further
for replying to those comments, I too am bowing out.

Although I never got any reason why they are started by default, 
other than if a service is installed, it is assumed that the admin
wants it running.  To me, the tiny bit of time saved by the admin
is not worth the potential danger to new users.

[EMAIL PROTECTED]



Re: red worm amusement

2001-07-22 Thread Ethan Benson
On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
 On Sun, Jul 22, 2001 at 02:08:36AM -0700, Jacob Meuser wrote:

  I mentioned that OpenBSD has a policy of not starting services by
  default.  Ethan Benson went off on how OpenBSD is rubbish.  As

no i said the claim that OpenBSD starts no services was rubbish. NOT
that openbsd was rubbish.

  an OpenBSD user, I felt I should point out that he was the one
  full of rubbish.  I really don't care whether people think it's

you're the one who is full of it Jacob.

 If you only wanted to talk about apt-get you should've stuck to it.

yup.

  a good idea or not.  I just wish they'd discuss the issue I'm talking
  about.  I mean really, Ethan claimed I never installed OpenBSD.  How
  could he have ever known whether or not that is true?  Someone called 
  ME a troll!?!?!?!?! 

because you (Jacob) made it quite clear you don't know anything about
OpenBSD by making claims about it which are not true at all.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: red worm amusement

2001-07-22 Thread Jacob Meuser
Alright, I said I was bowing out, but I will reply to this last email.
In my first post, I may not have been completely clear.  I said that
OpenBSD doesn't start services that are insecure.  Now, we all know
that no service is totally secure, so that statement is somewhat of
an oxymoron.  However, no one on any OpenBSD mailing list is telling 
people to turn off the services that are started by default, while 
on this list, everyone is always saying to turn off inetd and
whatever else they are not using.  My point is, why should someone
have to go through the trouble of turning them off?  Why are they
started in the first place, if the advice is to immediately shut them
off?  If a person needs that service then they can turn it on, correct?
This extends to packages that are added to the base system.  I don't
think it's right to assume that one wants to start the service 
immediately.  The argument that you shouldn't install a service if
you don't know what you're doing just doesn't make sense.  If you
never install the package, then how are you going to know anything 
about it?  How are you going to customize a configuration file,
if you have no file to modify?

CaT's reply that packages are starting to be made with provisions to
exit the init script before the service is started, is I guess really
the answer I was looking for.  Is that a new policy?  If it is, I
think it's a good one.

As to not waste any more innocent bystanders' bandwidth/disk space,
if anyone wishes to further discuss the questions I raised above,
or try to flame me, please send your email to:

[EMAIL PROTECTED]

On Sun, Jul 22, 2001 at 01:57:24AM -0800, Ethan Benson wrote:
 On Sun, Jul 22, 2001 at 07:11:04PM +1000, CaT wrote:
  On Sun, Jul 22, 2001 at 02:08:36AM -0700, Jacob Meuser wrote:
 
   I mentioned that OpenBSD has a policy of not starting services by
   default.  Ethan Benson went off on how OpenBSD is rubbish.  As
 
 no i said the claim that OpenBSD starts no services was rubbish. NOT
 that openbsd was rubbish.
 
   an OpenBSD user, I felt I should point out that he was the one
   full of rubbish.  I really don't care whether people think it's
 
 you're the one who is full of it Jacob.
 
  If you only wanted to talk about apt-get you should've stuck to it.
 
 yup.
 
   a good idea or not.  I just wish they'd discuss the issue I'm talking
   about.  I mean really, Ethan claimed I never installed OpenBSD.  How

   could he have ever known whether or not that is true?  Someone called 
   ME a troll!?!?!?!?! 
 
 because you (Jacob) made it quite clear you don't know anything about
 OpenBSD by making claims about it which are not true at all.
 
 -- 
 Ethan Benson
 http://www.alaska.net/~erbenson/




--no-run option (was: Re: red worm amusement)

2001-07-22 Thread Bernhard R. Link
On Sun, 22 Jul 2001, Steven Barker wrote:

 I think that there should be a way to install a debian server package
 without having the installation scripts start the server.  This need not be
 default, but it should be possible.

Why should anyone want to install a server without letting it run?


The standard-config is normally sane, and when you do not think so, place
another config-file there before installing it. ( If you are that paranoid
you should not only do ar -x xxx.deb ; tar -xzf data.tgz etc/configfile ,
but also check the whole package before installing it).


 would download, install and configure apache, but not run it.  When the
 sysadmin was satisfied with the configuration files, etc, then update-rc.d
 and such could be run by hand (or by another call to apt-get/dpkg with
 another flag).

Not adding rc.d-Links is really ridiculous. If you have a computer, that
just boots after installing without the chance to change links, then you
should plug-out the network-cable so or so.

 This would have to be both a policy change and a technical change in apt
 and/or dpkg.  I think it would be a good compromise between security and the
 simplicity of apt-get install foo.

I do not see a necessity for it. Though if you want to supply patches to
carry an --no-run in dpkg to some environment-variable to the script and
a patch to dh_xxx to check this, go ahead, but there are important and
sensible things to do.

Respectfully,
  Bernhard R. Link
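
The two mechanisms floated in this thread, a per-package marker under /etc/do-not-start that init scripts check before starting and a --no-run flag handed to the package scripts through an environment variable, sketched as a start guard for an init script. This is an added example, not code from any post or from Debian; the variable name PKG_NO_RUN, the GUARD_ROOT prefix and the function names are hypothetical.

```shell
#!/bin/sh
# Start guard for a SysV-style init script (illustration only).
# Assumptions, none of which are Debian policy or real dpkg behaviour:
#   - /etc/do-not-start/<package> is the marker proposed in the thread
#   - PKG_NO_RUN=1 is a hypothetical name for the value a "--no-run"
#     option would export to maintainer scripts
#   - GUARD_ROOT is a hypothetical prefix so the guard can be exercised
#     in a scratch directory instead of the live /etc

GUARD_ROOT="${GUARD_ROOT:-}"

# may_start PACKAGE
# Returns 0 if the daemon may be started, 1 if the start is suppressed.
# Prints a one-line reason on stdout either way.
may_start() {
    pkg="$1"
    # Refuse empty names and anything that could escape the marker
    # directory (slashes, leading dot).
    case "$pkg" in
        ''|*/*|.*)
            echo "refused: invalid package name"
            return 1
            ;;
    esac
    # Install-time switch: the admin asked for "install but do not run".
    if [ "${PKG_NO_RUN:-0}" = "1" ]; then
        echo "skipped: PKG_NO_RUN is set"
        return 1
    fi
    # Persistent switch: the marker also covers every later boot, which
    # is what removing the rc?.d links by hand would otherwise achieve.
    if [ -e "${GUARD_ROOT}/etc/do-not-start/${pkg}" ]; then
        echo "skipped: marker ${GUARD_ROOT}/etc/do-not-start/${pkg} exists"
        return 1
    fi
    echo "ok"
    return 0
}

# guarded_start PACKAGE COMMAND [ARGS...]
# What the "start)" branch of an init script would call instead of
# launching the daemon directly.
guarded_start() {
    pkg="$1"
    shift
    if reason=$(may_start "$pkg"); then
        "$@"
    else
        echo "Not starting $pkg ($reason)" >&2
        # Exit status 0 on purpose: a suppressed start must not make
        # the package installation or the boot sequence fail.
        return 0
    fi
}
```

With this guard the default stays "start on install", and opting out is one `touch` before `apt-get install` rather than a change to every package's configuration.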



Re: red worm amusement

2001-07-22 Thread Bernhard R. Link
On Sun, 22 Jul 2001, Jacob Meuser wrote:

 What I would like is for packages to not start a service immediately
 upon installation.

Though I do not understand this, I do not want to argue again, see my
other post...

 I don't want the installation of packages to
 put links in /etc/rc?.d.

Why, just remove them after installing. No one forces you to reboot just
after installation. And installing a package without the want to run it
is only a security flaw.


 Apache by default listens on port 80.  Apache is now listening for
 incoming internet connections on port 80.  Links have been installed
 in /etc/rc?.d, so that this machine will be listening for connections
 on port 80 every time this machine is booted.
 Because you are running a service, it is VERY important that you
 read and follow the advice at http://www.debian.org/security/


This is only ridiculous.

The car-analogy fits here very good.

Don't understand me wrong, I'm not against telling the user, if he does
something dangerous. But coffee is hot, and a server lowers security.
Why not also giving 5 pages of warnings, when configuring a networking-
connection (which is the real security problem) and making the user to
type Yes, I want to crash my computer before installing, so that he
really knows, what can happen?



Respectfully,
  Bernhard R. Link



Re: red worm amusement

2001-07-22 Thread Rainer Weikusat
Jacob Meuser [EMAIL PROTECTED] writes:
 Still not the point.  I'm talking about services being enabled, either 
 by default, or by apt-get.

[...]

 ftpd is not enabled by default.

So imagine someone looking for a ftp-server, and, as it happens to be
the case, finds one, say, per locate, in /usr/libexec, which already
has a line corresponding to it in /etc/inetd.conf, though commented
out...

 There are many ways to locally compromise any Unix-like OS,
 therefore it has a rather low priority.

This sounds a bit illogical to me. If there are 'many ways', shouldn't
it rather be 'high priority', especially, as this renders per-daemon
uids basically useless?

 And who's going to teach them?  Certainly not an OS that makes it as
 easy as 'apt-get install apache'!

OSs don't teach people anything, documentation does. Which won't get
read anyway or at least be ignored.

 Maybe you don't get it.  A system that is compromised poses a danger
 to EVERYONE ON THE INTERNET.

So what? Try a cable-cutter.

-- 
stone me



Re: red worm amusement

2001-07-22 Thread Jörgen V .
I am new to Debian and this is my first post to the debian-security
mailinglist, having read this thread i really ain't seeing anybody pointing
out that it is the Sysadmin who makes the machine secure, it's not an OS
what makes a machine secure, it's the admin behind it.

I use a broad range of OS'es, including OpenBSD, claiming blunt out that
OpenBSD is secure by default is like dancing with the devil because it
isn't, every *NIX distro is by default leak\insecure, YOU have to make it
secure, when it comes to Microsoft products you can patch and upgrade all
you want, it isn't gonna help you make a secure system, you have to realize
that bugs and holes is something what comes by default with Microsoft. On
*NIX you can make a difference.


Jörgen V.
--
http://security.veendam.org
http://www.securitydatabase.net





Re: --no-run option (was: Re: red worm amusement)

2001-07-22 Thread Rob VanFleet
Exactly.  It is more of a special case to *not* want a server to start
at boot rather than the other way around.  To those who think that
apt-get install apache is too easy, then why is apt-get remove apache
too hard?

-Rob

On Sun, Jul 22, 2001 at 04:00:43PM +0200, Bernhard R. Link wrote:
 On Sun, 22 Jul 2001, Steven Barker wrote:
 
  I think that there should be a way to install a debian server package
  without having the installation scripts start the server.  This need not be
  default, but it should be possible.
 
 Why should anyone want to install a server without letting it run?
 
 
 The standard-config is normally sane, and when you do not think so, place
 another config-file there before installing it. ( If you are that paranoid
 you should not only do ar -x xxx.deb ; tar -xzf data.tgz etc/configfile ,
 but also check the whole package before installing it).
 
 
  would download, install and configure apache, but not run it.  When the
  sysadmin was satisfied with the configuration files, etc, then update-rc.d
  and such could be run by hand (or by another call to apt-get/dpkg with
  another flag).
 
 Not adding rc.d-Links is really ridiculous. If you have a computer that
 just boots after installing without the chance to change links, then you
 should plug-out the network-cable so or so.
 
  This would have to be both a policy change and a technical change in apt
  and/or dpkg.  I think it would be a good compromise between security and the
  simplicity of apt-get install foo.
 
 I do not see a necessity for it. Though if you want to supply patches to
 carry an --no-run in dpkg to some environment-variable to the script and
 and patch to dh_xxx to check this, go ahead, but there are important and
 senseful thing to do.
 
 Hochachtungsvoll,
   Bernhard R. Link
 
 



Re: --no-run option (was: Re: red worm amusement)

2001-07-22 Thread Steven Barker
On Sun, Jul 22, 2001 at 04:00:43PM +0200, Bernhard R. Link wrote:
 On Sun, 22 Jul 2001, Steven Barker wrote:
 
  I think that there should be a way to install a debian server packages
  without having the installation scripts start the server.  This need not be
  default, but it should be possible.
 
 Why should anyone want to install a server without letting it run?

Security, customizability, flexibility

 The standard-config is normally sane, and when you do not think so, place
 another config-file there before installing it.

You are right, and I don't think that running with a default configuration
would be a problem often.  But an option to prevent
servers (or perhaps all daemons, networked or not) from running on install
would let anyone who does not want the default configuration the chance to
change settings before starting it up.

Another problem with the current system is that disabled (as in, not running
and removed from /etc/rc?.d) daemons restart themselves when they are
upgraded.  Often they are in packages that are so fundamental that they
cannot realistically be removed (ie: inetd).  The same mechanism in apt/dpkg
that allows non-run installations could also permit non-run upgrades
(perhaps even automatically detected).

I'm not planning to hack this into dpkg, but perhaps it will be a future
project.  I'm always interested in other opinions as well.

-- 
Steven Barker  [EMAIL PROTECTED]
  I will make no bargains with terrorist hardware.
  -- Peter da Silva
I have a new PGP key!  Its ID is EBD5936B.
 Get it at http://www.students.uiuc.edu~/scbarker/pubkey.asc
PGP Key Fingerprint: 272A 3EC8 52CE F22B F745  775E 5292 F743 EBD5 936B



Re: red worm amusement

2001-07-22 Thread Hubert Chan
 Bernhard == Bernhard R Link [EMAIL PROTECTED] writes:

Bernhard On public streets or public places, you are not
Bernhard allowed. Otherwise you are allowed without licence.

True.  And I think that most of us won't care if people have insecure
boxes, if those boxes aren't on the Internet.

Bernhard (And even an licence does not avoid accidents and deaths, it
Bernhard only may reduce them)

True again.  Just as knowing about security or hiring a
security-conscious admin only reduces the chance of getting cracked.

 If we had the same sort of standards for computer use, though, we
 wouldn't have as much of a security problem as we do have.

Bernhard Sure?

Yes.  Because at the minimum, it would inform people about the
importance of paying attention to security.  (Mind you, the standards
that I'm talking about for driving only reflect my North American
experiences.  Germany may be (and I have heard it is) different.)

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/651854DF71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.



Re: red worm amusement

2001-07-22 Thread Colin R. R. Johnson
On Sun, 22 Jul 2001, Steven Barker wrote:


 On Sat, Jul 21, 2001 at 08:51:23PM -0700, Jacob Meuser wrote:

 snip

  No, I'm simply saying not to start services immediately.

 snip

 Well, I'm going to wade into this growing flamewar to point out what I think
 is a sound idea.  The trouble with the current system is that installed
 daemons automatically start running with a default configuration.  This is
 not always bad, but does not allow a paranoid sysadmin to protect themselves
 (short of ugly workarounds like taking down the network interface until the
 server is shut off).

 I think that there should be a way to install a debian server packages
 without having the installation scripts start the server.  This need not be
 default, but it should be possible.


I think this is a great idea, also, if dpkg / apt showed what servers were
being setup to run after the initial install, it could be saved to a file.

This would also assist if there was a break-in and a new server running
you could check against your original list.

 I'm sure there are many ways this could work.  Perhaps:

 [EMAIL PROTECTED]:/etc# apt-get install --no-run apache

 would download, install and configure apache, but not run it.  When the
 sysadmin was satisfied with the configuration files, etc, then update-rc.d
 and such could be run by hand (or by another call to apt-get/dpkg with
 another flag).

One option here would be a simple [y/n] question whether or not to run the
new service automatically as part of the package install.

--snip--

Colin.
--
Colin Johnson  [EMAIL PROTECTED]
Remember: Everything you see on screen is but ones and zeroes.
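
The message above suggests saving the list of services set up to run after the initial install and checking against it later, and an earlier message in the thread notes that disabled daemons come back on upgrade. As an added example (not code from the thread or from Debian), the sketch below snapshots the start links and reports differences; it assumes the sysv-rc layout of `/etc/rc?.d/SNNname` links (not file-rc), and the function names and baseline format are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): record which init scripts have start
# links under /etc/rc?.d, then report what changed since that baseline.
# Function names and the baseline file format are assumptions of this sketch.

# list_start_links ROOT -> "runlevel script" per S??name link in ROOT/rc?.d
list_start_links() {
    root=${1:-/etc}
    for link in "$root"/rc?.d/S[0-9][0-9]*; do
        # Skip the unexpanded pattern when a directory has no start links.
        [ -e "$link" ] || [ -L "$link" ] || continue
        dir=${link%/*}                      # .../rc2.d
        level=${dir##*/rc}                  # 2.d
        level=${level%.d}                   # 2
        base=${link##*/}                    # S20inetd
        printf '%s %s\n' "$level" "${base#S[0-9][0-9]}"
    done | LC_ALL=C sort -u
}

# save_baseline ROOT FILE: snapshot taken right after the initial install.
save_baseline() {
    list_start_links "$1" > "$2"
}

# compare_baseline ROOT FILE: NEW = starts now but not in the baseline
# (fresh install, upgrade that re-enabled a daemon, or an intruder's service);
# GONE = was in the baseline but no longer starts.
compare_baseline() {
    cur=$(mktemp) || return 1
    list_start_links "$1" > "$cur"
    LC_ALL=C comm -13 "$2" "$cur" | sed 's/^/NEW /'
    LC_ALL=C comm -23 "$2" "$cur" | sed 's/^/GONE /'
    rm -f "$cur"
}

# Usage: script save FILE | script check FILE   (no arguments: define only)
case "${1:-}" in
    save)  save_baseline /etc "$2" ;;
    check) compare_baseline /etc "$2" ;;
esac
```

Keep the baseline file off the machine or on read-only media, since a baseline stored on a compromised host can be rewritten along with the links.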



Re: red worm amusement

2001-07-21 Thread Ethan Benson

On Fri, Jul 20, 2001 at 07:52:26PM -0700, Tim Uckun wrote:
 You really can not blame people for not hiring 
 expensive unix sysadmins and letting some semi competent windows user run 
 the NT network.

oh? and whyever not?  it's this blatant irresponsibility that we have
such a mess security wise on the internet today.

that is sort of like saying `you really cannot blame people for not
hiring expensive architectural engineers and letting some semi
competent carpenter design your 10 story office building'

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



Re: red worm amusement - redirect

2001-07-21 Thread Alson van der Meulen

On Fri, Jul 20, 2001 at 06:24:54PM -0700, Alvin Oga wrote:
 
 
 hi ya Alson..
 
 if ya wrote a script... was thinking..wouldn't it be funny
 to redirect that incoming attack with the cgi script to 
 redirect it back to the incoming machine ???
I don't think the worm implements the full HTTP protocol, I'm afraid
it won't do HTTP redirects, it might be possible with port forwarding
like stuff, but I don't really want to spend much time on it anymore,
since the worm won't attack after 19 July.

It might be an idea for the next time though, would be funny, IIRC it
was possible to get infected multiple times :)

 On Sat, 21 Jul 2001, Alson van der Meulen wrote:
 
  On Sat, Jul 21, 2001 at 02:10:42AM +0200, Wichert Akkerman wrote:
   
   For amusement I checked the web logs for a few debian machines to see
   if they had some red worm attempts. Seems we've been probed a fair
   bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
   on www.debian.org. Almost all attempts were made on July 19. Aren't
   we glad we all run Linux? :)
  
  I first saw it while tailing my access.log at home, grepping
  access.log's of other servers showed indeed around 20 hits per server.
  
  Made some funny cgi script called /default.ida for fun :), apache
  didn't appear to like the HTTP request though, but thttpd passed it
  nicely to the cgi script. I even set up a temporary thttpd on a box
  just for fun of logging, wondered what would happen if I would adjust
  the router config at school to forward port 80 to an win2k server
  running IIS (prolly wouldn't have worked with Dutch localized IIS :( )
  
  Linux people having fun with win2k-exploits ;)

Cheers,
Alson
-- 
,---.
 Name:   Alson van der Meulen  
 Personal:[EMAIL PROTECTED]
 School:   [EMAIL PROTECTED]
`---'
Where's the DIR command?
-






Re: red worm amusement

2001-07-21 Thread Nathan E Norman

On Sat, Jul 21, 2001 at 12:09:07AM -0800, Ethan Benson wrote:
 On Fri, Jul 20, 2001 at 07:52:26PM -0700, Tim Uckun wrote:
  You really can not blame people for not hiring 
  expensive unix sysadmins and letting some semi competent windows user run 
  the NT network.
 
 oh? and whyever not?  it's this blatant irresponsibility that we have
 such a mess security wise on the internet today.
 
 that is sort of like saying `you really cannot blame people for not
 hiring expensive architectural engineers and letting some semi
 competent carpenter design your 10 story office building'

... except at this point in the game, most businesses don't see
server/network reliability in the same light they view reliability of
a building.  I never understood this attitude; most IT/IS managers
track uptime and pay a lot of lip service to fault analysis, but when
push comes to shove they don't really do anything about it.  Security
rarely enters the equation at all.  It seems to be difficult to grasp
that better security often leads to better reliability (at least from
the user's POV)

At my previous job I was repeatedly told we will not make security
enhancements if they make the network harder to use, where harder
might mean learning a new way to do something, or banning old insecure
behavior (telnet).

Oh well ...

-- 
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Ltd. | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]   |   -- Patton



Re: red worm amusement

2001-07-21 Thread Jacob Meuser

On Sat, Jul 21, 2001 at 12:09:07AM -0800, Ethan Benson wrote:
 On Fri, Jul 20, 2001 at 07:52:26PM -0700, Tim Uckun wrote:
  You really can not blame people for not hiring 
  expensive unix sysadmins and letting some semi competent windows user run 
  the NT network.
 
 oh? and whyever not?  it's this blatant irresponsibility that we have
 such a mess security wise on the internet today.
 
Blatant irresponsibility, hmmm ...

Perhaps Debian should follow the example of OpenBSD, and not start
possibly dangerous services by default.  It's really easy to install 
Debian and have all kinds of services running immediately.  I doubt
everyone who is running servers on Debian (by choosing to do so during 
the 'oh so easy' installation) really knows what they're doing.

[EMAIL PROTECTED]






Re: red worm amusement

2001-07-21 Thread Tim Uckun

At 12:09 AM 7/21/2001 -0800, Ethan Benson wrote:
On Fri, Jul 20, 2001 at 07:52:26PM -0700, Tim Uckun wrote:
  You really can not blame people for not hiring
  expensive unix sysadmins and letting some semi competent windows user run
  the NT network.

oh? and whyever not?  it's this blatant irresponsibility that we have
such a mess security wise on the internet today.

Well I thought I answered this question. Because Microsoft claims that you 
don't need them. They promise that their servers are easy to set up and 
maintain by normal people. When your CIO goes to shop around for a 
product and makes his cost analysis he does not add the cost of the 
sysadmin to the NT column. Microsoft told him that it was not needed and 
that it's a useless expense. I suppose CIO could be blamed for actually 
believing what MS says but let's face it most people don't realize that an 
MS executive will get fired if they don't lie to ten people by noon.

In a nutshell. The CIO bought a product and used it as advertised. It's 
really not the fault of the CIO that the product when used as advertised is 
faulty.  The irresponsibility rests with MS who advertises stable, secure 
and high performance operating systems which don't need sysadmins to run.

--
  Tim Uckun
   Mobile Intelligence Unit.
--
There are some who call me TIM?
--






Re: red worm amusement

2001-07-21 Thread Jacob Meuser

On Sat, Jul 21, 2001 at 10:57:39PM +0100, Nik Butler wrote:
 Jacob said:
  .  I doubt everyone who is running servers on Debian (by choosing to do so during
  the 'oh so easy' installation) really knows what they're doing.
 
 Grr, talk about giving companies like mine a bad name, I'm promoting Open
 Source software and its benefits, I gotta sit here on a saturday
 afternoon , playing catchup with my email and read comments like this.
 
 sigh.
 
Don't get me wrong.  Debian is great, and I think it's fantastic that 
you're helping to spread the good word.

I just think it's dangerous (and somewhat irresponsible) that
'apt-get install apache' installs AND starts apache AND adds links in
/etc/rc?.d, so that apache will be running every time the box is started.
Not to mention one doesn't even have to look at httpd.conf.  For those
that do know how to safely run servers, is it really that time consuming
to do these things yourself?

I think 'apt-get'ting a service should first display some sort of warning.
It should be rather technical, perhaps confusing to people who don't
know anything about running servers, so it at least makes them think twice
about installing said service.

I know security and usability are (at least said to be) inversely 
proportional.  It seems to me that Debian is more concerned about
usability than security, which is bad for the rest of the internet.
(I know, Debian is not the only distro that makes running servers 
dangerously easy, but I look at Debian as the example that others should
follow ;)

[EMAIL PROTECTED]





