Quoth Rainer Heilke on Mon, Mar 20, 2006 at 10:17:10AM -0800:
> > Quoth Rainer Heilke on Fri, Mar 17, 2006 at 08:22:43AM -0800:
...
> > If an administrator doesn't want ftpd to run for security reasons,
> > then he should disable the ftp service, in which case it won't
> > run with any svcadm milestone setting.
> > 
> > Making most services disabled out-of-the-box is the goal of
> > a different project.  It doesn't seem to be public, but it should
> > hit Nevada soon.
> 
> Odd. I seem to remember reading that, by default, 10 was going to have
> a number of the "insecure" services turned off. Either I misread, or
> my memory is worse than I thought. My apologies.
> 
> Maybe the item was just referring to the extra security features
> rolled in, like access to ipfilters and such?

You're probably thinking of the generic_limited_net.xml profile in
/var/svc/profile, which you can use to disable most services on the
system.  This is not the default, and there are still a few services
which remain exposed to the network (like rpcbind).  The project
I mentioned aims to fix those, and make this setup the default for
Nevada.

> > > By booting to multi-user and running the svcadm enable <fmri>, you
> > > are adding that service to the multi-user milestone.  Next time
> > > you boot up to multi-user, that service will get started again.
> > 
> > That's not true.  The only way to make services run in svcadm milestone
> > settings other than "all" is by making the milestone service in
> > question depend on the service, directly or indirectly.
> 
> I think I may have phrased my comment badly, making it sound like
> I had it backwards. In order to add a service to a milestone, that
> milestone must now be dependent on the service. (Not the other way
> around, where the service depends on the milestone. Is that more
> accurate?)

I think it's more likely that you were equating "multi-user milestone"
with "runlevel 3".  It's true that if you boot a system normally (the
"all" milestone), and then you enable a service, and you reboot
normally, the service will still be enabled and will be started.  It's
not true that if you boot to a specific milestone (either by booting to,
say, *runlevel* s or with "-m milestone=", or by using
svcadm milestone -d) and you enable a service which was disabled and
then you boot the same way, the service will be started.  If the service
was disabled the first time, then the milestone doesn't depend on it, so
it was temporarily disabled.  Without changing the dependencies,
svc.startd will still temporarily disable it the second time.


David
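As an added illustration (not code from this thread or from SMF itself), the following is a simplified Python model of the milestone rule described above: a service enabled with `svcadm enable` only comes online under a milestone other than "all" when that milestone depends on it, directly or indirectly, and only adding that dependency changes the outcome on the next boot. The dependency graph and the fmris in it are constructed for the example; dependency types and restarter behaviour are left out.

```python
# Simplified model of how svc.startd chooses which services to start when the
# system boots to a given milestone.  Written for this thread, not SMF code:
# it ignores dependency types (require_all, optional_all, exclude_all),
# dependency groups and restarter behaviour.

# Constructed graph: fmri -> the fmris it depends on.
GRAPH = {
    "milestone/multi-user": ["milestone/single-user", "network/inetd"],
    "milestone/single-user": ["network/physical"],
    "network/inetd": ["network/physical"],
    "network/physical": [],
    "network/ftp": ["network/inetd"],  # no milestone depends on it
}


def milestone_closure(graph, milestone):
    """The milestone plus everything it depends on, directly or indirectly."""
    seen, stack = set(), [milestone]
    while stack:
        fmri = stack.pop()
        if fmri not in seen:
            seen.add(fmri)
            stack.extend(graph.get(fmri, []))
    return seen


def boot(graph, enabled, milestone="all"):
    """Return {fmri: state} for one boot to `milestone`: a service comes online
    only if enabled AND the milestone is "all" or depends on it; enabled
    services outside the milestone's closure stay temporarily disabled."""
    wanted = set(graph) if milestone == "all" else milestone_closure(graph, milestone)
    states = {}
    for fmri in graph:
        if fmri not in enabled:
            states[fmri] = "disabled"
        elif fmri in wanted:
            states[fmri] = "online"
        else:
            states[fmri] = "temporarily disabled"
    return states


def with_dependency(graph, dependent, dependency):
    """Copy of graph with one edge added (what editing the milestone's
    dependencies with svccfg would achieve)."""
    new = {k: list(v) for k, v in graph.items()}
    new.setdefault(dependent, []).append(dependency)
    return new
```

Running `boot(GRAPH, set(GRAPH), "milestone/multi-user")` reports `network/ftp` as temporarily disabled even though it is enabled; only `with_dependency(GRAPH, "milestone/multi-user", "network/ftp")` makes it come online under that milestone.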
