Comment 24 for bug 109434

Rhonda D'Vine (rhonda) wrote : Re: [Bug 109434] Re: Installing a server for a game automatically auto-inits and runs every boot.

* Troy James Sobotka <email address hidden> [2009-01-21 03:54:37 CET]:
> And while we wait or fail to address this, countless other installations
> will happen.

 Installations that want the server and get it in a way ready to use.

> I'd be pretty certain that at least one person that has read this
> report is capable of raising and forcing the issue to either be
> resolved or dismissed.

$> sudo dpkg-divert --local --rename /sbin/start-stop-daemon
$> sudo ln -s /bin/true /sbin/start-stop-daemon

 Of course this is a crude hack, but it will make no servers be started
for you. Technically the symlinking of /bin/true should rather be
replaced by either a wrapper script that gives some warning, maybe even
asks if the server should be started when a tty is available, or do
something else.

> Debian's policy is absolutely absurd on servers. How much vision does
> it take to realize that this is a fundamental security problem?

 I think you are fundamentally overreacting here. When someone wants a
server installed it can be safely assumed that they want to have it
running. Given that the package maintainers are expected to ship
sensible defaults for those servers it rather sounds hypocritical to
call it a fundamental security problem. Where the defaults aren't
sensible this has to be addressed with the package maintainer at hand.
There are e.g. some server packages around that don't start because they
can't sensibly offer sane default values to start out with.

> Remember the Debian security debacle from a few months ago? Remember
> the black eye? How would more feel? Say hello to Ubuntu XP edition...

 Can we please come back to compare things that are at least remotely on
the same level or connected in any way? Thanks.

> Passive security is no security.

 No one forces people to install server packages. And even then I would
really love to have it addressed in the big picture and *not* have
wesnoth and tremulous singled out. Fighting the same thing for every
single package won't get us anywhere.

 So long. :)
Rhonda
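
The wrapper script suggested in the comment above, as an added example (not part of the original comment and not code from Debian or Ubuntu). It assumes the `dpkg-divert --rename` call has moved the real binary to dpkg-divert's default target `/sbin/start-stop-daemon.distrib`; the function names are hypothetical.

```shell
#!/bin/sh
# Install as /sbin/start-stop-daemon in place of the /bin/true symlink.
# Assumption: the diverted original lives at dpkg-divert's default name.
REAL="${REAL:-/sbin/start-stop-daemon.distrib}"

# Print "start" if the arguments ask to start a daemon, else "other".
# Simplification: only -S (possibly bundled, e.g. -Sq) and --start are
# recognised; everything after "--" belongs to the daemon and is ignored.
ssd_action() {
    for arg in "$@"; do
        case "$arg" in
            --) break ;;
            -S*|--start) echo start; return ;;
        esac
    done
    echo other
}

# Decide what to do: "pass" (run the real binary), "ask" or "block".
# $1 = result of ssd_action, $2 = "tty" or "notty".
ssd_decide() {
    if [ "$1" != start ]; then echo pass
    elif [ "$2" = tty ]; then echo ask
    else echo block
    fi
}

main() {
    if [ -t 0 ]; then term=tty; else term=notty; fi
    case "$(ssd_decide "$(ssd_action "$@")" "$term")" in
        ask)
            printf 'start-stop-daemon: start requested (%s). Start it? [y/N] ' "$*" >&2
            read -r answer
            case "$answer" in [Yy]*) exec "$REAL" "$@" ;; esac
            echo 'start-stop-daemon: not started.' >&2
            exit 0 ;;   # exit 0 like /bin/true, so maintainer scripts do not fail
        block)
            echo "start-stop-daemon: start blocked by local wrapper: $*" >&2
            exit 0 ;;
    esac
    exec "$REAL" "$@"   # stop, status and other actions go to the real binary
}

# Run only when invoked under the diverted name, not when sourced or tested.
case "$0" in */start-stop-daemon) main "$@" ;; esac
```

Without a terminal (package installation from a non-interactive front end, or boot) the start is refused with a warning on stderr, while stop requests still reach the real binary.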