Hi Aaron,

On 12-06-01 at 11:22am, Aaron Toponce wrote:
> Just because I have installed a service package, doesn't mean I want
> the service immediately running after installation. I would like to
> spend the necessary time as an administrator to configure and secure
> the service to my liking, before starting the service.

Debian's goal is - as you probably know already - for packages to work out of the box. For daemons this means they are started by default.

If a package (service or not) is insecure by default, it is a bug! The severity of such bugs varies - e.g. some may consider it insecure for a web server to publicly display a static page saying "It works!" while most probably won't.

You can override the default of daemons using policy.d.

What I do for chroots - which you can adapt to your own personal needs - is to install the package policyrcd-script-zg2 and add the attached config file as /usr/local/sbin/policy-rc.d .

Hope that helps,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

#!/bin/sh
# $Id: policy-rc.d,v 1.5 2007-01-16 09:59:43 jonas Exp $
#
# Copyright © 2006 Jonas Smedegaard <d...@jones.dk>
# Description: Suppress system V scripts if invoked within a chroot.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.

# Policy-rc.d is mentioned in manpage invoke-rc.d(8) and documented at
# http://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt

set -e

PRG=$(basename "$0")

# Test getopt inside the "if": under "set -e" a separate "$?" check is
# never reached. The empty -o keeps getopt from taking the first
# positional argument as its short-option string.
if ! TEMP=$(getopt -s sh -o '' --long list,quiet -n "$PRG" -- "$@"); then
    echo "Terminating..." >&2
    exit 1
fi
eval set -- "$TEMP"

# Stolen from udev postinst
chrooted() {
    if [ "$(stat -c %d/%i /)" = "$(stat -Lc %d/%i /proc/1/root 2>/dev/null)" ]; then
        # the devicenumber/inode pair of / is the same as that of /sbin/init's
        # root, so we're *not* in a chroot and hence return false.
        return 1
    fi
    return 0
}

quiet=""
list=""

while true ; do
    case "$1" in
        --quiet) quiet="1" ; shift ;;
        --list) list="1" ; shift ;;
        --) shift ; break ;;
        *) echo "Internal error!" >&2 ; exit 1 ;;
    esac
done

# Positional arguments as passed by invoke-rc.d (not used by this policy)
initscript="$1"
actions="$2"
runlevel="$3"

if [ "$list" ]; then
    cat <<EOF
The following policies are known to this policy daemon:

  default: All actions are allowed.
  chroot:  If invoked from within a chroot environment, no actions are
           allowed, else all are allowed.

This policy daemon care not about actions, so all standard actions
(start, [force-]stop, restart, [force-]reload and status), and any
additionally implemented ones, are supported.
EOF
    exit 0
fi

if chrooted; then
    if ! [ "$quiet" ]; then
        echo >&2 "Chroot environment detected, suppressing sysV script."
    fi
    exit 101
fi

exit 0
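
Added example, not part of the original message or its attachment: one way to adapt the same policy-rc.d hook to the request quoted at the top, so that a freshly installed daemon is not started until the administrator has reviewed it. The allowlist path, the POLICY_ALLOW_FILE variable and the one-id-per-line format are assumptions made for this example; exit codes 0, 101 and 103 are the ones defined in the specification the attached script links to.

```shell
#!/bin/sh
# Added example, not the attached script: deny-by-default policy-rc.d.
# Assumption: ALLOW_FILE and its one-id-per-line format exist only in this example.
ALLOW_FILE="${POLICY_ALLOW_FILE:-/etc/policy-rc.d.allow}"

# True if the initscript id appears as a whole line in the allowlist.
is_allowed() {
    [ -r "$ALLOW_FILE" ] && grep -qxF -- "$1" "$ALLOW_FILE"
}

# decide ID "ACTIONS": returns 0 (allowed) or 101 (forbidden by policy).
decide() {
    id=$1
    for action in $2; do
        case "$action" in
            stop|force-stop|status) ;;   # never block stopping or querying
            *) is_allowed "$id" || return 101 ;;
        esac
    done
    return 0
}

# policy_main [--quiet] [--list] ID ACTIONS [RUNLEVEL], as invoke-rc.d calls it.
policy_main() {
    quiet=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --quiet) quiet=1; shift ;;
            --list)  echo "start-type actions need the id listed in $ALLOW_FILE"; return 0 ;;
            --)      shift; break ;;
            -*)      return 103 ;;       # syntax error
            *)       break ;;
        esac
    done
    [ $# -ge 2 ] || return 103
    rc=0
    decide "$1" "$2" || rc=$?
    if [ "$rc" -eq 101 ] && [ -z "$quiet" ]; then
        echo "policy-rc.d: '$2' denied for $1 (not in $ALLOW_FILE)" >&2
    fi
    return "$rc"
}

# Act as the policy script only when installed under that name.
case "${0##*/}" in
    policy-rc.d) policy_main "$@"; exit $? ;;
esac
```

With no allowlist file present every start-type action is refused, so a service only comes up from a maintainer script after its id has been added to the file.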