Re: Services that can start by default policy feedback

On Sun, Feb 27, 2011 at 07:21:30PM +0000, Matthew Garrett wrote:
> On Sun, Feb 27, 2011 at 04:33:56PM +0100, Till Maas wrote:
> > On Fri, Feb 25, 2011 at 07:00:20PM +0000, Matthew Garrett wrote:
> > > On Fri, Feb 25, 2011 at 07:30:34PM +0100, Till Maas wrote:
> > > 
> > > > The services that are started when the respective package is installed
> > > > and the services that are enabled by default by the Fedora installer do
> > > > not need to be the same and are afaik currently not the same. There is
> > > > imho a huge difference, whether services are enabled during
> > > > installation, because afterwards one can usually expect that there are
> > > > unwanted services and whether services are enabled after the respective
> > > > package is installed long after the system has been installed.
> > > 
> > > I think multipath is the only service enabled by Anaconda. Everything 
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > else depends on the package doing so.
> > 
> > This does not mean that this is a good way or the only way to do this.
> 
> No, but it does mean that what you're proposing would involve adding 
> functionality to Anaconda. The current situation is that the services 
> that are started when the respective package is installed and the 
> services that are enabled by default by the Fedora installer *are* the 
> same.

You wrote that Anaconda already has the code to activate services, so
there is no additional functionality needed. Only the list of services
to be enabled needs to be extended. Nevertheless, this is a much cleaner
solution than having to recommend to users of Fedora not to install
packages on systems on a network or with non-admin users logged in to
avoid potential security risks because services might activate
themselves.

Btw. it is also possible to move the initial activation of services into
a single package that activates the respective services once after
installation, so no changes to the Anaconda code are even required.
People who want a secure system can then just deselect it. It could work
like the firstboot package.

Btw. in case someone with yum plugin writing skills reads this: Is it
possible to write a yum plugin that manipulates rpm scriptlets, e.g. one
that makes sure that no rpm can enable a service using "service foo on"?

Regards
Till
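
Added example, not part of the message above and not Fedora or yum code: a Python audit that reads the text `rpm -q --scripts` prints for a package and reports scriptlet lines that switch a service on or start it, the behaviour the message is concerned about. The sample scriptlets, the service name `foo` and the pattern list are constructed assumptions.

```python
import re

# Section headers as printed by `rpm -q --scripts`, e.g.
# "postinstall scriptlet (using /bin/sh):"
HEADER = re.compile(r"^(\w+) scriptlet \(using [^)]+\):\s*$")

# Commands that switch a service on or start it (assumed pattern list).
# `chkconfig --add` only registers the init script, so it is not flagged.
ENABLERS = [
    re.compile(r"\bchkconfig\b(?:\s+--level\s+\S+)?\s+(\S+)\s+on\b"),
    re.compile(r"\bsystemctl\b.*\s(?:enable|start)\s+(\S+)"),
    re.compile(r"\bservice\s+(\S+)\s+(?:start|on)\b"),
]

def find_enablers(scripts_text):
    """Return (scriptlet, service, line) for each enabling command found."""
    hits, section = [], None
    for raw in scripts_text.splitlines():
        m = HEADER.match(raw)
        if m:
            section = m.group(1)
            continue
        line = raw.split("#", 1)[0].strip()  # crude shell-comment removal
        if section is None or not line:
            continue
        for pat in ENABLERS:
            hit = pat.search(line)
            if hit:
                hits.append((section, hit.group(1), line))
                break
    return hits

# Constructed sample in the layout `rpm -q --scripts` uses.
SAMPLE = """\
preinstall scriptlet (using /bin/sh):
getent group foo >/dev/null || groupadd -r foo
postinstall scriptlet (using /bin/sh):
/sbin/chkconfig --add foo
# chkconfig foo on   (commented out, must not match)
/sbin/chkconfig --level 345 foo on
/sbin/service foo start >/dev/null 2>&1 || :
preuninstall scriptlet (using /bin/sh):
if [ $1 -eq 0 ]; then
    /sbin/service foo stop >/dev/null 2>&1
    /sbin/chkconfig --del foo
fi
"""

if __name__ == "__main__":
    for section, service, line in find_enablers(SAMPLE):
        print(f"{section}: enables/starts {service!r}: {line}")
```

Run against real packages by passing the captured output of `rpm -q --scripts <package>` to `find_enablers`.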

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
