Today's sysadmin discovery:

So, for all that I like Debian, one big sticking point I've had with it is that when you install a package which contains a system service, even if it was pulled in as a dependency of something else, that service gets auto-enabled, with a default configuration.

That has always felt like bad security practice to me, as it means any update can suddenly expose new services to the outside world without warning. It's also subtly broken my setup on at least two different occasions.

Fortunately, there is a way to change the default policy, so that new services only get enabled when you tell them to be:

https://manpages.debian.org/trixie/systemd/systemd.preset.5.en.html (example 1)

Definitely going to put that in my Ansible configs!

@rachelplusplus Be aware that adhering to this preset mechanism is up to the packagers (the installation scripts need to check for the setting), and in my testing of using Debian for one of our cloud environments, I found out that some services will happily ignore it, and got autostarted anyway.

I'm in the same boat as you, I like Debian to bits, but this "autostarting ALL the things!" is a show stopper for me.
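
An added example, not from either post: a small audit that pairs a default-off preset with a check for the caveat raised in the reply, listing services that ended up enabled although the preset policy says `disable`. It assumes the three-column layout (unit file, state, preset) of `systemctl list-unit-files --no-legend`; the preset file name, the unit names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Default-off policy in the style of systemd.preset(5), example 1.
# Hypothetical file: /etc/systemd/system-preset/00-local.preset
#   enable ssh.service     # services you do want, listed first (first match wins)
#   disable *              # everything else stays off until enabled explicitly

# Constructed sample of:
#   systemctl list-unit-files --type=service --no-legend
# Columns: unit file, state, preset. Unit names are invented.
sample_unit_files() {
cat <<'EOF'
ssh.service            enabled          enabled
exampled.service       enabled          disabled
cron.service           disabled         disabled
systemd-fsck@.service  static           -
other-example.service  enabled-runtime  disabled
EOF
}

# Read list-unit-files rows on stdin and print every unit whose state is
# enabled (or enabled-runtime) while the preset column says disabled,
# i.e. something enabled it without the preset policy allowing it.
preset_violations() {
    awk '$3 == "disabled" && $2 ~ /^enabled/ { print $1 }'
}

# Offline demonstration on the constructed sample.
sample_unit_files | preset_violations

# On a real host, feed it the live listing instead:
#   systemctl list-unit-files --type=service --no-legend | preset_violations
```

Anything it prints is either a package that bypassed the preset or a service you enabled by hand and have not yet added to the preset file as an `enable` line.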