Today's sysadmin discovery:
So, for all that I like Debian, one big sticking point I've had with it is that when you install a package which contains a system service, even if it was pulled in as a dependency of something else, that service gets auto-enabled, with a default configuration.
That has always felt like bad security practice to me, as it means any update can suddenly expose new services to the outside world without warning. It's also subtly broken my setup on at least two different occasions.
Fortunately, there is a way to change the default policy, so that new services only get enabled when you tell them to be:
https://manpages.debian.org/trixie/systemd/systemd.preset.5.en.html (example 1)
Definitely going to put that in my Ansible configs!
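
The "default to off" policy from the linked man page, extended with an allowlist, as an added example that is not part of the original post. The unit names, the allowlist and the scratch `PRESET_DIR` are constructed assumptions; on a real host the admin-owned location is `/etc/systemd/system-preset/`.

```shell
#!/bin/sh
# Added example: "default to off" preset policy with an explicit allowlist.
# PRESET_DIR defaults to a scratch directory so the script is safe to run;
# on a real host the admin-owned location is /etc/systemd/system-preset.
PRESET_DIR="${PRESET_DIR:-$(mktemp -d)}"
PRESET_FILE="$PRESET_DIR/99-default.preset"

# write_preset UNIT...: enable the listed units, disable everything else.
write_preset() {
    mkdir -p "$PRESET_DIR"
    {
        echo "# Allowlist (constructed sample): services this host should run"
        for unit in "$@"; do
            echo "enable $unit"
        done
        echo "# Everything else stays disabled until an admin enables it"
        echo "disable *"
    } > "$PRESET_FILE"
}

# preset_action UNIT: print the action the file assigns to UNIT.
# Mirrors the documented rule: the first matching line wins, and a unit
# that matches no line is enabled.
preset_action() {
    while read -r action pattern rest; do
        case "$action" in
            enable|disable) ;;
            *) continue ;;          # skip comments and blank lines
        esac
        # Unquoted $pattern is intentional: it is used as a shell glob.
        case "$1" in
            $pattern) echo "$action"; return 0 ;;
        esac
    done < "$PRESET_FILE"
    echo enable
}

# Constructed sample: keep SSH and time sync, leave a mail daemon disabled.
write_preset ssh.service systemd-timesyncd.service
for u in ssh.service systemd-timesyncd.service exim4.service; do
    printf '%s -> %s\n' "$u" "$(preset_action "$u")"
done
```

The allowlist lines must come before `disable *`, because the first matching line decides. The file only affects preset operations; units that are already enabled stay enabled until `systemctl preset` is run on them.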