Today's sysadmin discovery:

So, for all that I like Debian, one big sticking point I've had with it is that when you install a package which contains a system service, even if it was pulled in as a dependency of something else, that service gets auto-enabled, with a default configuration.

That has always felt like bad security practice to me, as it means any update can suddenly expose new services to the outside world without warning. It's also subtly broken my setup on at least two different occasions.

Fortunately, there is a way to change the default policy, so that new services only get enabled when you tell them to be:

https://manpages.debian.org/trixie/systemd/systemd.preset.5.en.html (example 1)

Definitely going to put that in my Ansible configs!

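The preset policy the post links to, modelled as an added Python example (not code from this thread, from Debian or from systemd): it applies the systemd.preset(5) resolution rules (files sorted by filename regardless of directory, a file in /etc shadowing one of the same name in /usr/lib, first matching line wins, unmatched units defaulting to enabled) to constructed preset files, so you can check which units a `systemctl preset-all` would turn on under the man page's `disable *` default plus an administrator allow-list. The file names `99-default.preset` and `00-admin.preset` and the unit names are constructed for the example.

```python
"""Model of systemd.preset(5) resolution: which units `systemctl preset`
would enable, disable or leave alone under a given set of preset files."""
from fnmatch import fnmatchcase

# Directory precedence from systemd.preset(5): a file in /etc shadows a file
# of the same name in /run, which shadows the same name in /usr/lib.
DIR_PRECEDENCE = ("/etc/systemd/system-preset",
                  "/run/systemd/system-preset",
                  "/usr/lib/systemd/system-preset")

# Constructed example (not read from disk): the man page's "default to off"
# policy shipped in /usr/lib plus an admin allow-list in /etc.
PRESET_FILES = {
    ("/usr/lib/systemd/system-preset", "99-default.preset"): "disable *\n",
    ("/etc/systemd/system-preset", "00-admin.preset"):
        "# only what the admin explicitly wants\nenable ssh.service\nignore cups.*\n",
}

def merge_preset_files(files):
    """Apply directory shadowing, then sort by filename only (lexical order is
    directory-independent). Returns [(filename, text)] in evaluation order."""
    chosen = {}
    for directory in reversed(DIR_PRECEDENCE):        # lowest precedence first...
        for (d, name), text in files.items():
            if d == directory:
                chosen[name] = text                    # ...so /etc overwrites last
    return sorted(chosen.items())

def parse_rules(merged):
    """Flatten to an ordered [(action, pattern)]; blank and comment lines skipped."""
    rules = []
    for _name, text in merged:
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            action, pattern = line.split(None, 1)
            if action not in ("enable", "disable", "ignore"):
                raise ValueError(f"unknown preset action: {line!r}")
            rules.append((action, pattern.split()[0]))  # instance args not modelled
    return rules

def resolve(unit, rules):
    """First matching line wins; a unit matched by no line defaults to 'enable'."""
    for action, pattern in rules:
        if fnmatchcase(unit, pattern):
            return action
    return "enable"

def preset_all(units, files=PRESET_FILES):
    rules = parse_rules(merge_preset_files(files))
    return {u: resolve(u, rules) for u in units}
```

Dropping the admin file from `PRESET_FILES` shows why the `99-` prefix matters: with only `disable *` left, every unit resolves to `disable`, and with no preset file at all systemd's default is to enable.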

@rachelplusplus FreeBSD has the opposite policy: the post-install message tells you how to enable the service. It's a common source of complaints, especially for things installed as dependencies (for example, you install KDE, it brings in things like dbusd, which it requires, but you need to manually enable it. As an end user, you have no idea what dbusd is or why KDE needs it; it's just an implementation detail).

@david_chisnall I'm not sure if FreeBSD has this mechanism, but systemd units can specify dependencies on other units. So in theory that should be solvable; I'll have to try it for a while and see if there are any issues in practice.

(I suppose that does re-introduce the "services I didn't explicitly enable are running" problem, just on a hopefully smaller scale. C'est la vie.)