12-06-2010, 06:32 PM
Miloslav Trmač

Fedora default services (was: F15 Feature - convert as many service init files as possible to the native SystemD services)

Michał Piotrowski wrote on Mon, 06. 12. 2010 at 20:22 +0100:
> 2010/12/6 Bill Nottingham <notting@redhat.com>:
> Does openssh stand out as something special among other daemons?
Actually, it does - for remote installations (sometimes the only option)
ssh needs to be running after installation so that the system
administrator can connect to it and start configuring it. Other
services are not necessary like this.

(Yes, the system administrator can write a kickstart script that enables
the service after installation. I'm not sure that's something we can ask
a novice sysadmin to do, however.)
Mirek

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
12-06-2010, 11:03 PM
Matt McCutchen

On Tue, 2010-12-07 at 00:38 +0100, Michał Piotrowski wrote:
> Cron - but should be activated only when cron files exist
>
> It seems to me that the list:
> - ssh
> - Dbus
> - syslog
> - iptables
> - ip6tables
> - auditd
> - restorecond
> is an absolute minimum to get "working system".

I don't agree that ssh is required for a "working system". A desktop
user may never ssh to his/her own machine. (Whether to enable ssh by
default is a different question.)

--
Matt

12-06-2010, 11:43 PM
Matt McCutchen

On Tue, 2010-12-07 at 01:07 +0100, Michał Piotrowski wrote:
> 2010/12/7 Matt McCutchen <matt@mattmccutchen.net>:
> > On Tue, 2010-12-07 at 00:38 +0100, Michał Piotrowski wrote:
> >> Cron - but should be activated only when cron files exist
> >>
> >> It seems to me that the list:
> >> - ssh
> >> - Dbus
> >> - syslog
> >> - iptables
> >> - ip6tables
> >> - auditd
> >> - restorecond
> >> is an absolute minimum to get "working system".
> >
> > I don't agree that ssh is required for a "working system".
>
> It's required for all systems without display device

That is, some servers. It needs to be easy to enable sshd when
installing a server, but I don't see a reason to have it enabled by
default on desktops.

--
Matt

12-07-2010, 01:04 AM
Miloslav Trmač

Adam Williamson wrote on Mon, 06. 12. 2010 at 17:57 -0800:
> On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
>
> > There are no stupid questions
> >
> > On most desktop systems firewall is not needed. Many users do not even
> > know how to configure it. In fact I disable it in most of my systems,
> > because there is no real use for it. So I asked a simple question
> > whether there is a need to install iptables by default?
>
> On most laptops, however, which are the most common types of system sold
> today, a firewall is very definitely needed when you're connecting to
> hotel networks, public wifi access points...
It's not quite as clear as that. Yes, the networks are dangerous. But
what specifically is the firewall protecting, and what specifically does
it prevent?
Mirek

12-07-2010, 01:08 AM
Matt McCutchen

On Mon, 2010-12-06 at 17:57 -0800, Adam Williamson wrote:
> On Mon, 2010-12-06 at 10:54 +0100, Michał Piotrowski wrote:
>
> > There are no stupid questions
> >
> > On most desktop systems firewall is not needed. Many users do not even
> > know how to configure it. In fact I disable it in most of my systems,
> > because there is no real use for it. So I asked a simple question
> > whether there is a need to install iptables by default?
>
> On most laptops, however, which are the most common types of system sold
> today, a firewall is very definitely needed when you're connecting to
> hotel networks, public wifi access points...

We're trying to get beyond that conventional wisdom and look at what
services might actually get unintentionally exposed in the absence of a
firewall and whether there is some other solution (e.g., don't enable
them by default, or bind to localhost).

https://lists.fedoraproject.org/pipermail/devel/2010-December/146758.html

--
Matt

12-07-2010, 07:27 AM
Tomas Mraz

On Mon, 2010-12-06 at 20:08 -0600, Chris Adams wrote:
> Once upon a time, Adam Williamson <awilliam@redhat.com> said:
> > On most laptops, however, which are the most common types of system sold
> > today, a firewall is very definitely needed when you're connecting to
> > hotel networks, public wifi access points...
>
> The only thing you need a firewall by default for is to prevent services
> that are listening on the network from being accessible. The better
> solution is to stop having services listen on the network by default.
>
> This was done for sendmail many years ago; why hasn't it been done for
> other things, such as rpcbind (and RPC services), cups, etc.? These
> daemons should bind to localhost only unless otherwise configured.
In the cups case it might probably be reasonable to default to localhost.
However for rpcbind it is clearly not so - what's the point of starting
things that are mostly needed for NFS when you would be able to mount
only NFS provided by the localhost and export it to the localhost only
as well? In that sense it is debatable whether we want to have rpcbind
ON by default but having it on and bound to localhost only does not make
any sense to me.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
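
Added example, not part of the original thread or of any Fedora tooling: a shell check for the question raised in the posts above, namely which services would be reachable in the absence of a firewall and which are already bound to localhost. It assumes input in the format printed by `ss -H -tuln` from iproute2; the sample lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which listeners are reachable from the network without a firewall?
# Input format: lines as printed by `ss -H -tuln` (iproute2), one socket per line.

# Constructed sample, not captured from a real host. Ports match services named
# in the thread: ssh 22, sendmail 25, rpcbind 111, cups 631.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      10         127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      5              [::1]:631           [::]:*
EOF
}

# Print "<scope> <proto> <port> <address>" per listener, where scope is
# "loopback" (127.0.0.0/8 or ::1) or "exposed" (wildcard or any other address).
classify_listeners() {
    awk '
    {
        ep = $5                          # Local Address:Port column
        n = match(ep, /:[^:]*$/)         # the last colon precedes the port
        if (n == 0) next
        addr = substr(ep, 1, n - 1)
        port = substr(ep, n + 1)
        sub(/%.*$/, "", addr)            # drop interface suffix, e.g. %lo
        sub(/^\[/, "", addr)             # [::1] -> ::1
        sub(/\]$/, "", addr)
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
        print scope, $1, port, addr
    }' | LC_ALL=C sort -u
}

# Only the sockets a default-deny firewall would actually be shielding.
exposed_listeners() {
    classify_listeners | awk '$1 == "exposed"'
}

sample_ss_output | classify_listeners
# On a live system: ss -H -tuln | exposed_listeners
```
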
