
Re: avahi-daemon



On Thu, Feb 23, 2006 at 12:47:44PM +0100, aliban wrote:
> >
> I am sorry, but I am quite new to Linux and Debian at all and you may excuse
> my question:
> 
> why is there no rule to "prompt the user" for all applications that open
> ports on non-localhost?

The default policy is a compromise between convenience and security. Debian
has opted for convenience (services are enabled per default) and strives to
have people do it properly (services are run as unprivileged users, with a
minimum configuration to make them functional). In some instances (only a
few packages, mostly base/important) users are given a chance to disable them
on installation (or, even,, but most other services are enabled per default.
Some services (which cannot be properly configured automatically) are left
off until you configure them and enable them manually, but there are not that
many of those.

The philosophy is: if you installed it from a binary package then you wanted
it to be active, if you don't want it to be active then either introduce a
policy that says "don't enable" it on install, or disable it manually
post-install, or don't install a binary package (pick up the sources
or the -doc packages instead if you just want to see how it works).

You can find more information in 
http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s3.6
and
http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html
(FAQ Question 11.1.14.1 Why are all services activated upon installation?)

HTH

Javier

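One way to express the "don't enable it on install" policy mentioned in the message above, as an added example that is not part of the original e-mail. It assumes the policy meant is the `policy-rc.d` hook that `invoke-rc.d` consults before a package's maintainer scripts start a service; the allowlist contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: a minimal /usr/sbin/policy-rc.d (assumed mechanism, see lead-in).
# invoke-rc.d calls it as: policy-rc.d [options] <initscript ID> <actions> [<runlevel>]
# Exit status 0 = action allowed, 101 = action forbidden by policy,
# 103 = syntax error.

# Constructed allowlist: services that may still be started at install time.
ALLOWED_SERVICES="ssh cron"

policy_decide() {
    # Skip leading options such as --quiet; --list queries are not handled here.
    while [ $# -gt 0 ]; do
        case "$1" in
            --*) shift ;;
            *) break ;;
        esac
    done
    [ $# -ge 2 ] || return 103

    service=$1
    actions=$2      # may be a space-separated list, e.g. "stop start"

    for action in $actions; do
        case "$action" in
            start|restart|reload|force-reload|try-restart) ;;
            *) continue ;;              # stop, status etc. are never blocked
        esac
        for ok in $ALLOWED_SERVICES; do
            [ "$service" = "$ok" ] && continue 2   # allowlisted: check next action
        done
        return 101                      # a start-type action on a non-listed service
    done
    return 0
}

# Act as the real hook only when installed under the name policy-rc.d.
case "${0##*/}" in
    policy-rc.d) policy_decide "$@"; exit $? ;;
esac
```

With this in place, installing a package such as avahi-daemon leaves its daemon stopped until an administrator starts it deliberately or adds it to the allowlist.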