Red Hat Bugzilla – Bug 134
please keep services turned *off* on install
Last modified: 2008-05-01 11:37:48 EDT
Redhat keeps getting easier and easier to install. That's
great! There's only one problem - lots of naive users are
installing Redhat without really understanding what
/etc/inetd.conf is, much less what a daemon started at boot
Linux users inside my organization are getting a lot of
flack as vulnerabilities in imapd and named are being
exploited and the network as a whole is being compromised.
The irony is that most of the Linux machines here do not
even need to be running imapd or named and their installers
have no idea these programs are running. Redhat just started
them up by default.
The "right" solution to this is for everyone to install
security updates, and for Linux machine owners to learn
enough to configure their boxes. Sadly, in practice that's
hard to make happen.
So I ask that Redhat consider cutting down the number of
services that are turned on by a default install. Go ahead
and install imapd, but leave it commented out in inetd.conf.
Don't start named in /etc/rc.d. That way, a default install
will be considerably more secure.
There's obviously a trade-off here, you want Redhat to be
cool and super-functional for a default install. Some
services obviously should be on by default. But I think
Redhat has gone too far with the default, and the result is
a lot of security problems.
If you'd like, I can send you a list of the services I think
should be on by default.
I understand where you are coming from on this one but unfortunately
its a two sided argument. In our newest version 5.2, we have a
workstation install scenario that does not install alot of the server
related apps so therefore the entries in inetd.conf that pertain to
those packages would not be functional anyway. Also there is always
the option of just choosing to not have the inetd service start at all
on workstations during the install. The point is that more education
of the users is needed rather than shipping these turned off by
default. We are working on making the manual that ships with Red Hat
to better explain these issues.
Thanks for your repsonse. We understand each other, but disagree. I
really don't think more documentation will solve the problem. Users
don't read manuals.
Again, I strongly urge you to make the default be more secure, by
keeping services off by default. If a user reads the manual, then they
can learn how to turn the services on.
I agree with Nelson... Who is more likely to read the manual? Users
installing Linux for their own personal workstation or system
administrators installing Linux for their organization's Internet
server? Hopefully the sysadmin, if anybody.
Services should be disabled by default and enabled by the sysadmin
manually. Linux needs to take over the desktop market, but not have
crackers take over the Linux desktops. ;-)
Hooray! Redhat 6.2 has finally changed the policy, looks like most services are
off by default.