Tumblelog by Soup.io
nobody
11:18

Debian Packages - Server autostart

All in all, I really like Debian and I use it a lot. However, there is one thing I do not understand: why do all those daemon packages add the daemon to the default runlevels, and why do they start it immediately on installation?

To be honest, most daemons that are not basic system daemons are more or less useless until configured correctly, if not outright insecure. Latest example: the ejabberd package starts ejabberd automatically on installation, which also starts the Erlang RPC daemon listening for connections from any IP address. The latter is a security issue.

Or take jabberd2 (granted, this package is only in sid): it starts the XMPP router with the password "secret", also listening on any IP address. This is a security issue as well.

At least for ejabberd, the Debian maintainers' answer to that question was: "if we would bind the rpc daemon to ::1/127.0.0.1 instead, we would break clustering". Likewise, having the XMPP router listen on anything other than loopback only matters for bigger Jabber setups that have to distribute c2s, s2s, sm and transports over different machines. Is it really a good idea to ship packages with an insecure default configuration that enables features most people won't need, and which those who do need know how to enable themselves, or should packages come with a secure default configuration?
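To make the exposure the post describes visible right after installing such a package, here is an added shell check (not from the post or from Debian) that lists listening TCP sockets bound to a wildcard address, i.e. reachable from any IP. It parses the output format of `ss -Hltnp` from iproute2; the sample lines below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: find listening TCP sockets bound to 0.0.0.0 or [::],
# the kind of default the post criticises for the Erlang RPC daemon
# and the jabberd2 router. Input format is that of `ss -Hltnp`.

# Constructed sample of `ss -Hltnp` output (not from a real machine).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:4369 0.0.0.0:* users:(("epmd",pid=1001,fd=3))
LISTEN 0 128 0.0.0.0:5222 0.0.0.0:* users:(("beam.smp",pid=1002,fd=20))
LISTEN 0 128 [::]:5347 [::]:* users:(("router",pid=1003,fd=5))
LISTEN 0 128 [::1]:5280 [::]:* users:(("beam.smp",pid=1002,fd=21))'

# wildcard_listeners: read ss-style lines on stdin and print "port process"
# for every LISTEN socket whose local address is a wildcard.
wildcard_listeners() {
    awk '
        $1 == "LISTEN" {
            local = $4
            # split "host:port" at the last colon (IPv6 hosts contain colons)
            n = match(local, /:[0-9]+$/)
            host = substr(local, 1, n - 1)
            port = substr(local, n + 1)
            if (host == "0.0.0.0" || host == "[::]" || host == "*") {
                proc = "unknown"
                # process name sits inside users:(("name",pid=...)) when run as root
                if (match($0, /\("[^"]+"/))
                    proc = substr($0, RSTART + 2, RLENGTH - 3)
                print port, proc
            }
        }'
}

# audit_host: run the check against the live socket table; returns 1 and
# prints the offenders when anything listens on a wildcard address.
audit_host() {
    out=$(ss -Hltnp 2>/dev/null | wildcard_listeners)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Run `audit_host` as root after installing a daemon package; in the constructed sample only the 5222 and 5347 listeners are reported, while the loopback-bound epmd and the [::1] listener are not.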
