Hi Francesco

On Tue, Sep 18, 2007 at 12:57:30AM +0200, Francesco Poli wrote:
> Package: harden-servers
> Version: 0.1.31
> Severity: wishlist
>
> Hi!
>
> I installed the harden-servers package on a workstation/desktop box
> in order to make sure I do not install excessively insecure daemons
> by mistake.

Good choice.

> But unfortunately many GNOME packages (galeon, libgnomevfs2-0,
> gnome-control-center, gnome-mount, yelp, ...) seem to recommend fam,
> either directly or indirectly. In its turn, fam depends on portmap,
> which harden-servers conflicts with.
> The net result of all this is: I cannot install galeon or contacts
> (or other GNOME packages), unless I do so with the --without-recommends
> option of aptitude. See below for an example.
>
> Why do GNOME packages recommend services (fam) that depend on insecure
> daemons (portmap)?

You have to ask the GNOME people about that. However, as you can install it
with --without-recommends, that means that it is not strictly a dependency,
which means that you can actually have GNOME installed without fam.

> Cannot I have a secure box with some full-feature GNOME packages
> installed?

Without the recommended packages that is possible.

> Now the question is: what should I do?
> Purge harden-servers and forget about it for any workstation/desktop
> box (that is to say: only install it on machines that *only* run
> servers)?
> If this is the case, please clarify it in the package description...

You can have harden-servers installed on a Desktop, you just need to make
sure that fam is not installed. I can imagine a number of ways to configure
a Desktop machine without insecure servers.

Best regards,

// Ola

>
> What follows is a transcript of my attempt at installing galeon:
>
>
> $ aptitude -s install galeon
> Reading package lists...
> Building dependency tree...
> Reading state information...
> Reading extended state information...
> Initializing package states...
> Reading task descriptions...
> Building tag database...
> The following packages are BROKEN:
> harden-servers
> The following NEW packages will be automatically installed:
> alacarte avahi-daemon binfmt-support capplets-data cdrdao cli-common
> cups-pdf cupsys cupsys-client cupsys-common dbus dbus-x11 deskbar-applet
> desktop-base desktop-file-utils docbook-xml dvd+rw-tools esound-clients
> esound-common evolution-data-server evolution-data-server-common fam
> foomatic-db foomatic-db-engine foomatic-filters galeon-common gconf2
> gconf2-common genisoimage gksu gnome-about gnome-applets
> gnome-applets-data gnome-control-center gnome-desktop-data
> gnome-doc-utils gnome-icon-theme gnome-keyring gnome-media
> gnome-media-common gnome-menus gnome-mime-data gnome-mount
> gnome-netstatus-applet gnome-panel gnome-panel-data gnome-session
> gnome-system-monitor gnome-user-guide gnome-utils gs-esp
> gstreamer0.10-alsa gstreamer0.10-plugins-base gstreamer0.10-plugins-good
> gstreamer0.10-x hal hal-info imagemagick iso-codes libaa1 libao2 libapm1
> libart-2.0-2 libart2.0-cil libasound2 libaudiofile0 libavahi-client3
> libavahi-common-data libavahi-common3 libavahi-compat-libdnssd1
> libavahi-core5 libavahi-glib1 libavc1394-0 libbeagle0 libbonobo2-0
> libbonobo2-common libbonoboui2-0 libbonoboui2-common libcaca0
> libcamel1.2-10 libcdio6 libcdparanoia0 libcpufreq0 libcucul0
> libcupsimage2 libdaemon0 libdbus-1-3 libdbus-glib-1-2 libdv4
> libebook1.2-9 libecal1.2-7 libedata-book1.2-2 libedata-cal1.2-6
> libedataserver1.2-9 libedataserverui1.2-8 libeel2-2.18 libeel2-data
> libegroupwise1.2-13 libenchant1c2a libesd0 libexif12 libfam0 libflac8
> libgail-common libgail18 libgconf2-4 libgconf2.0-cil libgksu2-0
> libglade2.0-cil libglib2.0-cil libgmime-2.0-2 libgmime2.2-cil
> libgnome-desktop-2 libgnome-keyring0 libgnome-media0 libgnome-menu2
> libgnome-vfs2.0-cil libgnome-window-settings1 libgnome2-0
> libgnome2-common libgnome2.0-cil libgnomecanvas2-0 libgnomecanvas2-common
> libgnomecups1.0-1 libgnomekbd-common libgnomekbd1 libgnomekbdui1
> libgnomeprint2.2-0 libgnomeprint2.2-data libgnomeprintui2.2-0
> libgnomeprintui2.2-common libgnomeui-0 libgnomeui-common libgnomevfs2-0
> libgnomevfs2-common libgnomevfs2-extra libgstreamer-plugins-base0.10-0
> libgstreamer0.10-0 libgtk2.0-cil libgtkhtml2.0-cil libgtkhtml3.8-15
> libgtksourceview-common libgtksourceview1.0-0 libgtop2-7 libgtop2-common
> libgucharmap6 libhal-storage1 libhal1 libhunspell-1.1-0 libidl0
> libiec61883-0 libjasper1 liblcms1 libmagick9 libmetacity0
> libmono-cairo1.0-cil libmono-corlib1.0-cil libmono-corlib2.0-cil
> libmono-data-tds2.0-cil libmono-security2.0-cil libmono-sharpzip2.84-cil
> libmono-system-data2.0-cil libmono-system-web2.0-cil
> libmono-system1.0-cil libmono-system2.0-cil libmono0 libmono2.0-cil
> libmozjs0d libnautilus-burn4 libnautilus-extension1
> libndesk-dbus-glib1.0-cil libndesk-dbus1.0-cil libnotify1 libnspr4-0d
> libnss-mdns libnss3-0d libogg0 liboil0.3 liborbit2 libpanel-applet2-0
> libpci2 libpoppler1 libraw1394-8 librsvg2.0-cil libscrollkeeper0 libsexy2
> libshout3 libslab0 libslp1 libsmbclient libsmbios1 libsoup2.2-8 libspeex1
> libstartup-notification0 libsysfs2 libtag1c2a libtheora0
> libtotem-plparser1 libtrackerclient0 libvisual-0.4-0
> libvisual-0.4-plugins libvorbis0a libvorbisenc2 libvorbisfile3
> libwavpack1 libwnck-common libwnck18 libxklavier11 libxml2-utils libxres1
> libxslt1.1 libxul-common libxul0d menu-xdg metacity metacity-common
> mono-common mono-gac mono-jit mono-runtime nautilus nautilus-cd-burner
> nautilus-data notification-daemon openssl oss-compat pciutils
> poppler-utils portmap powermgmt-base python-beagle python-cairo
> python-dbus python-fpconst python-glade2 python-gmenu python-gnome2
> python-gnome2-desktop python-gobject python-gtk2 python-gtk2-doc
> python-libxml2 python-numeric python-pyorbit python-soappy python-support
> samba-common scrollkeeper sgml-data shared-mime-info smbclient ssl-cert
> sudo tomboy wodim xsltproc yelp
> The following NEW packages will be installed:
> alacarte avahi-daemon binfmt-support capplets-data cdrdao cli-common
> cups-pdf cupsys cupsys-client cupsys-common dbus dbus-x11 deskbar-applet
> desktop-base desktop-file-utils docbook-xml dvd+rw-tools esound-clients
> esound-common evolution-data-server evolution-data-server-common fam
> foomatic-db foomatic-db-engine foomatic-filters galeon galeon-common
> gconf2 gconf2-common genisoimage gksu gnome-about gnome-applets
> gnome-applets-data gnome-control-center gnome-desktop-data
> gnome-doc-utils gnome-icon-theme gnome-keyring gnome-media
> gnome-media-common gnome-menus gnome-mime-data gnome-mount
> gnome-netstatus-applet gnome-panel gnome-panel-data gnome-session
> gnome-system-monitor gnome-user-guide gnome-utils gs-esp
> gstreamer0.10-alsa gstreamer0.10-plugins-base gstreamer0.10-plugins-good
> gstreamer0.10-x hal hal-info imagemagick iso-codes libaa1 libao2 libapm1
> libart-2.0-2 libart2.0-cil libasound2 libaudiofile0 libavahi-client3
> libavahi-common-data libavahi-common3 libavahi-compat-libdnssd1
> libavahi-core5 libavahi-glib1 libavc1394-0 libbeagle0 libbonobo2-0
> libbonobo2-common libbonoboui2-0 libbonoboui2-common libcaca0
> libcamel1.2-10 libcdio6 libcdparanoia0 libcpufreq0 libcucul0
> libcupsimage2 libdaemon0 libdbus-1-3 libdbus-glib-1-2 libdv4
> libebook1.2-9 libecal1.2-7 libedata-book1.2-2 libedata-cal1.2-6
> libedataserver1.2-9 libedataserverui1.2-8 libeel2-2.18 libeel2-data
> libegroupwise1.2-13 libenchant1c2a libesd0 libexif12 libfam0 libflac8
> libgail-common libgail18 libgconf2-4 libgconf2.0-cil libgksu2-0
> libglade2.0-cil libglib2.0-cil libgmime-2.0-2 libgmime2.2-cil
> libgnome-desktop-2 libgnome-keyring0 libgnome-media0 libgnome-menu2
> libgnome-vfs2.0-cil libgnome-window-settings1 libgnome2-0
> libgnome2-common libgnome2.0-cil libgnomecanvas2-0 libgnomecanvas2-common
> libgnomecups1.0-1 libgnomekbd-common libgnomekbd1 libgnomekbdui1
> libgnomeprint2.2-0 libgnomeprint2.2-data libgnomeprintui2.2-0
> libgnomeprintui2.2-common libgnomeui-0 libgnomeui-common libgnomevfs2-0
> libgnomevfs2-common libgnomevfs2-extra libgstreamer-plugins-base0.10-0
> libgstreamer0.10-0 libgtk2.0-cil libgtkhtml2.0-cil libgtkhtml3.8-15
> libgtksourceview-common libgtksourceview1.0-0 libgtop2-7 libgtop2-common
> libgucharmap6 libhal-storage1 libhal1 libhunspell-1.1-0 libidl0
> libiec61883-0 libjasper1 liblcms1 libmagick9 libmetacity0
> libmono-cairo1.0-cil libmono-corlib1.0-cil libmono-corlib2.0-cil
> libmono-data-tds2.0-cil libmono-security2.0-cil libmono-sharpzip2.84-cil
> libmono-system-data2.0-cil libmono-system-web2.0-cil
> libmono-system1.0-cil libmono-system2.0-cil libmono0 libmono2.0-cil
> libmozjs0d libnautilus-burn4 libnautilus-extension1
> libndesk-dbus-glib1.0-cil libndesk-dbus1.0-cil libnotify1 libnspr4-0d
> libnss-mdns libnss3-0d libogg0 liboil0.3 liborbit2 libpanel-applet2-0
> libpci2 libpoppler1 libraw1394-8 librsvg2.0-cil libscrollkeeper0 libsexy2
> libshout3 libslab0 libslp1 libsmbclient libsmbios1 libsoup2.2-8 libspeex1
> libstartup-notification0 libsysfs2 libtag1c2a libtheora0
> libtotem-plparser1 libtrackerclient0 libvisual-0.4-0
> libvisual-0.4-plugins libvorbis0a libvorbisenc2 libvorbisfile3
> libwavpack1 libwnck-common libwnck18 libxklavier11 libxml2-utils libxres1
> libxslt1.1 libxul-common libxul0d menu-xdg metacity metacity-common
> mono-common mono-gac mono-jit mono-runtime nautilus nautilus-cd-burner
> nautilus-data notification-daemon openssl oss-compat pciutils
> poppler-utils portmap powermgmt-base python-beagle python-cairo
> python-dbus python-fpconst python-glade2 python-gmenu python-gnome2
> python-gnome2-desktop python-gobject python-gtk2 python-gtk2-doc
> python-libxml2 python-numeric python-pyorbit python-soappy python-support
> samba-common scrollkeeper sgml-data shared-mime-info smbclient ssl-cert
> sudo tomboy wodim xsltproc yelp
> 0 packages upgraded, 258 newly installed, 0 to remove and 0 not upgraded.
> Need to get 139MB of archives. After unpacking 484MB will be used.
> The following packages have unmet dependencies:
> harden-servers: Conflicts: portmap but 6.0-4 is to be installed.
> Resolving dependencies...
> The following actions will resolve these dependencies:
>
> Remove the following packages:
> harden-servers
>
> Score is 121
>
> Accept this solution? [Y/n/q/?] q
> Abandoning all efforts to resolve these dependencies.
> Abort.
> $ aptitude -s install --without-recommends galeon
> Reading package lists...
> Building dependency tree...
> Reading state information...
> Reading extended state information...
> Initializing package states...
> Reading task descriptions...
> Building tag database...
> The following NEW packages will be automatically installed:
> dbus dbus-x11 esound-common galeon-common gconf2 gconf2-common
> gnome-keyring gnome-mime-data libart-2.0-2 libaudiofile0 libavahi-client3
> libavahi-common-data libavahi-common3 libavahi-glib1 libbonobo2-0
> libbonobo2-common libbonoboui2-0 libbonoboui2-common libdbus-1-3
> libdbus-glib-1-2 libesd0 libfam0 libgconf2-4 libgnome-desktop-2
> libgnome-keyring0 libgnome2-0 libgnome2-common libgnomecanvas2-0
> libgnomecanvas2-common libgnomeui-0 libgnomeui-common libgnomevfs2-0
> libgnomevfs2-common libhal-storage1 libhal1 libidl0 libmozjs0d
> libnspr4-0d libnss3-0d liborbit2 libstartup-notification0 libxul-common
> libxul0d shared-mime-info
> The following NEW packages will be installed:
> dbus dbus-x11 esound-common galeon galeon-common gconf2 gconf2-common
> gnome-keyring gnome-mime-data libart-2.0-2 libaudiofile0 libavahi-client3
> libavahi-common-data libavahi-common3 libavahi-glib1 libbonobo2-0
> libbonobo2-common libbonoboui2-0 libbonoboui2-common libdbus-1-3
> libdbus-glib-1-2 libesd0 libfam0 libgconf2-4 libgnome-desktop-2
> libgnome-keyring0 libgnome2-0 libgnome2-common libgnomecanvas2-0
> libgnomecanvas2-common libgnomeui-0 libgnomeui-common libgnomevfs2-0
> libgnomevfs2-common libhal-storage1 libhal1 libidl0 libmozjs0d
> libnspr4-0d libnss3-0d liborbit2 libstartup-notification0 libxul-common
> libxul0d shared-mime-info
> The following packages are RECOMMENDED but will NOT be installed:
> esound-clients fam gnome-control-center gnome-icon-theme gnome-mount
> iso-codes libgnomevfs2-extra scrollkeeper yelp
> 0 packages upgraded, 45 newly installed, 0 to remove and 0 not upgraded.
> Need to get 23.5MB of archives. After unpacking 82.9MB will be used.
> Do you want to continue? [Y/n/?] Y
> Would download/install/remove packages.
>
>
>
> -- System Information:
> Debian Release: lenny/sid
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.21-2-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages harden-servers depends on:
> ii debconf [debconf-2.0] 1.5.14 Debian configuration management
> sy
>
> harden-servers recommends no packages.
>
> -- debconf information:
> harden-servers/vncserver:
> harden-servers/inetd:
> harden-servers/plaintext:
>
>
>

-- 
 --------------------- Ola Lundqvist ---------------------------
/  [EMAIL PROTECTED]                   Annebergsslingan 37        \
|  [EMAIL PROTECTED]                   654 65 KARLSTAD            |
|  http://opalsys.net/                 +46 (0)70-332 1551         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
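
The distinction the reply draws between Depends and Recommends can be checked mechanically. The following is an added example, not part of the original message or of the harden-servers package: it classifies each package that a guard package conflicts with as a hard or a soft conflict for a given install target. The control stanzas are a constructed simplification of the relationships named in the thread, and the function names are hypothetical.

```python
# Constructed, simplified control stanzas modelled on the thread; real data
# would come from `apt-cache show` or /var/lib/dpkg/status.
CONTROL = """\
Package: galeon
Depends: galeon-common, libgnomevfs2-0

Package: libgnomevfs2-0
Depends: libfam0
Recommends: fam

Package: fam
Depends: portmap

Package: harden-servers
Conflicts: portmap
"""

FIELDS = ("Depends", "Recommends", "Conflicts")

def parse(text):
    """Return {package: {field: [names]}}; version constraints are dropped
    and only the first name of an 'a | b' alternative is kept."""
    pkgs = {}
    for stanza in text.strip().split("\n\n"):
        raw = dict(line.split(": ", 1) for line in stanza.splitlines())
        pkgs[raw["Package"]] = {
            f: [n.split()[0] for n in raw.get(f, "").split(",") if n.strip()]
            for f in FIELDS
        }
    return pkgs

def closure(pkgs, root, fields):
    """Packages reachable from root following only the given fields."""
    seen, todo = set(), [root]
    while todo:
        rels = pkgs.get(todo.pop(), {})
        for dep in (d for f in fields for d in rels.get(f, [])):
            if dep not in seen:
                seen.add(dep)
                todo.append(dep)
    return seen

def classify(pkgs, target, guard):
    """hard: pulled in by Depends alone, target and guard cannot coexist.
    soft: pulled in only via a Recommends edge, avoidable at install time."""
    banned = set(pkgs[guard]["Conflicts"])
    hard = closure(pkgs, target, ("Depends",)) & banned
    soft = (closure(pkgs, target, ("Depends", "Recommends")) & banned) - hard
    return {"hard": sorted(hard), "soft": sorted(soft)}

if __name__ == "__main__":
    pkgs = parse(CONTROL)
    for target in ("galeon", "fam"):
        print(target, classify(pkgs, target, "harden-servers"))
```

A target with only soft conflicts, like galeon here, can be installed alongside the guard package with `--without-recommends`; a target with a hard conflict, like fam, cannot.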