Hi Ola.

Sorry for that ultra long delay.


On Tue, 2009-01-20 at 07:23 +0100, Ola Lundqvist wrote:
> Yes I know that this one is annoying and I know that you can configure
> things in a proper way. However the intention with the harden-* suite is that
> you will get a more hardened system without the need to make special
> configurations manually.
My idea is the following:
Even on servers it is nowadays not so uncommon that you have fam running
and on desktops anyway.
A user probably has set up portmap correctly, but still cannot install
harden-servers.
While portmap will stay in secure/loopback-only mode, harden-servers
will stay uninstalled.
And thus the user might easily install one of the other packages that
harden-servers conflicts with, and which is really an "evil" package.

You see both ways have their disadvantage, but personally I'd consider
it better not to conflict with portmap and let the user install it in
order to "secure" him from the other packages and solve the portmap
problem like described below:


> However I appreciate your feedback on this and if I or someone else find a
> very good solution to this, I will happily apply a good patch.
Well, the only way I can think of right now is that the package adds some
test to debconf that checks whether portmap is bound to the loopback
device.
Such a test might even be added as a cron job (perhaps weekly or even
daily) in order to notify the user when he installs portmap after
harden-servers or later changes the portmap config.
If that cron job finds a non-loopback setting it might even deactivate
portmap.



Thanks,
Chris.
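One way to implement the loopback check proposed in this message, as an added example that is not code from the harden-* packages or from either poster: a POSIX shell script that parses `netstat -ln` output and flags any port 111 listener that is not on 127.0.0.0/8 or ::1. The function names and the two sample netstat listings are constructed for the example.

```shell
#!/bin/sh
# Hypothetical loopback check for portmap (port 111), suitable for a cron job.
# Input is text in "netstat -ln" format (Proto Recv-Q Send-Q Local-Address ...).

# Print every local address on port 111 that is not a loopback address.
# The wildcard 0.0.0.0 / :: counts as exposed, since it accepts remote RPC.
non_loopback_portmap() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            if (!match(addr, /:[0-9]+$/)) next   # no ":port" suffix
            host = substr(addr, 1, RSTART - 1)
            port = substr(addr, RSTART + 1)
            if (port != "111") next
            if (host ~ /^127\./ || host == "::1") next
            print host
        }'
}

# Return 0 when portmap is loopback-only, 1 (with a notice on stderr) otherwise.
check_portmap_binding() {
    exposed=$(non_loopback_portmap "$1")
    [ -z "$exposed" ] && return 0
    printf 'portmap listens on non-loopback address(es):\n%s\n' "$exposed" >&2
    # A stricter cron job could stop the daemon here (Debian: invoke-rc.d portmap stop).
    return 1
}

# Constructed sample listings, not captured from a real host.
SAMPLE_SECURE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:111           0.0.0.0:*               LISTEN
udp        0      0 127.0.0.1:111           0.0.0.0:*
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

SAMPLE_EXPOSED='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
tcp6       0      0 :::111                  :::*                    LISTEN'

# In a cron job, replace the sample with: check_portmap_binding "$(netstat -ln)"
for sample in "$SAMPLE_SECURE" "$SAMPLE_EXPOSED"; do
    if check_portmap_binding "$sample" 2>/dev/null; then
        echo "OK: portmap is loopback-only"
    else
        echo "ALERT: portmap is exposed (notify the admin here)"
    fi
done
```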
