Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upDebian template: disable newly (all) installed services by default #2238
Comments
rootkovska
added
C: templates
P: major
task
labels
Aug 7, 2016
rootkovska
added this to the Release 4.0 milestone
Aug 7, 2016
rootkovska
added
the
security
label
Aug 7, 2016
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
andrewdavidwong
modified the milestones:
Release 4.0,
Release 4.1
Mar 31, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
rootkovska commentedAug 7, 2016
The role of a Qubes template is to offer software (i.e. a filesystem with installed software), not to run it!
It might break some security assumptions if all the software user intends to install in a template (which the user might want to use only on few of the AppVMs based on that software) was also made running in all the AppVMs based on that template.
While we do not allow for inter-VM networking between AppVM by default, neither to reach AppVM from the outside world (thanks to default DNAT-based routing), there still might be edge cases where enabling all services by default might have fatal consequences. E.g. a service that periodically fetches some data, then parses it (and subsequently gets exploited due to some bugs it might have).
AFAIU, the Debian policy of "enable services for all installed software" is in stark contrast with Fedora's default rule which says the opposite.