Today's sysadmin discovery:
So, for all that I like Debian, one big sticking point I've had with it is that when you install a package which contains a system service, even if it was pulled in as a dependency of something else, that service gets auto-enabled, with a default configuration.
That has always felt like bad security practice to me, as it means any update can suddenly expose new services to the outside world without warning. It's also subtly broken my setup on at least two different occasions.
Fortunately, there is a way to change the default policy, so that new services only get enabled when you tell them to be:
https://manpages.debian.org/trixie/systemd/systemd.preset.5.en.html (example 1)
Definitely going to put that in my ansible configs!
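As an added illustration (not part of the thread above, and not Debian's or systemd's own code): the preset mechanism the man page describes is "first matching line wins, files applied in lexicographic order", so a `99-default.preset` containing `disable *` turns every newly installed unit off unless an earlier file such as `00-local.preset` explicitly enables it. The small POSIX shell evaluator below reads a preset directory and reports which line would decide a given unit, which lets you review the policy before running `systemctl preset` on a host. Assumptions, labelled in the comments: a single preset directory (real systemd also merges `/run` and `/usr/lib` with `/etc` winning on equal file names), and every word after `enable`/`disable`/`ignore` is treated as a glob pattern; the sample preset files it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: evaluates the first-match-wins rule of
# systemd.preset(5) against a unit name so the effect of a "disable *" default
# can be reviewed before `systemctl preset` is run.
# Assumptions: one preset directory only (systemd also merges /run and /usr/lib,
# with /etc taking precedence on equal names); every word after the action is a
# glob pattern (instance arguments on "enable foo@.service a b" lines are not
# modelled).
set -eu

# preset_rule DIR UNIT -> prints "ACTION FILE" for the first matching line,
# or "enable (default)" when no line matches (systemd's own default).
# Runs in a subshell so `set -f` (no pathname expansion) stays local: a pattern
# like "*" read from a file must never be expanded against the filesystem.
preset_rule() (
    dir=$1
    unit=$2
    set -f
    # Lexicographic order is the order systemd applies preset files
    # (00-... before 99-...).
    for f in $(find "$dir" -maxdepth 1 -name '*.preset' | sort); do
        while read -r action patterns; do
            case $action in
                enable|disable|ignore) ;;
                *) continue ;;          # blank lines and '#' comments
            esac
            patterns=${patterns%%#*}    # drop a trailing comment
            for p in $patterns; do
                # Unquoted $p lets '*' and '?' act as globs inside case,
                # which still works with pathname expansion disabled.
                case $unit in
                    $p) printf '%s %s\n' "$action" "${f##*/}"; return 0 ;;
                esac
            done
        done < "$f"
    done
    printf 'enable (default)\n'
)

# preset_action DIR UNIT -> just the action word (enable, disable or ignore)
preset_action() {
    preset_rule "$1" "$2" | cut -d' ' -f1
}

# Constructed sample in the shape of "Example 1" of the man page: everything
# off by default, with an explicit allow-list in a lower-numbered file.
demo() {
    d=$(mktemp -d)
    printf 'enable ssh.service\nenable systemd-timesyncd.service\n' \
        > "$d/00-local.preset"
    printf '# default to off for anything not listed above\ndisable *\n' \
        > "$d/99-default.preset"
    for u in ssh.service nginx.service systemd-timesyncd.service; do
        printf '%-28s -> %s\n' "$u" "$(preset_rule "$d" "$u")"
    done
    rm -rf "$d"
}
demo
```

Once the real files are in place under `/etc/systemd/system-preset/`, `systemctl preset <unit>` applies the policy to a unit that is already installed, and `systemctl is-enabled <unit>` shows the resulting state; since a `disable *` default also affects units you already rely on, check the output of the evaluator for those before applying it on a production host.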
-
@rachelplusplus The recommended way to do this used to be by creating a /usr/sbin/policy-rc.d with an exit status of 0 or 1 or something. This systemd.preset mechanism looks simpler and much more convenient to use. Thanks for the tip!
-
@amenonsen I did see that approach being mentioned on stackexchange, as well as in some documentation which seemed to date back to Debian 3 (!). I haven't tested whether that still works alongside the systemd mechanism, or if it was fully replaced.