HUGE security concern! - Level: wtf???

Escobar523
Posts: 1
Joined: Mon Apr 26, 2021 8:31 am

HUGE security concern! - Level: wtf???

Post by Escobar523 »

I just installed the latest VirtualBox VM and discovered something that I almost couldn't believe.
After the usual setting of locales and timezone, I installed nginx and a few other programs (openjdk, python).
I explicitly chose just nginx, not any kind of PHP. I also didn't choose to start nginx automatically or at reboot.
After finishing that installation and a reboot, I saw at the login that php7.3-fpm is installed and running; nginx is also running.
I thought it might not be a bug, just a feature, and tried to stop and disable both PHP and nginx. But with every reboot both services are running!
I even deleted the nginx.service file, same result! How is that possible?
How can a service still be active after sudo stopped and deactivated it? How many services run unintended because of that?
Joulinar
Posts: 5666
Joined: Sat Nov 16, 2019 12:49 am

Re: HUGE security concern! - Level: wtf???

Post by Joulinar »

Hi,

this is working as intended, I would say.

Each software title you install via dietpi-software will be started automatically. Furthermore, these services will be set to DietPi controlled. This means DietPi takes care of starting the service during boot. This can be changed using dietpi-services. Just select the nginx service and set the option Include/Exclude to excluded. This way you should be able to run systemctl disable nginx.service and nginx should stay inactive on reboot.

Yes, PHP will be installed along with a web server, as it is needed in most cases to be able to run web applications. The installation is not hidden. It's clearly shown during the install process. If you don't need PHP, it can simply be uninstalled using dietpi-software.
Please let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
MichaIng
Site Admin
Posts: 3254
Joined: Sat Nov 18, 2017 6:21 pm

Re: HUGE security concern! - Level: wtf???

Post by MichaIng »

With webserver installs, PHP is included indeed. I always wanted to change that, but the config code would need a larger rework. I'd be happy for contributions.

But that should be clear, as the menu only allows selecting whole stacks: webserver + database + PHP, and a webserver alone would require you to run the CLI? And the output of the install process informs you very transparently about the dependencies that are installed along with your selection/CLI input.

I aim to make those install options independent from each other, but it may take a while until I find time. Until then I suggest apt install nginx-light for standalone webserver installs.

DietPi-Services starts all non-masked and non-excluded services at boot, at a late boot stage in a defined order. systemctl disable <name> does not prevent that. Run dietpi-services, select the service you don't want to have started automatically and select Include/Exclude.

But also this service start-up should be shown transparently on boot?

Same here: I aim to switch to a systemd-initiated service start at boot, hence controllable by enable/disable. But that requires defining all ordering in the systemd units, hence a larger task as well.

When you remove the systemd unit and reboot the system, the service cannot start. But it will still run until you reboot or systemctl stop it manually. Which systemd unit/file started the service can be checked via:

systemctl status nginx
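
An added example, not part of any post in this thread and not DietPi's own code: a shell check for the situation discussed above, where a service is running although systemd lists its unit file as disabled. The function name and the sample input are constructed for illustration; the `--live` switch is this script's own and runs the same check against the local system.

```shell
#!/bin/sh
# Added example: find services that are running although systemd lists their
# unit file as "disabled", i.e. something other than `systemctl enable`
# started them (a boot-time service manager, socket activation, a dependency).

# Constructed sample: `systemctl list-unit-files --type=service --no-legend`
SAMPLE_UNIT_FILES='cron.service enabled
nginx.service disabled
php7.3-fpm.service disabled
ssh.service enabled
bluetooth.service masked'

# Constructed sample:
# `systemctl list-units --type=service --state=running --no-legend --plain`
SAMPLE_RUNNING='cron.service loaded active running Regular background program processing daemon
php7.3-fpm.service loaded active running The PHP 7.3 FastCGI Process Manager
nginx.service loaded active running A high performance web server
ssh.service loaded active running OpenBSD Secure Shell server'

# active_but_disabled UNIT_FILES RUNNING
# Prints, sorted, every unit that appears in RUNNING while UNIT_FILES gives
# its state (second column) as "disabled".
active_but_disabled() {
    { printf '%s\n' "$1"; printf '%s\n' '--'; printf '%s\n' "$2"; } |
    awk '
        $0 == "--"                  { second = 1; next }
        !second && $2 == "disabled" { disabled[$1] = 1; next }
        second && ($1 in disabled)  { print $1 }
    ' | sort
}

if [ "${1:-}" = "--live" ]; then
    # Query the running system instead of the samples.
    active_but_disabled \
        "$(systemctl list-unit-files --type=service --no-legend)" \
        "$(systemctl list-units --type=service --state=running --no-legend --plain)"
else
    active_but_disabled "$SAMPLE_UNIT_FILES" "$SAMPLE_RUNNING"
fi
```

Each unit it prints can then be inspected with systemctl status to see which unit file it was loaded from.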