Univention Bugzilla – Bug 45823
univention-server-$role packages strictly depend on too many services
Last modified: 2021-02-15 16:54:18 CET
A lot of our univention-* packages have reverse dependencies that go up to univention-server-$role. Because of this, it is not possible to cleanly uninstall some packages without also uninstalling almost all univention-* packages.

Example: A customer wanted to uninstall nfs-kernel-server and nfs-common because of security regulations (no NFS allowed). But:

univention-server-master depends on
-> univention-role-server-common depends on
-> univention-nfs-server depends on
-> nfs-kernel-server

This way, uninstalling nfs-kernel-server will also uninstall univention-server-master, which will break the server.

This is not about NFS; the same is true for e.g. "heimdal-servers", "nagios-nrpe-server" and "openbsd-inetd". We should consider changing the dependencies so that uninstalling those (optional) components becomes possible.
As this problem should not just be treated as a simple feature request, I am changing the bug report to a security problem. There is a recommendation from BSI BUND to close openly accessible Portmapper services (https://www.bsi.bund.de/EN/Topics/IT-Crisis-Management/CERT-Bund/CERT-Reports/HOWTOs/Open-Portmapper-Services/open-Portmapper-services_node.html). It is currently not possible to follow the advice above without eliminating essential UCS services. It is also not advisable to rely on a packet filter to filter those ports, because it may not work or can be disabled by accident. Installing NFS by default may have been necessary in the past. It is hard to believe that every UCS role will need it nowadays.
Bugs tagged as "Security Issue" should have CVSS scores. I've marked it as Bug group "Security" instead. For cifs, Bug #39259 shows how we can do this. I guess we can use the same (Recommends instead of Depends) here.
Same thing here Bug 47939 I guess.
(In reply to Arvid Requate from comment #2)
> For cifs Bug #39259 shows how we can do this. I guess
> we can use the same (Recommends instead of Depends) here.

Our mechanism to calculate "maintained" currently only follows "Depends", so make sure to add "Recommends" to the "trigger list" to keep them maintained - or even the "DVD task list" to also keep them on the DVD to still get them installed by default.
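The removal cascade in the bug description and the Depends-versus-Recommends proposal in the comments can be modelled with a small dependency resolver. The following is an added example, not code from Univention or from this bug; the control stanzas are constructed to mirror the chain quoted above (package names as in the report, version constraints and the rpcbind | portmap alternative are assumptions), not real UCS metadata. It parses dpkg-style Depends/Recommends fields and computes which packages must go when a target is removed: a package is dropped when one of its Depends clauses has no installed alternative left, while Recommends only produce a warning. On a real system the equivalent check is `apt-get -s remove nfs-kernel-server` (simulation only) or `apt-cache rdepends --installed --recurse nfs-kernel-server`.

```python
"""Model the uninstall cascade: hard Depends pull the whole univention-server-$role
chain out with a leaf package, a Recommends link stops the cascade.
Added example with constructed control stanzas; not real UCS package metadata."""
import re
from collections import namedtuple

Pkg = namedtuple("Pkg", "name depends recommends")

# strips "(>= 1.0)" version constraints and "[amd64]" arch qualifiers
_VERSION_OR_ARCH = re.compile(r"\s*(\([^)]*\)|\[[^\]]*\])")


def _parse_relation(field):
    """'a (>= 1), b | c' -> [['a'], ['b', 'c']]: one list per comma-separated
    clause, with the '|' alternatives of that clause inside it."""
    clauses = []
    for clause in field.split(","):
        clause = clause.strip()
        if not clause:
            continue
        alts = [_VERSION_OR_ARCH.sub("", a).strip() for a in clause.split("|")]
        clauses.append([a for a in alts if a])
    return clauses


def parse_control(text):
    """Parse blank-line separated dpkg stanzas into {name: Pkg}.
    Only packages present here count as installed."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        name = fields["Package"]
        pkgs[name] = Pkg(name,
                         _parse_relation(fields.get("Depends", "")),
                         _parse_relation(fields.get("Recommends", "")))
    return pkgs


def _clause_broken(pkgs, removed, alternatives):
    # A clause is satisfied while any alternative is installed and not removed.
    return all(alt in removed or alt not in pkgs for alt in alternatives)


def removal_closure(pkgs, targets):
    """Transitive set of packages dpkg has to remove together with `targets`:
    iterate to a fixed point, dropping every package that has a Depends clause
    with no remaining alternative. Recommends never force a removal."""
    removed = set(targets)
    changed = True
    while changed:
        changed = False
        for pkg in pkgs.values():
            if pkg.name in removed:
                continue
            if any(_clause_broken(pkgs, removed, c) for c in pkg.depends):
                removed.add(pkg.name)
                changed = True
    return frozenset(removed)


def unsatisfied_recommends(pkgs, removed):
    """Packages that stay installed but whose Recommends now point at removed
    packages; apt only warns about these."""
    return frozenset(pkg.name for pkg in pkgs.values()
                     if pkg.name not in removed
                     and any(_clause_broken(pkgs, removed, c) for c in pkg.recommends))


# Constructed stanzas modelled on the chain quoted in the bug report.
_COMMON = """\
Package: univention-server-master
Depends: univention-role-server-common (>= 1.0), univention-directory-manager

Package: univention-nfs-server
Depends: nfs-kernel-server, nfs-common

Package: nfs-kernel-server
Depends: nfs-common, rpcbind | portmap

Package: nfs-common
Depends: rpcbind | portmap

Package: rpcbind

Package: univention-directory-manager
"""

# Variant 1: the hard Depends chain described in the report.
STRICT = _COMMON + """
Package: univention-role-server-common
Depends: univention-directory-manager, univention-nfs-server
"""

# Variant 2: the Bug #39259 approach, Recommends instead of Depends.
RELAXED = _COMMON + """
Package: univention-role-server-common
Depends: univention-directory-manager
Recommends: univention-nfs-server
"""

if __name__ == "__main__":
    for label, text in (("Depends", STRICT), ("Recommends", RELAXED)):
        pkgs = parse_control(text)
        for target in ("nfs-kernel-server", "rpcbind"):
            gone = removal_closure(pkgs, {target})
            print(f"{label}: removing {target} also removes {sorted(gone - {target})}")
            print(f"  unsatisfied Recommends: {sorted(unsatisfied_recommends(pkgs, gone))}")
```

With the strict variant, removing nfs-kernel-server (or just rpcbind, the portmapper the BSI advisory is about) takes univention-server-master with it; with the Recommends variant the cascade stops at univention-nfs-server and the role package merely reports an unsatisfied recommendation, which is exactly why the Recommends-based packages then need to be kept on the "maintained" trigger list explicitly.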