| 1 |
On Mon, Dec 11, 2017 at 4:03 PM, Alan Mackenzie <acm@×××.de> wrote: |
| 2 |
> On Mon, Dec 11, 2017 at 18:56:15 +0000, Neil Bothwick wrote: |
| 3 |
|
| 4 |
|
| 5 |
>> This may come as a surprise to some, but some things you hear on |
| 6 |
>> t'internet are not true... |
| 7 |
>> |
| 8 |
>> For example, the http server is there to allow access to logs from |
| 9 |
>> another machine without needing to grant SSH access. It is not enabled by |
| 10 |
>> default. |
| 11 |
> |
| 12 |
> OK. But it's still there taking up RAM, and (more importantly) makes a |
| 13 |
> systemd system a broader target for attacks. Whether a system has an |
| 14 |
> http server (or, for that matter, an SSH server), for whatever purpose, |
| 15 |
> should be for the system administrator to decide. I suspect this isn't |
| 16 |
> the case for systemd's http server. |
| 17 |
> |
| 18 |
> In any case, I don't want an http server on my system: I have no http to |
| 19 |
> serve. I installed sshd as one of the first things on my new system, to |
| 20 |
> facilitate the transfer of files to it (and, probably, reading logs from |
| 21 |
> it remotely). |
| 22 |
|
| 23 |
I don't use systemd on Gentoo but I assume that there's a USE flag for |
| 24 |
the http server, because, in binary distributions, this http server's |
| 25 |
in a standalone package - "systemd-journal-remote" on Ubuntu and |
| 26 |
"systemd-journal-gateway" on RHEL and clones. |
| 27 |
|
| 28 |
|
| 29 |
> I don't want a binary logging daemon either: that means having to learn |
| 30 |
> a special purpose utility to be able to read its logs, and, in general, |
| 31 |
> not being able to read that log from a remote machine. |
| 32 |
|
| 33 |
You can set "Storage=none" and "ForwardToSyslog=yes" in |
| 34 |
"/etc/systemd/journald.conf", install and enable rsyslog and you won't |
| 35 |
have binary logs when running systemd. |
Archives