TurnKey Linux Virtual Appliance Library

Dev Question: Preferred way to disable service (confconsole) from running at boot?

Jeremy's picture

I am currently working on a prototype TKL Lucid Client Core TKLPatch and am seeking the preferred way to disable confconsole from autostarting (so it doesn't interfere with the GUI at boot).

For now I'm using

update-rc.d confconsole disable

to disable it and

update-rc.d confconsole enable

to re-enable it. It all works no problem. Well, actually for interest sake it does complain that

update-rc.d: warning: /etc/init.d/confconsole missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>

But that's obviously non-critical as it doesn't seem to affect anything.

Despite the fact that it works nicely, as I'm a Linux newb I thought it may be best to see what others think, especially Liraz &/or Alon. Is there a better, or preferred way?

Ultimately it might be nice to include these commands in a script that disables x/enables confconsole and enables confconsole/disables x. Something easy to remember for usage scenarios where users wish to easily enable and disable the GUI.

That seems to be the best way

I missed your post about the TKL Client. Looks interesting, looking forward to seeing how it would work...

Liraz Siri's picture

update-rc.d is the recommended method

According to the Debian Policy Manual which is a good source for information on how stuff is supposed to work in Debian/Ubuntu. Don't take it too literally though. It's for packagers, not system integrators.

BTW the only "evil" alternative would be to manipulate files in /etc/rc*.d/ manually which works for sysvinit scripts but I'm not sure if it would work for upstart stuff.
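To see what update-rc.d actually changed, the start/stop links under /etc/rc*.d/ can be inspected directly. The following is an added example, not part of the original posts or of TurnKey's own tooling: `disable` leaves K (stop) links behind, while `-f ... remove` leaves no links at all. The function names and the optional RC_ROOT argument are assumptions made for illustration, and the check covers sysvinit links only, not upstart jobs.

```shell
#!/bin/sh
# Added example: report a sysvinit service's boot state per runlevel by
# reading the S??name / K??name links that update-rc.d manages.
# The second argument (RC_ROOT, default /etc) is an assumption so the
# check can be pointed at a copy of the tree or a mounted image.

# rc_state SERVICE [RC_ROOT]
# Prints one line per existing runlevel dir: "<runlevel> <start|stop|absent> <NN>"
rc_state() {
    svc=$1
    root=${2:-/etc}
    for lvl in 0 1 2 3 4 5 6 S; do
        dir="$root/rc$lvl.d"
        [ -d "$dir" ] || continue
        state=absent
        seq=-
        # K sorts before S, so if both exist the S link wins (reported as start).
        for link in "$dir"/[SK][0-9][0-9]"$svc"; do
            # Unmatched glob stays literal; -L also accepts dangling symlinks.
            [ -e "$link" ] || [ -L "$link" ] || continue
            name=${link##*/}
            case $name in
                S*) state=start ;;
                K*) state=stop ;;
            esac
            seq=${name#?}          # drop the leading S or K
            seq=${seq%"$svc"}      # drop the service name, leaving NN
        done
        echo "$lvl $state $seq"
    done
}

# starts_at_boot SERVICE [RC_ROOT]
# Exit status 0 if any multi-user runlevel (2-5) still has a start link.
starts_at_boot() {
    rc_state "$1" "${2:-/etc}" | grep -q '^[2-5] start '
}

# Usage on a live system:
#   rc_state confconsole
#   starts_at_boot confconsole && echo "confconsole still starts at boot"
```
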

disabling confconsole at startup

I'm a total Linux newb so forgive me if this has already been answered.

I feel like the confconsole starting automatically is an obvious security risk if someone gains physical access to my TKL box (currently running LAMP). How do I disable the console from starting automatically at boot?

Jeremy's picture

If someone bad has physical access you're screwed!

IMO confconsole is not really a security risk. The only thing you can do is fiddle with networking and reboot. Both of these can pretty much still be done if you have physical access to the machine, even with confconsole disabled. Unplug LAN cable & press reset button!

If physical access to your machine is easy then it is tricky to have any real security at all (beyond basic password protection to avoid any casual damage - which confconsole doesn't sidestep - you still need to enter a username & password to do anything else). It takes all of about 2 minutes to change the root/Administrator password on a Linux/Windows machine (assuming you can boot from CD).

Bottom line - if you are concerned about people fiddling and want to secure your machine, physically secure it - don't worry about confconsole!

Personally I remove screen and keyboard anyway (run headless).

I'm with Jed on this one

Physical access is a higher security risk. But otoh, adding a password to confconsole would be a nice feature. Xenserver has its console for changing IPs, domain and starting/stopping VMs, and is password protected. In a virtualized environment, you could gain access via VNC to the machine screen, and the risk would be there.

A password for confconsole is not a total solution for security, but adds an extra layer.

My 2 cents...

Liraz Siri's picture

Thoughts on password protection for the confconsole

We actually considered requiring the user to login to access the confconsole and decided against it. The main reason is that we don't want to complicate things for less savvy users. They're the ones who need our help the most so the defaults are designed to make things as easy as possible for them.

Advanced users that don't like this default can easily turn off the confconsole service like this:

/etc/init.d/confconsole stop
update-rc.d -f confconsole remove

As you both stated if the bad guy has physical access to your server it may be too late anyhow as they can physically power cycle the main and then drop into a root shell by adding the following options to your bootloader (e.g., grub):

init=/bin/sh rw

figured it out

Okay, I guess I should have played around with this before posting this question. But I just used Webmin, clicked on bootup and shutdown, and there it was. Just clicked on confconsole and clicked on the disable on boot button. Seems to have accomplished what I was looking to do.

Jeremy's picture

Regardless of my post above

Glad you could achieve your aims. IMO Linux is great, hope you find TKL useful :)

OK, confconsole is working on raspi, as that seems productive

Now, anyone able to take the time to let me know how to get it to display before the system asks for login? Or should I do more homework?


Jeremy's picture

You'll want a couple of scripts I think...

Don't hold me to this RiK, but I think you'll want a couple of scripts (well at least one - it depends on how confconsole is set up and TBH I haven't played with it at all - other than above...). The first is the init script. It needs to go in the /etc/init.d/ dir. It may also need a script in /etc/defaults/ but that I'm not sure of...

The init script will need to be executable. And I think if you just run 'update-rc.d confconsole defaults' then it should autostart... But I could be wrong. If it's not working then you could try copying these from a working TKL appliance and copying them in and see what happens. (AFAIK it should be fine as scripts should still run fine, it's just binaries that won't work without compiling for the platform).

All makes sense

Ok, I can wrap my brain around all of this. Except, in the source, I didn't see anything to compile. I've got /etc/init.d/confconsole set and executable. It looks for confconsole in /usr/bin I believe; I didn't see anything to compile or move there, so I touched /usr/bin/confconsole and told it to invoke python /path/to/confconsole.py.

Brilliant. I'll check the logs.

[Later] I think I see the problem. ifutils is being found. So I suspect pythonpath is not pointing to where the install doc said to put the .py files: /usr/lib/confconsole.

You're all clever and have judgement: should I make a new forum topic?


Jeremy's picture

There probably isn't anything to compile

Because it's just scripts they will run on anything (the python binary itself would need to be compiled for ARM, but the Debian devs take care of that for you).

Keep going here if you want. I think it's still relevant to the original thread.

Progress

Inithooks working without a kludge; Raspbian should borrow this instead of relying on defaults.

Confconsole is working, but it's awkward. I had to put the python dependencies in /usr/bin, which is wrong on at least two levels. I've tried permissions, I've tried other python folders in usr/lib, but no luck. I do want them where the documents say they belong - /usr/lib/confconsole. But for now, it's not to be.

I'm still not sure of the wisdom of this project. It would help me to have core on the raspi, but I'm wrestling with whether it authentically helps anyone else.


Jeremy's picture

So do you have it running before login?

In the other thread you were saying that it runs but not until after login. Perhaps you need to have a manual fiddle in the /etc/rc.d dir. IIRC all the startup scripts are numbered in there, so you'll just need to reduce the leading number so it runs earlier... I think...

Disabling ConfConsole at Boot using WebMin

I use the Turnkey LAMP and it comes with WebMin.

I use the WebMin tool, http://YOUR_IP:12321/init/edit_action.cgi?0+confconsole to disable the confconsole from starting up at boot.  I set "Start at boot time" to "No".

I really like the WebMin interface.
