
Protip: systemctl disable: disable from launching at boot time. If you want to make sure a service cannot be started at all, what you want is systemctl mask.

e.g., if the (insecure) rsync daemon could be running at the moment, these three should have you covered:

sudo systemctl stop rsync
sudo systemctl disable rsync
sudo systemctl mask rsync

(PS. Yeah, you really shouldn’t be running the rsync daemon. And you don’t need it to use rsync over ssh.)

@aral there's also disable --now which is like disable && stop

@aral also you don't really need sudo, systemctl will ask you to authenticate via PAM which may actually be nicer than sudo

@bugaevc @aral why is it nicer? I know that sudo is way better than bare su. But how is systemctl going through policykit (which depends on a JS engine) and PAM better?

@AMDG2 @aral well first of all sudo is also working via PAM, IIUC. It gives you nice things as a user, such as being able to use your fingerprint sensor or your face/retina scanner hardware to authenticate. As a sysadmin, you can set up policies (not that I use this). You also get LDAP support.

Unlike sudo, systemctl actually ends up using a graphical fingerprint/password prompt, if one is available (if you're running it in a graphical session).

@bugaevc @aral yes, sudo is working via PAM, so it gets the same features as systemctl when it comes to LDAP and it has a policy system with the sudoers file.

Then the real advantage is the desktop integration for me. Regarding the multiple factor authentication, is it supported from terminal? Is it something you saw implemented in practice?

@AMDG2 @aral yes, on my other laptop, I've always logged in / authorized actions via the fingerprint sensor, whether with graphical login (GDM), console login (login(1)), sudo, systemctl, ...

@bugaevc @aral did you have any configuration to do? I would like to replicate this on an old laptop.

@AMDG2 @aral I just went into GNOME Settings and configured a fingerprint for my user, and then it just worked everywhere. I don't have this on my current laptop sadly because the particular fingerprint sensor has no Linux drivers / libfprint support

@bugaevc @aral OK, thank you, what is your distro? I guess with my ArchLinux I will need some configuration.

@aral systemd systemctl tip:

enable, disable, and mask all accept "--now" to also apply the setting to the running system at the same time.

So, to mask rsync, it can be shortened to one command:

sudo systemctl mask --now rsync

@aral (Personally, I think systemd state and similar things, such as firewalld, shouldn't have a distinction between doing something and having it persist across reboots. It should all be in sync. Anyway…)

@aral this is a real thing you should be checking, some bad distros (*cough* those with dpkg) will autostart services you should *never* run on an open network, like rpcbind
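
An added example, not part of any post in the thread: a small audit that tells apart the states the thread discusses (enabled at boot, merely disabled, masked, and masked while the old process is still running). The function names classify_unit and audit_units and the verdict words are hypothetical; the state strings are the ones systemctl is-enabled and systemctl is-active print.

```shell
#!/bin/sh
# classify_unit ENABLED_STATE ACTIVE_STATE -> prints one verdict word
classify_unit() {
    enabled=$1 active=$2
    case $active in
        active|activating|reloading) running=yes ;;
        *) running=no ;;
    esac
    case $enabled in
        masked|masked-runtime)
            # mask without stop (or --now) leaves the current process alive
            [ "$running" = yes ] && echo "masked-but-running" || echo "blocked" ;;
        enabled|enabled-runtime)
            echo "autostart" ;;
        not-found)
            echo "absent" ;;
        *)
            # disabled, static, indirect, ...: not started at boot, but a
            # manual start, a dependency or socket activation can launch it
            [ "$running" = yes ] && echo "running" || echo "startable" ;;
    esac
}

# audit_units UNIT...: query the live system, one report line per unit.
# Returns 1 if any unit is neither blocked nor absent.
audit_units() {
    rc=0
    for unit in "$@"; do
        # Assumption: empty output (older systemd, unknown unit) means not-found
        enabled=$(systemctl is-enabled "$unit" 2>/dev/null) || true
        active=$(systemctl is-active "$unit" 2>/dev/null) || true
        verdict=$(classify_unit "${enabled:-not-found}" "${active:-inactive}")
        printf '%-16s %-14s %-12s %s\n' "$unit" \
            "${enabled:-not-found}" "${active:-inactive}" "$verdict"
        case $verdict in blocked|absent) ;; *) rc=1 ;; esac
    done
    return $rc
}

# On a systemd host, with the unit names mentioned in the thread:
#   audit_units rsync rpcbind
```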

Aral’s Mastodon

This is my personal Mastodon.