From 22cf2e08379b20eca11f56c57716870da8d0cd55 Mon Sep 17 00:00:00 2001
From: unman <unman@thirdeyesecurity.org>
Date: Thu, 9 Feb 2017 20:29:54 +0000
Subject: [PATCH] Add note on services in Debian templates and install problems

Closes QubesOS/qubes-issues/2621
---
 managing-os/templates/debian.md | 42 ++++++++++++++++++++++++++++++---
 1 file changed, 39 insertions(+), 3 deletions(-)

diff --git a/managing-os/templates/debian.md b/managing-os/templates/debian.md
index 8fd458d3..8530d7fb 100644
--- a/managing-os/templates/debian.md
+++ b/managing-os/templates/debian.md
@@ -12,9 +12,9 @@ redirect_from:
 Debian template(s)
 ===============
 
-If you like to use Debian Linux distribution in your AppVMs, you can install one of available Debian templates.
+If you would like to use Debian Linux distribution in your qubes, you can install one of the available Debian templates.
 
-Updates for this template are provided by ITL and are signed by this key:
+Updates for these templates are provided by ITL and are signed by this key:
 
     pub   4096R/47FD92FA 2014-07-27
           Key fingerprint = 2D43 E932 54EE EA7C B31B  6A77 5E58 18AB 47FD 92FA
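Review bot: The rewritten sentence on the `+If you would like` line still drops the article: "use Debian Linux distribution in your qubes" should read "use the Debian Linux distribution in your qubes". Since this line is being touched anyway for the AppVM-to-qubes wording change, fix the article in the same edit.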
@@ -28,7 +28,7 @@ which is also integrity-protected using signed git tags.
 Install
 -------
 
-It can be installed via the following command:
+Templates can be installed with the following command:
 
 Debian 7 (wheezy) - old stable:
 
@@ -54,6 +54,42 @@ reboot should "just work."
 Known issues
 ------------
 
+###Starting services
+
+
+The Debian way (generally) is to start daemons if they are installed.
+This means that if you install (say) ssh-server in a template, *all* the qubes that use that template will run a ssh server when they start. (They will, naturally, all have the same server key.) This may not be what you want.
+
+So be very careful when installing software in Templates - if the daemon spawns outbound connections then there is a serious security risk.
+
+In general, a reasonable approach would be, (using ssh as example):
+- Install the ssh service.
+- systemctl stop ssh
+- systemctl disable ssh
+- systemctl mask ssh
+- Close down template
+
+Now the ssh service will **NOT** start in qubes based on this template.
+
+Where you **DO** want the service to run, put this in /rw/config/rc.local:
+
+    systemctl unmask ssh
+    systemctl start ssh
+
+Don't forget to make the file executable.
+
+
+###Unattended Upgrades
+
+Some users have noticed that on upgrading to Stretch, the unattended-upgrade package is installed.
+
+This package is pulled in as part of a Recommend chain, and can be purged.
+
+The lesson is that you should carefully look at what is being installed to your system, particularly if you run dist-upgrade. 
+
+
+###Contributing
+
 If you want to help in improving the template, feel free to [contribute](/wiki/ContributingHowto).
 
 More information
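Review bot: The three new headings (`###Starting services`, `###Unattended Upgrades`, `###Contributing`) have no space after the hashes; CommonMark and GitHub-flavoured Markdown will render them as literal text rather than headings, so write them as `### Starting services` etc. for portability, and drop the doubled blank lines around them. In the bullet list, `systemctl stop ssh`, `systemctl disable ssh` and `systemctl mask ssh` are commands and should be set in backticks (or as an indented code block like the `/rw/config/rc.local` snippet below them) so they are not read as prose. The security rationale deserves one more sentence: the text already observes that every qube will share the same server key, so the "Where you **DO** want the service to run" paragraph should tell the reader to regenerate the host key in that qube rather than reuse the template's, and the `systemctl unmask ssh` / `systemctl start ssh` snippet should note that `/rw/config/rc.local` runs as root and must be executable (the "Don't forget to make the file executable" line could name the file explicitly). Minor: "a ssh server" should be "an ssh server", "Recommend chain" should be "Recommends chain" (the Debian field name), and the `+The lesson is that` line carries trailing whitespace.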