I first looked into this 4 years ago and finally figured it out 2 years ago ;-)
https://forum.openwrt.org/viewtopic.php?pid=189700#p189700

There is no built-in way to keep those services installed but disabled.
But there is a go-around that is used e.g. by luci-app-miniupnpd for miniupnpd:
https://github.com/openwrt/luci/blob/master/applications/luci-app-upnp/root/etc/uci-defaults/luci-upnp

Create an uci-defaults script in /etc/uci-defaults and disable the unwanted
services there.
Include that script as a custom file in the firmware flash, in
<buildroot>/files/etc/uci-defaults

uci-defaults scripts are run early in the first boot after flash, so the
script will disable the services early.
Normally uci-defaults scripts are deleted after a succesful run, but by
setting a non-zero return value you can preserve the scripts even for further
boots to maintain the disabling behaviour even if the user enables the
service and reboots.

uci-defaults scripts are difficult to see in a live system as the directory
/etc/uci-defaults is empty, but you can find the scripts in
/rom/etc/uci-defaults:
***@OpenWrt:~# ls /etc/uci-defaults/
***@OpenWrt:~# ls /rom/etc/uci-defaults/
00_uhttpd_ubus 10-fstab luci-ddns
01_leds 10_migrate-shadow luci-sqm
...

Docs at: http://wiki.openwrt.org/doc/uci#defaults

maybe: disabled services are stored during sysupgrade in
e.g. /lib/upgrade/keep.d/services_disabled

and this file will be read line by line during firstboot/uci-defaults
(and services diabled again) and the file is then deleted.

bye, bastian

I have solved this (or something similar) in my builds with an additional
AUTOENABLE flags in init scripts.

IMHO except for critical services (like network...) other packages should
not be automatically enabled when installed since they probably need to be
configured first anyway.
For instance, installing something like openswan (or including it in
firmware image because ipsec modules are quite large) should not load entire
ipsec stack by default because it might not be configured or used anyway.

The modified init script looks like:

--- a/packages/net/openswan/files/ipsec.init
+++ b/packages/net/openswan/files/ipsec.init
@@ -31,6 +31,7 @@
# KLIPS is the kernel half of it, Pluto is the user-level management
daemon.

START=60
+AUTOENABLE=no
EXTRA_COMMANDS=status
EXTRA_HELP=" status Show the status of the service"

Now, since my list of packages is fairly static, I have only explicitly
disabled AUTOENABLE for services I don't want starting by default (like
ipsec) - AUTOENABLE defaults to 'yes' if not present in the init script.
In contrast, using something like this in OpenWRT, there might be a list of
services that should always be enabled by default with the rest needing to
be manually enabled by the administrator (thus defaulting AUTOENABLE to
'no'). You could build customized images with dropbear and firewall services
having AUTOENABLE=no.

This idea solves:
- no unneeded services started after fresh firmware install (before being
configured)
- backups (every service that has been configured is also explicitly
enabled with symlink in /overlay)
- sysupgrade (if /overlay/etc/rc.d is preserved)

My current patches are against AA, if this idea seems acceptable I can
prepare something for CC or trunk...

Regards,
Saso Slavicic