Date: Thu, 30 May 2002 17:45:10 +0200
From: "Daniel Blankensteiner" <db@traceroute.dk>
To: <freebsd-arch@freebsd.org>
Subject: FreeBSD daemon configurations redesign
Message-ID: <030001c207f0$fb79e390$6800a8c0@rafter>

Hi all

I was just wondering, if we could start all over again, would we design FreeBSD exactly the same way? I mean by making the system more logically organized/structured and thereby more well-arranged, this should lead to a more easy to configure and thereby more secure system, without reducing the power and opportunities of the system.

I am talking about giving daemons special treatment. I know you are working on pulling the port and base system apart, but please hear me out.

Let's take an example: All services/daemons config files are in:

    /etc/daemons/

and here you have:

    /ftp
    /ftp/users      //Users who may not login
    /ftp/chroot     //Users who are chroot'ed
    /ftp/hosts
    /ftp/commands   //commands which we don't want the user to have access to (maybe like "syst")
    /ftp/answer     //Decide the text to the answers the server gives the client
    /ftp/conf       //The config file

Let us look at 2 of the files:

/etc/daemons/ftp/conf

    #The FTP config file
    Allow_anonymous_access="n"
    Log_anonymous_transfers="n"
    Ftp_log_file="/var/log/ftpd"
    Log_connection_fail="y"
    Log_connections_success="y"
    Log_command_get="n"
    Log_command_put="y" //This way you can log the commands you want
    and so on........
    #end

/etc/daemons/ftp/answer

    #The FreeBSD ftp answer file
    Gretting_message="Welcome the FreeBSD's FTP server" //no need for /etc/ftpwelcome
    When_logged_in="You are now logged in your home dir" //no need for /etc/ftpmotd
    Answer_command_syst="Windows NT ;-P" //replies with that text, when the client sends that command
    Answer_command_error="Say what?"
    #end

Almost the same with e.g. pop3

    /pop3
    /pop3/answer
    /pop3/users
    /pop3/commands
    /pop3/conf

and so on.

Or maybe also a user access file, to control all the login services:

    /etc/daemons/login.conf

This file is "like" /etc/login.conf, meaning you can set permissions for a group, user or default, telling the system where the user may login.

The file should look like this:

    #Please "x" those services where the users may login
    default:
    POP3=""
    Imap="X"
    ssh_password="X"
    ssh_key="x"
    ssh_sftp="x"
    telnet=""
    ftp=""

Next come permissions for special users or groups, centralized control, making the system more easy to configure and more secure.

Maybe also a /etc/daemons/statup

Here you can "X" all the services you want to start at boot time. I know you do this in /etc/rc.* and /usr/local/etc/rc.d/*.sh. But regarding daemons this should, for security reasons, only be done from /etc/daemons/statup

A main daemons log file?

    /etc/daemons/log

But it is probably better to use /etc/daemons/"TheService"/conf

We should learn from other systems like Solaris, Linux and especially the Hurd. Even though I think FreeBSD is the best system in the world, there should always be room for new thinking. E.g. should all daemons run as a special user (which only controls that service) in jail, I know that the way FreeBSD is now, this is not possible, but then we have to make it possible.

Anyway, this is just what I think could make FreeBSD a better system, so this is not a well thought out plan ready to be implemented *G* :-)

I have a lot of ideas how logging, daemons and configuration can become more centralized and thereby more easy to run, but I am just a user so I have no power regarding FreeBSD's development and design.. but maybe you also think this is the way to go?

br
db
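
The central login access file proposed in the message above, as an added example that is not part of the original e-mail or of FreeBSD: a Python parser that evaluates the file fail-closed, so an unlisted service or a malformed line never grants access. The `group:NAME:` and `user:NAME:` section headers, the precedence order and the function names are assumptions; the message only shows the `default:` block.

```python
# Added example. Only the "default:" block is from the message; other headers are assumed.
import re

SAMPLE = '''\
#Please "x" those services where the users may login
default:
POP3=""
Imap="X"
ssh_password="X"
ssh_key="x"
ssh_sftp="x"
telnet=""
ftp=""
group:staff:
ftp="x"
user:guest:
ssh_password=""
ssh_key=""
ssh_sftp=""
'''  # constructed sample; group/user sections use a hypothetical syntax

HEADER = re.compile(r'^(default|(?:user|group):[A-Za-z0-9_.-]+):$')
ENTRY = re.compile(r'^([A-Za-z0-9_]+)="([xX]?)"$')

def parse(text):
    """Return {section: {service: bool}}; reject anything not understood."""
    rules, section = {}, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if m := HEADER.match(line):
            section = rules.setdefault(m.group(1), {})
        elif (m := ENTRY.match(line)) and section is not None:
            section[m.group(1).lower()] = bool(m.group(2))
        else:
            raise ValueError(f'line {n}: unrecognised entry {raw!r}')
    return rules

def may_login(rules, service, user, groups=()):
    """Most specific match wins: user, then groups, then default; else deny."""
    service = service.lower()
    if service in (sec := rules.get(f'user:{user}', {})):
        return sec[service]
    hits = [rules[f'group:{g}'][service] for g in groups
            if service in rules.get(f'group:{g}', {})]
    if hits:
        return all(hits)  # conflicting groups: any deny wins
    return rules.get('default', {}).get(service, False)
```

Rejecting a value such as `ftp="yes"` instead of ignoring it keeps a typo in the file from silently changing who can log in.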