From owner-freebsd-security  Tue Jan 23 18:30:06 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id SAA09042
          for security-outgoing; Tue, 23 Jan 1996 18:30:06 -0800 (PST)
Received: from fire.stf.org.sg (jseng@fire.stf.org.sg [137.132.19.134])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id SAA08992
          for <security@FreeBSD.ORG>; Tue, 23 Jan 1996 18:30:02 -0800 (PST)
Received: (from jseng@localhost) by fire.stf.org.sg (8.6.12/8.6.9) id KAA18920; Wed, 24 Jan 1996 10:39:42 +0800
Date: Wed, 24 Jan 1996 10:39:41 +0800 (SGT)
From: James Seng <jseng@stf.org.sg>
To: Nathan Lawson <nlawson@statler.csc.calpoly.edu>
cc: Petri Helenius <pete@sms.fi>, security@FreeBSD.ORG
Subject: Re: Ownership of files/tcp_wrappers port
In-Reply-To: <199601232010.MAA11051@statler.csc.calpoly.edu>
Message-ID: <Pine.BSD/.3.91.960124102507.18795C-100000@fire.stf.org.sg>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

On Tue, 23 Jan 1996, Nathan Lawson wrote:
> denies.  That way, all you get originally is increased logging, and you can
> add the RFC931 and PARANOID options to the /etc/hosts.allow files _without_
> recompiling (if you should desire).

Ah great. Lets get Wieste and see if he has that time to hack it in? *8P

Before we get over paranoid over security, lets us remember that the 
primary aim of a base distribution is to provide an dynamic system, of 
course minus the security bugs. So far, all of us agree that tcpd is a 
great tool. The problem is that should it go into the bindist just 
because slackware does so too?

I wish to remind all of us here that there is a few dozen of ways tcpd 
could be installed, each site adopting to their need. You could put in a 
"generic" tcpd into /usr/libexec but if it is not properly installed, it is 
almost as good as useless. In fact, i believe it would drive a false 
sense of security ("Hey, dont worry..i got tcpd install by default!") into 
some people which could be worst.

Now perhaps it is time to sit down and let the core member of FreeBSD to 
think about what they are trying to archive. Are they trying to provide a 
dynamic un*x or are they trying to provide a secure C2 system (ok C2 is too 
much *8)? 

IMHO, so long the base code is clean and no loopholes exist, it should 
be good enough. Lets not blob the bindist further unneccessary...

Just a thought...maybe they could add a new section, say "SECURITY TOOLS"
in sysinstall whereby all security tools like tcpd, tiger, cops, tripwire etc
could be installed...? It would be nice to have all these but i think not 
all people would want it....

-James Seng (jseng@stf.org.sg)