Date: Thu, 05 Feb 1998 11:02:24 -0800
From: Jamie Lawrence
To: Doug White
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: minimalist /etc/services and /etc/inetd.conf Re: Security
Message-Id: <3.0.3.32.19980205110224.009f3820@colonel.42inc.com>
References: <3.0.3.32.19980204134734.009944f0@colonel.42inc.com>

I didn't mean to spark a huge debate on this - I won't publicly post on the topic after this. Feel free to harangue me privately, should you feel really strongly about my habit of editing /etc/services.

At 09:58 PM 2/4/98 -0800, you wrote:
>> "Don't play with /etc/services" seems like pretty general advice
>> not applicable in all (or perhaps even most) situations.
>
> OK, then why edit services? It's a text database, nothing more.

For the same reason I remove large chunks of /bin/*, /sbin/*, the man pages for what is gone, /etc/sendmail.cf, the kernel sources after a recompile, etc. etc. etc. What isn't there can't be used against the system.

True, there might not be any direct gains in security from removing man pages and editing services, and I admit this particular case is perhaps just an aesthetic issue. If a system is only firewalling or only serving web pages, I want it to be only capable of that function (modulo any administratively necessary functions, of course), and want everything not associated with that function gone. "All that is not permitted is forbidden", while admittedly bad social policy, is great security. (I'm less harsh to machines that more people access.)

-j
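As an added example (not part of the thread), a small POSIX shell audit that parses the inetd.conf and /etc/services formats being trimmed above and reports which inetd entries are still enabled and which port each one resolves to; the function names and sample files are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report which inetd entries are still
# enabled and which port each one resolves to, by parsing the inetd.conf and
# /etc/services formats. Names (audit_inetd, demo) and sample files are
# constructed for this illustration.

# audit_inetd INETD_CONF SERVICES
# Prints one line per enabled entry: "<service> <port> <proto> <server>".
# An entry whose name/proto pair is missing from SERVICES is marked
# UNRESOLVED: inetd cannot look up its port, so it never listens, which is
# the effect trimming /etc/services has.
audit_inetd() {
  awk '
    FNR == NR {                          # first file: /etc/services
      sub(/#.*/, "")                     # strip trailing comments
      if (NF < 2) next
      split($2, pp, "/")                 # "21/tcp" -> pp[1]=21, pp[2]=tcp
      port[$1 "/" pp[2]] = pp[1]
      next
    }
    /^[[:space:]]*#/ || NF < 6 { next }  # inetd.conf: skip comments/blanks
    {
      key = $1 "/" $3
      p = (key in port) ? port[key] : "UNRESOLVED"
      print $1, p, $3, $6
    }
  ' "$2" "$1"
}

# demo: constructed sample files mimicking a trimmed box. telnet and shell
# are commented out in inetd.conf; finger has been deleted from services.
demo() {
  inetd=$(mktemp); services=$(mktemp)
  cat > "$inetd" <<'EOF'
# service socktype proto wait user server args
ftp     stream  tcp  nowait root   /usr/libexec/ftpd    ftpd -l
#telnet stream  tcp  nowait root   /usr/libexec/telnetd telnetd
finger  stream  tcp  nowait nobody /usr/libexec/fingerd fingerd -s
#shell  stream  tcp  nowait root   /usr/libexec/rshd    rshd
EOF
  cat > "$services" <<'EOF'
ftp      21/tcp    # File Transfer
telnet   23/tcp
EOF
  audit_inetd "$inetd" "$services"
  rm -f "$inetd" "$services"
}

demo   # prints the two entries still enabled, one of them UNRESOLVED
```

Pointing audit_inetd at the real /etc/inetd.conf and /etc/services shows exactly what a trimmed box can still answer on.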