From owner-freebsd-hackers@FreeBSD.ORG Wed May 2 12:33:24 2012
From: Richard Yao <ryao@cs.stonybrook.edu>
Date: Wed, 2 May 2012 08:33:04 -0400
To: Giorgos Keramidas
Cc: Jerry McAllister, freebsd-hackers@freebsd.org, Mehmet Erol Sanliturk, Andy, Wojciech Puchar, Young
Subject: Re: Ways to promote FreeBSD?
Message-ID: <4FA12980.6080101@cs.stonybrook.edu>
References: <20120427203117.GA2055@gizmo.acns.msu.edu>
On 05/02/12 04:55, Giorgos Keramidas wrote:
> On Fri, Apr 27, 2012 at 11:18 PM, Mehmet Erol Sanliturk wrote:
>> Another point is that server installers are highly educated with
>> respect to desktop installers and their numbers are small with
>> respect to desktop users.
>>
>> For them, it is very easy to "harden" FreeBSD after installation if
>> ever it is needed, because during installation, it is a simple
>> question to ask:
>>
>> Will this be used as a Server?
>
> Judging from the amount of effort it takes to "harden" a system
> that already starts a thousand services (typical "desktop Linux"
> scenario these days), and the number of times I've seen this
> sort of customization cause even more headaches, I'd say this
> is a slightly exaggerated statement.

You might be thinking of SELinux, which is not the only option for
hardening. The Gentoo Hardened project offers multiple options for
hardening, of which SELinux is only one:

http://www.gentoo.org/proj/en/hardened/
http://www.gentoo.org/proj/en/hardened/primer.xml

The PaX/GrSecurity patchset for Linux provides strong ASLR to both the
kernel and userland. To my knowledge, the only BSD that supports ASLR
is OpenBSD.

> You are right that a "plain user" does not care about why their
> CD-ROM is not accessible after installation, but there are two
> different ways to approach this:
>
> - Install and enable everything by default, hoping that nothing
>   bad happens when an unused service is exploitable.
> - Install a minimal system and build from there.
>
> Most Linux distributions pick the first option. _Some_ Linux
> distributions pick the second option (e.g. Gentoo).

You might be thinking of Gentoo Linux, rather than Gentoo. The term
Gentoo also covers Gentoo/FreeBSD and Gentoo Prefix. Gentoo/FreeBSD
replaces the Linux kernel and GNU userland with FreeBSD, while Gentoo
Prefix provides a userland package manager to UNIX-compatible systems:

http://www.gentoo.org/proj/en/gentoo-alt/bsd/fbsd/index.xml
http://www.gentoo.org/proj/en/gentoo-alt/prefix/

Neither Gentoo/FreeBSD nor Gentoo Prefix is a Linux distribution, so it
would be better to refer to Gentoo Linux when talking about the Gentoo
Linux distribution.

Also, Gentoo's minimalist design is not a form of hardening provided by
the Gentoo Hardened project. Most Gentoo Hardened users would not
consider it to be hardening.