Date: Wed, 15 Aug 2001 13:44:48 -0400 (EDT)
From: Robert Watson
To: Steven Ames
Cc: Igor Roshchin, security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
In-Reply-To: <006601c125b0$625d7b90$28d90c42@eservoffice.com>

On Wed, 15 Aug 2001, Steven Ames wrote:

> > I am not completely sure if this is a good idea or not, but I'd throw it in.
> > How about having two menu options here, after offering to edit inetd.conf:
> > for `experts' (manual editing) and for `beginners' (menu-driven
> > configuration).
>
> 'sysinstall' already has a 'Security' menu under post configuration.
> Couldn't we just install from a fixed set of 2-3 different inetd.conf
> files?
>
> i.e. if the user selects 'moderate [default]' install
> src/etc/inetd.conf.moderate into /etc. If they select 'extreme' install
> the inetd.conf that has everything turned off.
>
> This is a short-term hackish solution but I believe it would suffice
> until we get a GUI up where we can select 'yes'/'no' for every line in
> the inetd.conf and have the ability to add in new lines. Good project
> for someone... the 'inetd editor'.

One of the problems with this solution is that sites frequently modify their inetd.conf to add services, such as pop or imap, and that if they ran sysinstall to select a template, they would risk squashing their current install.

I agree with your thoughts on a menu-driven editor, but doing that properly relies on having a machine-parsable file format that supports in-band disabling of services. My feeling was that our current file format didn't lend itself to that, and as such I went with the current "spit the user a text editor" over implementing one before 4.4-RELEASE.

If someone would like to write an editor that understands the syntax and semantics of inetd.conf, they should feel free. However, it needs to handle the cases where users have custom comments (etc) properly, and be able to handle the full scope of valid inetd.conf files, not just the set of files it could possibly generate.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services
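
An added example, not part of the original message and not FreeBSD code: a sketch of the round-trip requirement described above, where a service is enabled or disabled by touching only the leading '#' of its entry and every custom comment and unrecognised line passes through unchanged. The function names, the sample file and the rule for telling a disabled entry from a prose comment are assumptions made for illustration.

```python
# Assumption: an entry carries the six leading fields inetd(8) documents, and
# a disabled entry is that same line with '#' directly before the service name.
SOCK_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}

def parse_entry(line):
    """Return (enabled, fields) for a service entry, None for anything else."""
    enabled = not line.startswith("#")
    fields = (line if enabled else line[1:]).split()
    if line[:1].isspace() or (not enabled and line[1:2].isspace()):
        return None  # indented text or "# prose": never rewritten
    if len(fields) < 6 or fields[0].startswith("#"):
        return None
    if fields[1] not in SOCK_TYPES or not fields[3].startswith(("wait", "nowait")):
        return None
    return enabled, fields

def services(text):
    """Map (service, protocol) -> enabled for every entry found."""
    found = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            found[(entry[1][0], entry[1][2])] = entry[0]
    return found

def set_service(text, service, enable):
    """Enable or disable `service`, changing only the leading '#'."""
    out = []
    for line in text.splitlines(keepends=True):
        entry = parse_entry(line.rstrip("\r\n"))
        if entry and entry[1][0] == service and entry[0] != enable:
            line = line[1:] if enable else "#" + line
        out.append(line)
    return "".join(out)

# Constructed sample input, not the shipped FreeBSD inetd.conf.
SAMPLE = (
    "# Constructed sample inetd.conf\n"
    "#\n"
    "# Local note: pop3 added for the mail migration, do not remove.\n"
    "#ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l\n"
    "telnet\tstream\ttcp\tnowait\troot\t/usr/libexec/telnetd\ttelnetd\n"
    "pop3\tstream\ttcp\tnowait\troot\t/usr/local/libexec/popper\tpopper\n"
    "#daytime\tdgram\tudp\twait\troot\tinternal\n"
)
```

Because the disabled state lives in comment syntax, `parse_entry` has to guess which '#' lines are entries, which is the ambiguity the message attributes to the current file format.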