From owner-freebsd-security  Sat Apr 18 09:15:34 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id JAA05723
          for freebsd-security-outgoing; Sat, 18 Apr 1998 09:15:34 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from uriela.in-berlin.de (uriela.in-berlin.de [192.109.42.147])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA05687
          for <freebsd-security@FreeBSD.ORG>; Sat, 18 Apr 1998 16:15:25 GMT
          (envelope-from nortobor.nostromo.in-berlin.de!ripley@never.mind.de)
Received: by uriela.in-berlin.de (/\oo/\ Smail3.1.29.1 #29.8)
	from never.never.mind.de (193.101.72.4)  with smtp
	id m0yQaGs-000LuAC; Sat, 18 Apr 98 18:15 MET DST
Received: by never.never.mind.de (linux Smail3.1.28.1 #1)
	id m0yQaGq-000ExyC; Sat, 18 Apr 98 18:15 MET DST
Received: (from ripley@localhost)
	by nortobor.nostromo.in-berlin.de (8.8.7/8.8.7) id WAA06535;
	Fri, 17 Apr 1998 22:40:15 +0200 (CEST)
	(envelope-from ripley)
Message-ID: <19980417224014.65058@nostromo.in-berlin.de>
Date: Fri, 17 Apr 1998 22:40:14 +0200
From: "H. Eckert" <ripley@nostromo.in-berlin.de>
To: freebsd-security@FreeBSD.ORG
Subject: Re: kernel permissions
References: <E0yPx1m-0005qz-00@set.spradley.tmi.net> <199804162302.BAA15315@ocean.campus.luth.se>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.84e
In-Reply-To: <199804162302.BAA15315@ocean.campus.luth.se>; from Mikael Karpberg on Fri, Apr 17, 1998 at 01:02:22AM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Fri, Apr 17, 1998 at 01:02:22AM +0200, Mikael Karpberg wrote:
> It's easy to forget to frob all the 1000 small knobs that "you can frob
> on YOUR machine if you want it secure". It's however quite easy to remember
> to chmod it when you or one of your users gets annoyed at not being able to
> read it. It annoys you the first time, but you su, chmod, and exit. Nothing
> more to it. You simply will not forget to, because it will not let you.

I agree that the "1000 small knobs" of customization is something
to be avoided.  So let's think on how we can centralize this kind
of stuff in a friendly way so a concerned admin can easily browse
through a security setup to have lots of knobs activated by doing
something like "network=secure" in the config file.  Think of the
/etc/rc.conf that handles a lot of things.
If we can have a friendly frontend program as has already been
suggested that's even better.

Greetings,
				Ripley
-- 
http://www.in-berlin.de/User/nostromo/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message