Date: Sun, 21 Nov 1999 18:42:47 -0600 (CST)
From: Frank Tobin
To: FreeBSD-security Mailing List
Subject: RE: Disabling FTP (was Re: Why not sandbox BIND?)

FreeBSD, at 15:45 on Sun, 21 Nov 1999, wrote:

> I disagree, partly anyway, I think it IS important to disable any and all
> potential security risks AND have the documentation tell them how to turn
> them on and what the implications of that would be. Better docs? You bet,
> great idea. Blurb in the MOTD? Sure, sounds great! Security has always been
> one of the best things about FreeBSD, let's not screw it up by enabling
> things that can compromise that. We don't have new users install BIND 8.1.2
> and TELL them to patch to P5, we just compile 8.2.2-P5 on install instead.
> Why would we enable the holes and just tell them to disable them?

The BIND example is not a good one, as there is not a difference in
functionality; the primary point that I think the person you were
replying to was making was that new users need functionality instead of
non-functionality in their new box. They are expecting certain things to be
there when they install a box, such as telnetd, ftpd, and sendmail. These
daemons are not holes, as you state; they are access points.

I feel the best solution overall is to make this an option upon install.
Something in the likes of "enable standard internet services?", with a
blurb _there_ about the implications of choosing/not choosing the option.

-- 
Frank Tobin
http://www.neverending.org/~ftobin/

"To learn what is good and what is to be valued,
 those truths which cannot be shaken or changed." Myst: The Book of Atrus

OpenPGP: 4F86 3BBB A816 6F0A 340F 6003 56FF D10A 260C 4FA3