Date: Mon, 9 Oct 2000 11:18:54 +0000 From: Tony Finch <dot@dotat.at> To: John Baldwin <jhb@FreeBSD.org> Cc: Doug Barton <DougB@gorean.org>, cvs-all@FreeBSD.org, cvs-committers@FreeBSD.org, Jeroen Ruigrok van der Werven <jruigrok@via-net-works.nl>, Warner Losh <imp@village.org>, Matt Dillon <dillon@earth.backplane.com>, Jordan Hubbard <jkh@winston.osd.bsdi.com> Subject: Re: cvs commit: src/etc inetd.conf Message-ID: <20001009111854.D35547@hand.dotat.at> In-Reply-To: <200010090605.XAA03201@john.baldwin.cx> References: <39E15630.7B4A8FE6@gorean.org> <200010090605.XAA03201@john.baldwin.cx>
next in thread | previous in thread | raw e-mail | index | archive | help
John Baldwin <jhb@FreeBSD.org> wrote:
>On 09-Oct-00 Doug Barton wrote:
>>
>> However, isn't all of this moot in light of the planned (existing?)
>> options to sysinstall to specify exactly what to enable? My personal
>> feeling is that _everything_ should be off by default (in
>> /etc/defaults/rc.conf) and the user should pick specifically what to
>> enable.
>
>Err, inetd _is_ off by default in /etc/defaults/rc.conf. UTSL. The
>discussion here is how to handle /etc/inetd.conf.
I haven't used sysinstall for a while so I hadn't until now looked at
the new stuff for setting the network services that run by default.
I think there should be an option for sshd *only*, possibly with
`sendmail -q30m` (i.e. mail service without an smtp listener) -- i.e.
what I would consider a normal initial setup. I gather from various
threads on this topic that other people like this colour of bike shed
too.
Gosh, a patch...
Tony.
--
en oeccget g mtcaa f.a.n.finch
v spdlkishrhtewe y dot@dotat.at
eatp o v eiti i d. fanf@covalent.net
Index: config.c
===================================================================
RCS file: /home/ncvs/src/release/sysinstall/config.c,v
retrieving revision 1.156.2.6
diff -u -r1.156.2.6 config.c
--- config.c 2000/09/24 06:55:55 1.156.2.6
+++ config.c 2000/10/09 11:17:30
@@ -507,6 +507,32 @@
}
int
+configSecurityNormal(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "NO", 1);
+ variable_set2("sendmail_enable", "YES", 1);
+ variable_set2("sendmail_flags", "-q30m", 1);
+ variable_set2("sshd_enable", "YES", 1);
+ variable_set2("portmap_enable", "NO", 1);
+ variable_set2("nfs_server_enable", "NO", 1);
+
+ if (self)
+ msgConfirm("Safe security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been DISABLED by default.\n\n"
+ "PLEASE NOTE that this still does not save you from having\n"
+ "to properly secure your system in other ways or exercise\n"
+ "due diligence in your administration, this simply picks\n"
+ "a more secure set of out-of-box defaults to start with.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+int
configSecurityModerate(dialogMenuItem *self)
{
WINDOW *w = savescr();
Index: menus.c
===================================================================
RCS file: /home/ncvs/src/release/sysinstall/menus.c,v
retrieving revision 1.252.2.20
diff -u -r1.252.2.20 menus.c
--- menus.c 2000/10/03 10:22:52 1.252.2.20
+++ menus.c 2000/10/09 11:08:50
@@ -1607,6 +1607,7 @@
{ { "X Exit", "Exit this menu (returning to previous)", NULL, configSecurityModerate },
{ "Low", "Fairly wide-open (little) security.", NULL, configSecurityLiberal },
{ "Medium", "Moderate security settings [DEFAULT].", NULL, configSecurityModerate },
+ { "Safe", "Minimal network services.", NULL, configSecurityNormal },
{ "High", "Very restrictive security settings.", NULL, configSecurityFascist },
{ NULL } },
};
Index: sysinstall.h
===================================================================
RCS file: /home/ncvs/src/release/sysinstall/sysinstall.h,v
retrieving revision 1.186.2.10
diff -u -r1.186.2.10 sysinstall.h
--- sysinstall.h 2000/09/25 20:23:06 1.186.2.10
+++ sysinstall.h 2000/10/09 11:09:19
@@ -446,6 +446,7 @@
extern int configWriteRC_conf(dialogMenuItem *self);
extern int configSecurityProfile(dialogMenuItem *self);
extern int configSecurityFascist(dialogMenuItem *self);
+extern int configSecurityNormal(dialogMenuItem *self);
extern int configSecurityModerate(dialogMenuItem *self);
extern int configSecurityLiberal(dialogMenuItem *self);
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001009111854.D35547>