From owner-cvs-all Mon Oct 9 4:19:35 2000
Delivered-To: cvs-all@freebsd.org
Received: from hand.dotat.at (hand.dotat.at [212.240.134.135]) by hub.freebsd.org (Postfix) with ESMTP id A722A37B502; Mon, 9 Oct 2000 04:19:28 -0700 (PDT)
Received: from fanf by hand.dotat.at with local (Exim 3.15 #3) id 13iaxK-000G7v-00; Mon, 09 Oct 2000 11:18:54 +0000
Date: Mon, 9 Oct 2000 11:18:54 +0000
From: Tony Finch
To: John Baldwin
Cc: Doug Barton, cvs-all@FreeBSD.org, cvs-committers@FreeBSD.org, Jeroen Ruigrok van der Werven, Warner Losh, Matt Dillon, Jordan Hubbard
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20001009111854.D35547@hand.dotat.at>
References: <39E15630.7B4A8FE6@gorean.org> <200010090605.XAA03201@john.baldwin.cx>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <200010090605.XAA03201@john.baldwin.cx>
Organization: Covalent Technologies, Inc
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

John Baldwin wrote:
>On 09-Oct-00 Doug Barton wrote:
>>
>> However, isn't all of this moot in light of the planned (existing?)
>> options to sysinstall to specify exactly what to enable? My personal
>> feeling is that _everything_ should be off by default (in
>> /etc/defaults/rc.conf) and the user should pick specifically what to
>> enable.
>
>Err, inetd _is_ off by default in /etc/defaults/rc.conf. UTSL. The
>discussion here is how to handle /etc/inetd.conf.

I haven't used sysinstall for a while so I hadn't until now looked at
the new stuff for setting the network services that run by default. I
think there should be an option for sshd *only*, possibly with
`sendmail -q30m` (i.e. mail service without an smtp listener) -- i.e.
what I would consider a normal initial setup. I gather from various
threads on this topic that other people like this colour of bike shed
too.

Gosh, a patch...

Tony.
--
en oeccget g mtcaa f.a.n.finch v spdlkishrhtewe y dot@dotat.at eatp o v eiti i d. fanf@covalent.net

Index: config.c =================================================================== RCS file: /home/ncvs/src/release/sysinstall/config.c,v retrieving revision 1.156.2.6 diff -u -r1.156.2.6 config.c --- config.c 2000/09/24 06:55:55 1.156.2.6 +++ config.c 2000/10/09 11:17:30
@@ -507,6 +507,32 @@ } int +configSecurityNormal(dialogMenuItem *self) +{ + WINDOW *w = savescr(); + + variable_set2("inetd_enable", "NO", 1); + variable_set2("sendmail_enable", "YES", 1); + variable_set2("sendmail_flags", "-q30m", 1); + variable_set2("sshd_enable", "YES", 1); + variable_set2("portmap_enable", "NO", 1); + variable_set2("nfs_server_enable", "NO", 1); + + if (self) + msgConfirm("Safe security settings have been selected.\n\n" + "This means that most \"popular\" network services and\n" + "mechanisms like inetd(8) have been DISABLED by default.\n\n" + "PLEASE NOTE that this still does not save you from having\n" + "to properly secure your system in other ways or exercise\n" + "due diligence in your administration, this simply picks\n" + "a more secure set of out-of-box defaults to start with.\n\n" + "To change any of these settings later, edit /etc/rc.conf"); + + restorescr(w); + return DITEM_SUCCESS; +} + +int configSecurityModerate(dialogMenuItem *self) { WINDOW *w = savescr(); Index: menus.c =================================================================== RCS file: /home/ncvs/src/release/sysinstall/menus.c,v retrieving revision 1.252.2.20 diff -u -r1.252.2.20 menus.c --- menus.c 2000/10/03 10:22:52 1.252.2.20 +++ menus.c 2000/10/09 11:08:50 
@@ -1607,6 +1607,7 @@ { { "X Exit", "Exit this menu (returning to previous)", NULL, configSecurityModerate }, { "Low", "Fairly wide-open (little) security.", NULL, configSecurityLiberal }, { "Medium", "Moderate security settings [DEFAULT].", NULL, configSecurityModerate }, + { "Safe", "Minimal network services.", NULL, configSecurityNormal }, { "High", "Very restrictive security settings.", NULL, configSecurityFascist }, { NULL } }, }; Index: sysinstall.h =================================================================== RCS file: /home/ncvs/src/release/sysinstall/sysinstall.h,v retrieving revision 1.186.2.10 diff -u -r1.186.2.10 sysinstall.h --- sysinstall.h 2000/09/25 20:23:06 1.186.2.10 +++ sysinstall.h 2000/10/09 11:09:19 @@ -446,6 +446,7 @@ extern int configWriteRC_conf(dialogMenuItem *self); extern int configSecurityProfile(dialogMenuItem *self); extern int configSecurityFascist(dialogMenuItem *self); +extern int configSecurityNormal(dialogMenuItem *self); extern int configSecurityModerate(dialogMenuItem *self); extern int configSecurityLiberal(dialogMenuItem *self); To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
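Review bot: the msgConfirm text in configSecurityNormal (config.c hunk) misdescribes what the profile leaves running. It says most "popular" network services "have been DISABLED by default", but the variables set just above it turn sshd on (`variable_set2("sshd_enable", "YES", 1);`) and start sendmail with `-q30m`, i.e. as a queue runner without an SMTP listener, which is exactly the setup the covering mail describes. The dialog should state that, e.g. "sshd remains enabled and sendmail runs in queue-only mode (no SMTP listener)", so the administrator knows which daemon is reachable from the network after the install. The naming is also inconsistent within the patch: the function is configSecurityNormal, the dialog says "Safe security settings", and the menu entry is labelled "Safe"; pick one term and use it in all three places.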
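Review bot: in the menus.c hunk the new entry sits between "Medium" and "High", a list that reads as increasing strictness, yet the label "Safe" does not say where it falls relative to its neighbours, and the description "Minimal network services." does not say which services stay on. A label naming the content, such as "sshd only", and a description that says sshd stays enabled and sendmail runs queue-only would match the variables configSecurityNormal actually sets and let the user choose without reading the source.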
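The profile proposed in the mail comes down to a handful of rc.conf knobs: inetd, portmap and NFS off, sshd on, and sendmail started with `-q30m` so it delivers queued mail without listening on port 25. The following POSIX sh audit, added here as an example and not part of the mail or of sysinstall, reads an rc.conf-style file, reports which of those daemons would listen, and treats sendmail as a listener only when its flags include `-bd`. It assumes rc.conf's `name="value"` syntax and the variable names the patch sets; the sample file it writes is constructed for the demonstration, and the second run shows the case the audit is meant to catch, an administrator later adding `-bd`.

```shell
#!/bin/sh
# Added example (not from the original mail or from sysinstall): audit an
# rc.conf-style file for the network listeners the "sshd only" profile
# leaves enabled. Assumes rc.conf lines of the form name="value".

# rc_get FILE VAR: print the last value assigned to VAR in FILE (rc.conf is
# evaluated top to bottom, so a later assignment overrides an earlier one),
# or nothing if VAR is never set. Quotes around the value are optional.
rc_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# sendmail_listens FILE: succeed (0) only if sendmail is enabled AND its
# flags include -bd, which is what opens the SMTP listener. "-q30m" alone
# runs the queue periodically without listening, as the profile intends.
sendmail_listens() {
    [ "$(rc_get "$1" sendmail_enable)" = "YES" ] || return 1
    case "$(rc_get "$1" sendmail_flags)" in
        *-bd*) return 0 ;;
    esac
    return 1
}

# enabled_listeners FILE: print, one per line, each daemon the profile
# touches whose *_enable knob is YES, plus "sendmail" when it would listen.
enabled_listeners() {
    for svc in inetd sshd portmap nfs_server; do
        [ "$(rc_get "$1" "${svc}_enable")" = "YES" ] && echo "$svc"
    done
    sendmail_listens "$1" && echo sendmail
    return 0
}

# write_sample FILE FLAGS: constructed rc.conf fragment mirroring the
# variables configSecurityNormal sets, with sendmail_flags taken from FLAGS.
write_sample() {
    cat > "$1" <<EOF
inetd_enable="NO"
sendmail_enable="YES"
sendmail_flags="$2"
sshd_enable="YES"
portmap_enable="NO"
nfs_server_enable="NO"
EOF
}

# Stand-alone demonstration: the profile as shipped, then the same file
# after -bd has been added to sendmail_flags.
demo=$(mktemp)
write_sample "$demo" "-q30m"
echo "profile as shipped listens on: $(enabled_listeners "$demo" | tr '\n' ' ')"
write_sample "$demo" "-bd -q30m"
echo "after adding -bd listens on:   $(enabled_listeners "$demo" | tr '\n' ' ')"
rm -f "$demo"
```

Run it against a real /etc/rc.conf with `enabled_listeners /etc/rc.conf` after sourcing the functions; note that it only reads the file it is given, so defaults inherited from /etc/defaults/rc.conf are not seen unless that file is checked as well.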