From owner-freebsd-security Sat Sep 30 14:43:37 2000
Delivered-To: freebsd-security@freebsd.org
Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17])
	by hub.freebsd.org (Postfix) with ESMTP id 699FF37B502
	for ; Sat, 30 Sep 2000 14:43:33 -0700 (PDT)
Received: from roman (helo=localhost)
	by jamus.xpert.com with local-esmtp (Exim 3.12 #5)
	id 13fUPg-0007ks-00; Sat, 30 Sep 2000 23:43:20 +0200
Date: Sat, 30 Sep 2000 23:43:20 +0200 (IST)
From: Roman Shterenzon
To: Cy Schubert - ITSD Open Systems Group
Cc: Adam Laurie , security@FreeBSD.ORG
Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd)
In-Reply-To: <200009301404.e8UE4xU64460@cwsys.cwsent.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 30 Sep 2000, Cy Schubert - ITSD Open Systems Group wrote:

> I propose that just as we have RESTRICTED for ports, we could do
> similar things with insecure applications. As a matter of fact we
> already do, e.g. NO_BIND, NO_LPR, NO_SENDMAIL, NOGAMES and NOUUCP. We
> could have additional NO_insecure_application definitions in make.conf.
>
> Instead, we could comment out in inetd.conf services that the community
> has decided are insecure and have the administrator uncomment the
> services he/she wishes to use.
>
> In short, the only conclusion that I can come to that would keep most
> everyone happy, and even then some will bitch and complain, is that the
> use of options in make.conf and in sysinstall should satisfy both
> camps. Be prepared for those who will argue that they don't want to go
> through a million options before installing FreeBSD. My answer to them
> is that we can't have our cake and eat it too and to have options is
> the closest thing we come to having our cake and eating it too.

Still, I think the default should be an "insecure" install, since most
machines are firewalled. Let the OpenBSD guys stick to paranoia.
If one wants to install an internet host, the "default-secure" install
won't suffice anyway, so why annoy all the other people who don't need the
security?

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]