From owner-freebsd-stable Tue Jul 31 22:21:24 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from drkshdw.org (user4.net011.fl.sprint-hsd.net [207.30.203.4]) by hub.freebsd.org (Postfix) with SMTP id D6DED37B405 for ; Tue, 31 Jul 2001 22:21:20 -0700 (PDT) (envelope-from scorpio@drkshdw.org)
Received: (qmail 9261 invoked by uid 85); 1 Aug 2001 05:21:12 -0000
Received: from scorpio@drkshdw.org by drkshdw.org with qmail-scanner-0.96 (uvscan: v4.1.40/v4149. Clean. Processed in 0.26185 secs); 01 Aug 2001 05:21:12 -0000
Received: from localhost.isni.net (HELO localhost) (scorpio@127.0.0.1) by localhost.isni.net with SMTP; 1 Aug 2001 05:21:12 -0000
Date: Wed, 1 Aug 2001 01:21:12 -0400 (EDT)
From: Jeff Palmer
To: Robert Watson
Subject: Re: Patch to modify default inetd.conf, have sysinstall prompt to edit inetd.conf
Message-ID: <20010801010958.X9176-100000@jeff.isni.net>
Sender: owner-freebsd-stable@FreeBSD.ORG

Pardon my newbieness.. Doesn't the 4.x branch have a dialog box at install time asking you what security model you'd prefer? If you select high security, 'inetd' itself is even disabled. (Your own post showed the dialog.)

In my opinion, security is up to each individual administrator. They should enable and disable all services based on their own needs. I rarely see a machine with a competent admin running a nearly 100% default install. Also, FreeBSD has been awesome at fixing security holes within minutes or hours (and in extreme cases, a day or two). So the likelihood of any daemon being exploitable within the first 15 minutes of a fresh install is pretty much zero.
Therefore, it doesn't matter what services are enabled/disabled in inetd.conf, as most administrators edit that file within a few minutes of a default install anyway. In the current model, you edit it to close some ports; in the model you suggest, you edit it to open some ports. Either way, it takes an entire 20 seconds (ok, 1 minute for the 'vi newbie') to edit the file and HUP inetd.

I'd prefer to see people spending their time auditing the code, so we can be even more proactive about exploits and vulnerabilities than we currently are, rather than wasting time talking about services enabled in inetd.

Just my two cents. Feel free to CC: me unless it's a flame. If it's a flame.. please add [FLAME] to the subject for the procmail filters.

Jeff Palmer
scorpio@drkshdw.org
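The "edit the file and HUP inetd" step above, as an added example that is not part of Jeff's message or of FreeBSD's own install scripts: a small POSIX sh script that lists which services an inetd.conf still has enabled, comments out a named service (the same `#` convention the FreeBSD file uses), and reloads inetd. The inetd.conf it operates on is a constructed sample written to a temp file so the script runs offline; the service names and paths in it are illustrative, not the real default file.

```shell
#!/bin/sh
# Added example, not from the original message. Audits an inetd.conf for
# enabled services, disables one by commenting its line out, and signals
# inetd to re-read the file. The config below is a constructed sample.

SAMPLE_CONF=$(mktemp /tmp/inetd.conf.XXXXXX)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample inetd.conf (not the real FreeBSD default)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
EOF

# Print the service name (first field) of every line that is neither
# blank nor a comment, i.e. every service inetd would actually listen for.
enabled_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# Comment out every enabled line in file $1 whose service name is $2.
# Only whole-word matches are touched ("ftp" does not hit "tftp").
# The -i.bak form works with both GNU and BSD sed and keeps a backup.
disable_service() {
    sed -i.bak "s/^\([[:space:]]*$2[[:space:]]\)/#\1/" "$1"
}

# Ask the running inetd to reload its config; quietly do nothing when
# inetd is not running (no pid file), as on a high-security install.
reload_inetd() {
    if [ -r /var/run/inetd.pid ]; then
        kill -HUP "$(cat /var/run/inetd.pid)"
    fi
}

echo "enabled before:"
enabled_services "$SAMPLE_CONF"     # ftp telnet comsat
disable_service "$SAMPLE_CONF" telnet
disable_service "$SAMPLE_CONF" ftp
echo "enabled after:"
enabled_services "$SAMPLE_CONF"     # comsat
```

On a real host you would point the functions at /etc/inetd.conf and call `reload_inetd` after the edits; the audit step is the useful part either way, since it shows at a glance what a default or inherited inetd.conf still exposes.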