From owner-freebsd-security Thu Sep 21 22:39:53 2000
Message-ID: <39CA8E45.7DA45048@softweyr.com>
Date: Thu, 21 Sep 2000 16:40:05 -0600
From: Wes Peters
Organization: Softweyr LLC
To: nbm@mithrandr.moria.org
Cc: Brett Glass, security@freebsd.org
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)

Neil Blakey-Milner wrote:
>
> [ Cc trimmed, advocacy,chat -> security ]
>
> On Thu 2000-09-21 (11:38), Brett Glass wrote:
> > >>From a review of /etc/defaults/rc.conf, 5.0-CURRENT has turned off the
> > >three biggies that I didn't like the default YES,
> > >
> > > inetd_enable="NO"
> > > sendmail_enable="NO"
> > > portmap_enable="NO"
> >
> > But rc.conf turns them on!
> >
> > >But I assume /stand/sysinstall will ask if these should be turned on.
> > >This is good.
> >
> > It still leaves all of these on WITHOUT ASKING.
>
> I have an idea. Why don't you submit a patch that'll make sysinstall
> ask about them, instead of using those scary capital letters and
> exclamation marks that make it sound like you're incredibly shocked over
> all this, on inappropriate mailing lists?

Brett, did it ever occur to you THESE ARE THE DEFAULTS because MOST PEOPLE
WANT THEM THAT WAY? Most people who install FreeBSD just want telnet, mail,
and NFS to work, they don't want to spend hours agonizing over the
configuration of every single computer they install. They rely on firewalls,
prayer, or abject cluelessness to secure their systems, and that's just fine.

Have you considered using OpenBSD? It does install with a more secure
(i.e. "doesn't work for most people") configuration out of the box.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/