From owner-freebsd-stable  Fri Aug  3 13:56: 7 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP
	id C3D0C37B401; Fri,  3 Aug 2001 13:55:44 -0700 (PDT)
	(envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.11.4/8.11.4) with SMTP id f73Ktff09835;
	Fri, 3 Aug 2001 16:55:41 -0400 (EDT)
	(envelope-from robert@fledge.watson.org)
Date: Fri, 3 Aug 2001 16:55:41 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.org>
X-Sender: robert@fledge.watson.org
To: arch@FreeBSD.org
Cc: stable@FreeBSD.org, re@FreeBSD.org
Subject: Re: Further tweaks to sysinstall to take into account inetd changes
In-Reply-To: <Pine.NEB.3.96L.1010803163223.7308Y-100000@fledge.watson.org>
Message-ID: <Pine.NEB.3.96L.1010803165501.7308Z-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG


Someone kindly pointed out that the patch I included lacked some content.
Try below.

Index: config.c
===================================================================
RCS file: /spare/freebsd/ncvs/src/usr.sbin/sysinstall/config.c,v
retrieving revision 1.185
diff -u -r1.185 config.c
--- config.c	2001/08/02 03:53:36	1.185
+++ config.c	2001/08/03 20:26:28
@@ -487,52 +487,22 @@
     return DITEM_SUCCESS;
 }
 
-/* Use the most fascist security settings */
+/* Use the most extreme security settings */
 int
-configSecurityFascist(dialogMenuItem *self)
+configSecurityExtreme(dialogMenuItem *self)
 {
     WINDOW *w = savescr();
 
-    variable_set2("inetd_enable", "NO", 1);
-    variable_set2("portmap_enable", "NO", 1);
+    variable_set2("nfs_server_enable", "NO", 1);
     variable_set2("sendmail_enable", "NO", 1);
     variable_set2("sshd_enable", "NO", 1);
-    variable_set2("nfs_server_enable", "NO", 1);
     variable_set2("kern_securelevel_enable", "YES", 1);
     variable_set2("kern_securelevel", "2", 1);
-    /* More fascist stuff should go here */
 
     if (self)
 	msgConfirm("Extreme security settings have been selected.\n\n"
-	    "This means that all \"popular\" network services and\n"
-	    "mechanisms like inetd(8) have been DISABLED by default.\n\n"
-	    "PLEASE NOTE that this still does not save you from having\n"
-	    "to properly secure your system in other ways or exercise\n"
-	    "due diligence in your administration, this simply picks\n"
-	    "a more secure set of out-of-box defaults to start with.\n\n"
-	    "To change any of these settings later, edit /etc/rc.conf");
-
-    restorescr(w);
-    return DITEM_SUCCESS;
-}
-
-int
-configSecurityHigh(dialogMenuItem *self)
-{
-    WINDOW *w = savescr();
-
-    variable_set2("inetd_enable", "NO", 1);
-    variable_set2("sendmail_enable", "YES", 1);
-    variable_set2("sshd_enable", "YES", 1);
-    variable_set2("portmap_enable", "NO", 1);
-    variable_set2("nfs_server_enable", "NO", 1);
-    variable_set2("kern_securelevel_enable", "YES", 1);
-    variable_set2("kern_securelevel", "1", 1);
-
-    if (self)
-	msgConfirm("High security settings have been selected.\n\n"
-	    "This means that most \"popular\" network services and\n"
-	    "mechanisms like inetd(8) have been DISABLED by default.\n\n"
+	    "Sendmail, SSHd, and NFS services have been disabled, and\n"
+	    "securelevels have been enabled.\n"
 	    "PLEASE NOTE that this still does not save you from having\n"
 	    "to properly secure your system in other ways or exercise\n"
 	    "due diligence in your administration, this simply picks\n"
@@ -543,54 +513,23 @@
     return DITEM_SUCCESS;
 }
 
-int
 configSecurityModerate(dialogMenuItem *self)
 {
     WINDOW *w = savescr();
 
-    variable_set2("inetd_enable", "YES", 1);
-    if (!variable_cmp("nfs_client_enable", "YES") ||
-	!variable_cmp("nfs_server_enable", "YES"))
-    	variable_set2("portmap_enable", "YES", 1);
-    if (!variable_cmp("nfs_server_enable", "YES"))
-	variable_set2("nfs_reserved_port_only", "YES", 1);
+    variable_set2("nfs_reserved_port_only", "YES", 1);
     variable_set2("sendmail_enable", "YES", 1);
     variable_set2("sshd_enable", "YES", 1);
     variable_set2("kern_securelevel_enable", "NO", 1);
 
     if (self)
 	msgConfirm("Moderate security settings have been selected.\n\n"
-	    "This means that most \"popular\" network services and\n"
-	    "mechanisms like inetd(8) have been enabled by default\n"
-	    "for a comfortable user experience but with possible\n"
-	    "trade-offs in system security.  If this bothers you and\n"
-	    "you know exactly what you are doing, select one of the\n"
-	    "other security profiles instead.\n\n"
-	    "To change any of these settings later, edit /etc/rc.conf");
-
-    restorescr(w);
-    return DITEM_SUCCESS;
-}
-
-int
-configSecurityLiberal(dialogMenuItem *self)
-{
-    WINDOW *w = savescr();
-
-    variable_set2("inetd_enable", "YES", 1);
-    variable_set2("portmap_enable", "YES", 1);
-    variable_set2("sendmail_enable", "YES", 1);
-    variable_set2("sshd_enable", "YES", 1);
-    variable_set2("kern_securelevel_enable", "NO", 1);
-
-    if (self)
-	msgConfirm("Liberal security settings have been selected.\n\n"
-	    "This means that most \"popular\" network services and\n"
-	    "mechanisms like inetd(8) have been enabled by default\n"
-	    "for the most comfortable user experience but with possible\n"
-	    "trade-offs in system security.  If this bothers you and\n"
-	    "you know exactly what you are doing, select one of the\n"
-	    "other security profiles instead.\n\n"
+	    "Sendmail and SSHd have been enabled, securelevels are\n"
+	    "disabled, and NFS server settings have been left intact.\n"
+            "PLEASE NOTE that this still does not save you from having\n"
+            "to properly secure your system in other ways or exercise\n"
+            "due diligence in your administration, this simply picks\n"
+            "a standard set of out-of-box defaults to start with.\n\n"
 	    "To change any of these settings later, edit /etc/rc.conf");
 
     restorescr(w);
Index: menus.c
===================================================================
RCS file: /spare/freebsd/ncvs/src/usr.sbin/sysinstall/menus.c,v
retrieving revision 1.312
diff -u -r1.312 menus.c
--- menus.c	2001/08/02 03:53:36	1.312
+++ menus.c	2001/08/03 20:24:36
@@ -1673,10 +1673,8 @@
     "Select a canned security profile - F1 for help",
     "security",						/* help file */
     { { "X Exit",	"Exit this menu (returning to previous)", NULL, configSecurityModerate },
-      { "Low",		"Fairly wide-open (little) security.", NULL, configSecurityLiberal },
       { "Medium",	"Moderate security settings [DEFAULT].", NULL, configSecurityModerate },
-      { "High",		"Fairly safe security settings.", NULL, configSecurityHigh },
-      { "Extreme",	"Very restrictive security settings.", NULL, configSecurityFascist },
+      { "Extreme",	"Very restrictive security settings.", NULL, configSecurityExtreme },
       { NULL } },
 };
 
Index: sysinstall.h
===================================================================
RCS file: /spare/freebsd/ncvs/src/usr.sbin/sysinstall/sysinstall.h,v
retrieving revision 1.211
diff -u -r1.211 sysinstall.h
--- sysinstall.h	2001/08/02 03:53:36	1.211
+++ sysinstall.h	2001/08/03 20:17:47
@@ -451,10 +451,8 @@
 extern int	configNFSServer(dialogMenuItem *self);
 extern int	configWriteRC_conf(dialogMenuItem *self);
 extern int	configSecurityProfile(dialogMenuItem *self);
-extern int	configSecurityFascist(dialogMenuItem *self);
-extern int	configSecurityHigh(dialogMenuItem *self);
+extern int	configSecurityExtreme(dialogMenuItem *self);
 extern int	configSecurityModerate(dialogMenuItem *self);
-extern int	configSecurityLiberal(dialogMenuItem *self);
 extern int	configTTYs(dialogMenuItem *self);
 
 /* crc.c */
Index: help/security.hlp
===================================================================
RCS file: /spare/freebsd/ncvs/src/usr.sbin/sysinstall/help/security.hlp,v
retrieving revision 1.2
diff -u -r1.2 security.hlp
--- help/security.hlp	2001/03/11 23:47:12	1.2
+++ help/security.hlp	2001/08/03 20:23:55
@@ -3,19 +3,14 @@
 which services are enabled (or disabled) by each of the canned security
 profiles:
 
-               Extreme        High           Medium         Low
-               -------        ----           --------       ---
-inetd          NO             NO             YES            YES
-sendmail       NO             YES            YES            YES
-sshd           NO             YES            YES            YES
-portmap        NO             NO             *              YES
-nfs_server     NO             NO             **             ***
-securelevel    YES (2)        YES (1)        NO             NO
+               Extreme        Medium
+               -------        ------
+nfs_server     NO             *
+sendmail       NO             YES
+sshd           NO             YES
+securelevel    YES (2)        NO
 
 
 NOTES:
-*   Portmap is enabled if the machine has been configured as either an NFS
-    client or an NFS server earlier in the installation process.
-**  If the machine has been configured as an NFS server, NFS will only run
-    on a reserved port.
-*** No changes are made to the NFS configuration.
+*  If the machine has been configured as an NFS server, NFS will only run
+   on a reserved port.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message