Date:      Fri, 22 Sep 2000 08:10:42 -0400
From:      Drew Derbyshire <ahd@kew.com>
To:        freebsd-security@freebsd.org
Subject:   Re: sysinstall DOESN'T ASK, dangerous defaults!
Message-ID:  <39CB4C42.1A59669C@kew.com>

> Neil Blakey-Milner wrote:
> Brett, did it ever occur to you THESE ARE THE DEFAULTS because MOST
> PEOPLE WANT THEM THAT WAY?

Did you take a survey?

> Most people who install FreeBSD just want telnet, mail, and NFS to work,

Most people also want a secure system.  Don't even get me started about
rlogin/rsh being on by default in /etc/inetd.conf.

IMHO, many people wouldn't know NFS if it bit them in the nose.

If an NFS startup is enabled and the associated required portmap server is
not, then an improved RC script can override the setting and start portmap
automatically (with a suitable nasty warning to console and/or log).
Turning on portmap by default because someone MAY want NFS is not suitable.

> they don't want to spend hours agonizing over the configuration of every
> single computer they install.  They rely on firewalls, prayer, or abject
> cluelessness to secure their systems, and that's just fine.

God looks after fools and small children.  Despite appearances, naive
system admins don't officially qualify for "fool" status, so the OS
developers need to step in for God.

Like others, I would prefer mail was left disabled or prompted for:

  1. Mail running behind a firewall normally has to be reconfigured to work
     properly to see the enterprise mail relay.
  2. Mail running on a firewall normally has to be reconfigured to work
     properly to allow mail from the machines behind it.

Note that "prompted for" would include putting up the current "enable
network components" screen.

In summary, if the install is going to prompt for network services, it
needs to prompt consistently.  Prompting for many of the services and not
others makes one feel that the job is done, and it's not.

-ahd-
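
The portmap override proposed in the message above, sketched as an added example that is not part of the original e-mail or of FreeBSD's own rc scripts. The knob names (nfs_server_enable, nfs_client_enable, portmap_enable) and the function names are assumptions, and the sample rc.conf is constructed.

```shell
#!/bin/sh
# Decide whether portmap should start, given an rc.conf-style file.
# Policy: portmap stays off by default; it is started only when explicitly
# enabled, or forced on (with a loud warning) when NFS is enabled without it.

# rc_value FILE NAME: print the last value assigned to NAME, or "NO".
# The last assignment wins, as it would when the file is sourced by sh.
rc_value() {
    val=$(sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([A-Za-z]*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1)
    echo "${val:-NO}"
}

# is_yes VALUE: succeed only for YES in any letter case.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# portmap_decision FILE: print "start", "override" or "skip".
portmap_decision() {
    conf=$1
    if is_yes "$(rc_value "$conf" portmap_enable)"; then
        echo start
        return
    fi
    for knob in nfs_server_enable nfs_client_enable; do
        if is_yes "$(rc_value "$conf" "$knob")"; then
            # The warning goes to stderr here; a real rc script would also log it.
            echo "WARNING: $knob=YES but portmap_enable is not; starting portmap anyway" >&2
            echo override
            return
        fi
    done
    echo skip
}

# Constructed sample: NFS server enabled, portmap left at its "off" default.
sample=$(mktemp)
printf 'nfs_server_enable="YES"\nportmap_enable="NO"\n' > "$sample"
portmap_decision "$sample"
rm -f "$sample"
```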