From owner-freebsd-hackers@FreeBSD.ORG Wed May 2 14:00:52 2012 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9935D106566B; Wed, 2 May 2012 14:00:52 +0000 (UTC) (envelope-from gkeramidas@gmail.com) Received: from mail-lb0-f182.google.com (mail-lb0-f182.google.com [209.85.217.182]) by mx1.freebsd.org (Postfix) with ESMTP id B8CB98FC08; Wed, 2 May 2012 14:00:48 +0000 (UTC) Received: by lbon10 with SMTP id n10so621992lbo.13 for ; Wed, 02 May 2012 07:00:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=Gc2NJmLtEMpSTo2RDwFaDsi/HjEtLejW9Db/violGiA=; b=THj1KWfgoNz23FWXIMbfwYDYdDZ6JM0MFaRCPRM9W0eBSUpMlliqvcKLC79UtkfNsL a/riNQzQBqN8yPs2iXhMw/8J0w0RT/A/pGIRtsDiyJOLPBclEgvS9CiLes6R0zBI+Cem FSgeAF/88bUwgUQ7I04/+d/lVL7XDp4wdPGMOHhA7b0DLh2r5mk2ECvPDRHLNGXfa7ST ffvHN3HRBKKO61VKxyOtK3d8qykTWb6no7kSnvsYmmB4k/ipoB6fVJw8/nEUlsZN9czA oSWqF6JKpX62dH228FjCJHYPIWqTDr8rV85FdYtcIUM5FIYLzO02uf3stjFTj375xXSp bw6Q== MIME-Version: 1.0 Received: by 10.112.47.161 with SMTP id e1mr15027526lbn.42.1335967247723; Wed, 02 May 2012 07:00:47 -0700 (PDT) Sender: gkeramidas@gmail.com Received: by 10.152.131.37 with HTTP; Wed, 2 May 2012 07:00:47 -0700 (PDT) In-Reply-To: <4FA12980.6080101@cs.stonybrook.edu> References: <20120427203117.GA2055@gizmo.acns.msu.edu> <4FA12980.6080101@cs.stonybrook.edu> Date: Wed, 2 May 2012 16:00:47 +0200 X-Google-Sender-Auth: pf332jMeeRRfPx_7dszXgcgOluA Message-ID: From: Giorgos Keramidas To: Richard Yao Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Cc: Jerry McAllister , freebsd-hackers@freebsd.org, Mehmet Erol Sanliturk , Andy@freebsd.org, Wojciech Puchar , Young Subject: Re: Ways to promote FreeBSD? X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 May 2012 14:00:52 -0000 On Wed, May 2, 2012 at 2:33 PM, Richard Yao wrote: >On 05/02/12 04:55, Giorgos Keramidas wrote: >> Judging from the amount of effort it takes to "harden" a system >> that already starts a thousand services (typical "desktop Linux" >> scenario these days), and the number of times I've seen this >> sort of customization cause even more headaches, I'd say this >> is a slightly exaggerated statement. > > You might be thinking of SELinux, which is not the only option for > hardening. Not really, no. I was referring to the practice of starting a gazillion services by default, including dbus, avahi, ftp and http services, file sharing components, and all the rest of the stuff that is now commonly installed as part of a "Linux desktop". SELinux is indeed one form of hardening, but I wasn't referring specifically to it; exactly the opposite, in fact. >> You are right that a "plain user" does not care about why their >> CD-ROM is not accessible after installation, but there are two >> different ways to approach this: >> >> - Install and enable everything by default, hoping that nothing >> =C2=A0 bad happens when an unused service is exploitable. >> - Install a minimal system and build from there. >> >> Most Linux distributions pick the first option. _Some_ Linux >> distributions pick the second option (e.g. Gentoo). > > You might be thinking of Gentoo Linux, rather than Gentoo. The term > Gentoo also covers Gentoo/FreeBSD and Gentoo Prefix. Gentoo/FreeBSD > replaces the Linux kernel and GNU userland with FreeBSD while Gentoo > Prefix provides a userland package manager to UNIX-compatible systems: Gentoo Linux is what I was talking about. It's one of the distributions that does lean towards the "install only what is necessary" side of the spectrum. The main point is not whether Gentoo/Linux or Gentoo/BSD is the best color for the particular bikeshed though. It was that one _has_ the option both with Linux and BSD as a base to implement both types of installations. Hardening can be either an install-time property or an after-effect. It's really not OS-dependent at all.