Message-Id: <200009221555.e8MFtGK11604@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: Neil Blakey-Milner
Cc: Cy Schubert - ITSD Open Systems Group, Brett Glass, Wes Peters, security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
In-reply-to: Your message of "Fri, 22 Sep 2000 16:57:25 +0200." <20000922165725.A30364@mithrandr.moria.org>
Date: Fri, 22 Sep 2000 08:54:34 -0700

In message <20000922165725.A30364@mithrandr.moria.org>, Neil Blakey-Milner writes:
> I don't think we want to make even more sysinstall hacks, as it is
> exceedingly complicated and time-consuming (especially according to Mr.
> Glass - hours of painstaking choices).
>
> I think inetd_enable="YES"/"NO" is mostly sufficient. Anything beyond
> that is the realm of the administrator. Perhaps we can put your scripts
> in /usr/share/examples/inetd/, along with example configurations, like
> inetd.conf.rsh, inetd.conf.ftp, inetd.conf.full. Then have a
> mostly-empty /etc/inetd.conf that isn't self-documenting, with ftp and
> commented out telnet and (internal) auth.

Thinking about it further, I don't think it really matters that much.
Managing a heterogeneous environment, customisations have to be made
anyhow -- at least on my part. (I must have been on drugs over the past
week to create such a ruckus on -arch over this issue. I was definitely
not thinking rationally.)

Ideally a post-install process (my awk script could be part of it) might
be the best way to go. If the process is generic enough it could be used
anywhere. Having said that, before anyone asks for patches, this has
been on my todo list for a while now.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
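
A post-install pass of the kind discussed in this message, as an added example; it is not Cy Schubert's awk script (which is not shown here) and not FreeBSD project code. It comments out every enabled inetd.conf entry that is not on an allow-list; the function names harden_inetd, list_enabled and sample_conf, and the sample file, are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: post-install pass over a file in inetd.conf format.
# harden_inetd, list_enabled and sample_conf are hypothetical names.

# harden_inetd ALLOWLIST < inetd.conf > inetd.conf.new
#   ALLOWLIST: space-separated service names to leave enabled (may be empty).
harden_inetd() {
    awk -v allow="${1:-}" '
    BEGIN {
        n = split(allow, a, " ")
        for (i = 1; i <= n; i++) keep[a[i]] = 1
    }
    # Existing comments and blank lines pass through untouched,
    # so an already commented-out entry never becomes "##...".
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }
    {
        # Field 1 is the service name; RPC entries look like "name/1-3".
        svc = $1
        sub(/\/.*/, "", svc)
        if (svc in keep) print
        else print "#" $0
    }'
}

# list_enabled < inetd.conf
#   Print "service/protocol" for each entry that is still active.
list_enabled() {
    awk '!(/^[ \t]*#/ || /^[ \t]*$/) { print $1 "/" $3 }'
}

# Constructed sample input (not taken from any real system).
sample_conf() {
    cat <<'EOF'
# constructed sample in inetd.conf format
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#auth   stream  tcp     nowait  root    internal
EOF
}

# Demonstration: keep only ftp enabled, then show what is still listening.
sample_conf | harden_inetd "ftp" | list_enabled
```

Write the result to a new file and review it before replacing /etc/inetd.conf; inetd only picks up the change after it is told to reread its configuration.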