From owner-freebsd-security  Wed Aug 15 21:27:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from omega.lovett.com (omega.lovett.com [209.249.90.123])
	by hub.freebsd.org (Postfix) with ESMTP
	id CBAC837B40D; Wed, 15 Aug 2001 21:27:36 -0700 (PDT)
	(envelope-from ade@lovett.com)
Received: from austin.lovett.com
	([66.25.157.243] helo=klendathu.lovett.com ident=ident)
	by omega.lovett.com with esmtp (Exim 3.31 #1)
	id 15XEka-000G6D-00; Wed, 15 Aug 2001 21:27:20 -0700
Received: from ade by klendathu.lovett.com with local (Exim 3.32 #1)
	id 15XEka-0003Jc-00; Wed, 15 Aug 2001 23:27:20 -0500
Date: Wed, 15 Aug 2001 23:27:20 -0500
From: Ade Lovett <ade@FreeBSD.org>
To: Robert Watson <rwatson@FreeBSD.ORG>
Cc: Igor Roshchin <str@giganda.komkon.org>, security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010815232720.B10783@FreeBSD.org>
References: <200108151729.f7FHTKq11654@giganda.komkon.org> <Pine.NEB.3.96L.1010815133118.81642J-100000@fledge.watson.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.NEB.3.96L.1010815133118.81642J-100000@fledge.watson.org>; from rwatson@FreeBSD.ORG on Wed, Aug 15, 2001 at 01:32:40PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Wed, Aug 15, 2001 at 01:32:40PM -0400, Robert Watson wrote:
> This is pretty much what I had in mind, but the problem I cited was that
> it's difficult for such an editor to read in inetd.conf in an effective
> way after the user has edited it once, because it's hard to tell which
> lines are "disabled services" and which are simply "comments".

Yes and no.  If a disabled service were to be marked with, for example:

	#DISABLED# ftp stream tcp blah..

this would make things considerably easier to determine which is purely
a comment, and which is a physical action to disable a service.

Of course, adding an on/off flag to inetd.conf for each service is
another option, but that has the annoying issue of violating POLA, since
our inetd.conf would look unlike any others.

-aDe

-- 
Ade Lovett, Austin, TX.			       ade@FreeBSD.org
FreeBSD: The Power to Serve		http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message