From owner-freebsd-security Thu Aug 16 3:43:56 2001
Date: Thu, 16 Aug 2001 11:44:27 +0100
From: Ceri <ceri@techsupport.co.uk>
To: Robert Watson <rwatson@FreeBSD.ORG>
Cc: Gavin Grabias, security@FreeBSD.ORG
Subject: Re: cvs commit: src/etc inetd.conf
Message-ID: <20010816114427.D9234@cartman.techsupport.co.uk>
In-Reply-To: message from rwatson@FreeBSD.ORG on Wed, Aug 15, 2001 at 03:32:57PM -0400

On Wed, Aug 15, 2001 at 03:32:57PM -0400, Robert Watson said:
> On Wed, 15 Aug 2001, Gavin Grabias wrote:
>
> > > Good point, but that's a little different. Warning those who care
> > > (subscribers of the list) about security advisories is MUCH different
> > > than making the OS mute because a percentage of the installers can't
> > > figure out (or don't know that they SHOULD figure out) how to turn off
> > > sendmail, telnet, etc. It just won't save the experienced users any
> > > time to have them disabled, and it won't stop the 'clueless' from being
> > > just that.
> >
> > Security is starting to sound like a bug instead of a feature for
> > FreeBSD. We are arguing about whether users can use a text editor to
> > edit their inetd.conf. The secure approach would be to disable all
> > services by default. If the user wants "features" make him/her read
> > about them and educate themselves. Then they can make the decision as
> > to whether they want the service enabled.
>
> This is what FreeBSD 4.4 does with the inetd network services. There's an
> on-going debate about how best to handle this WRT sendmail, as local mail
> delivery is required for some internal base system functionality (vi
> recovery files, cron'd events, etc).

Would there be any mileage in doing things the NetBSD way? From NetBSD's
rc.conf(5):

     rc_configured
             If this is not set to `YES' then the system will drop into
             single-user mode during boot.

This makes pretty damn sure that if you haven't configured your system it's
not on the network. Might be a bit tougher for the first time user, but
something like OpenBSD's afterboot(8) might help there.

Just an idea,

Ceri

--
I probably wouldn't like you. Really. I really probably wouldn't like you.
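The two mechanisms discussed in this thread, "disable everything in inetd.conf by default" and NetBSD's rc_configured gate, can both be expressed as a small audit script. The following is an added example written for this archive page, not code from the thread or from FreeBSD/NetBSD: it lists which inetd.conf entries are still active (uncommented lines) and emulates the rc.conf(5) check quoted above. The inetd.conf and rc.conf contents embedded in the script are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit an inetd.conf for services that are
# still enabled, and apply the NetBSD-style rc_configured gate from rc.conf.
# Both file contents below are constructed sample data, not real system files.

SAMPLE_INETD_CONF='# constructed sample inetd.conf
#ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
#comsat  dgram   udp     wait    tty     /usr/libexec/comsat     comsat
'

SAMPLE_RC_CONF='# constructed sample rc.conf
hostname="example.test"
rc_configured=NO
'

# Print the service name of every active inetd.conf line.
# A line is active unless it is blank or its first non-blank character is "#".
enabled_inetd_services() {
    printf '%s' "$1" | awk '
        /^[[:space:]]*#/ { next }   # commented-out service
        NF == 0          { next }   # blank line
        { print $1 }                # first field is the service name
    '
}

# Number of active services; a "mute by default" inetd.conf drives this to 0.
enabled_inetd_count() {
    enabled_inetd_services "$1" | wc -l | tr -d ' '
}

# Emulate NetBSD's rc_configured check: succeed (continue to multi-user) only
# when rc.conf sets rc_configured=YES; any other value, or no setting at all,
# means the boot would stop in single-user mode.
rc_configured_ok() {
    value=$(printf '%s' "$1" \
        | sed -n 's/^[[:space:]]*rc_configured[[:space:]]*=[[:space:]]*//p' \
        | tail -n 1 | tr -d '"' | tr -d "'")
    [ "$value" = "YES" ]
}

# Stand-alone demonstration on the constructed samples.
echo "Enabled inetd services:"
enabled_inetd_services "$SAMPLE_INETD_CONF"
echo "Count: $(enabled_inetd_count "$SAMPLE_INETD_CONF")"
if rc_configured_ok "$SAMPLE_RC_CONF"; then
    echo "rc_configured=YES: system would come up multi-user"
else
    echo "rc_configured is not YES: system would stop in single-user mode"
fi
```

Run against the sample data the script reports telnet and finger as still enabled and, because the sample rc.conf says rc_configured=NO, concludes the machine would stop in single-user mode before any of those services could be reached over the network. Pointing the two functions at a real /etc/inetd.conf and /etc/rc.conf gives the same two answers for an actual host.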