Date:      Thu, 16 Aug 2001 11:44:27 +0100
From:      Ceri <ceri@techsupport.co.uk>
To:        Robert Watson <rwatson@FreeBSD.ORG>
Cc:        Gavin Grabias <gaving@enter.net>, security@FreeBSD.ORG
Subject:   Re: cvs commit: src/etc inetd.conf
Message-ID:  <20010816114427.D9234@cartman.techsupport.co.uk>
In-Reply-To: <Pine.NEB.3.96L.1010815153204.81642Q-100000@fledge.watson.org>; from rwatson@FreeBSD.ORG on Wed, Aug 15, 2001 at 03:32:57PM -0400
References:  <Pine.LNX.4.33.0108151331340.27240-100000@grabes2.enter.net> <Pine.NEB.3.96L.1010815153204.81642Q-100000@fledge.watson.org>

On Wed, Aug 15, 2001 at 03:32:57PM -0400, Robert Watson said:
> On Wed, 15 Aug 2001, Gavin Grabias wrote:
> 
> > > Good point, but that's a little different.  Warning those who care
> > > (subscribers of the list) about security advisories is MUCH different
> > > than making the OS mute because a percentage of the installers can't
> > > figure out (or don't know that they SHOULD figure out) how to turn off
> > > sendmail, telnet, etc.  It just won't save the experienced users any
> > > time to have them disabled, and it won't stop the 'clueless' from being
> > > just that.
> > 
> > Security is starting to sound like a bug instead of a feature for
> > FreeBSD.  We are arguing about whether users can use a text editor to
> > edit their inetd.conf.  The secure approach would be to disable all
> > services by default.  If the user wants "features" make him/her read
> > about them and educate themselves.  Then they can make the decision as
> > to whether they want the service enabled. 
> 
> This is what FreeBSD 4.4 does with the inetd network services.  There's an
> on-going debate about how best to handle this WRT sendmail, as local mail
> delivery is required for some internal base system functionality (vi
> recovery files, cron'd events, etc).

Would there be any mileage in doing things the NetBSD way?

From NetBSD's rc.conf(5):

     rc_configured   If this is not set to `YES' then the system will drop
                     into single-user mode during boot.

This makes pretty damn sure that if you haven't configured your system
it's not on the network.  Might be a bit tougher for the first time user,
but something like OpenBSD's afterboot(8) might help there.

Just an idea,

Ceri

-- 
I probably wouldn't like you. Really.
I really probably wouldn't like you.
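As an added illustration of the two mechanisms discussed in this thread (not code from the thread or from any BSD rc system), the script below applies the rc_configured gate to a constructed rc.conf sample and lists which inetd.conf services would actually be listening. Both files are constructed samples; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit an rc.conf and an inetd.conf the way the thread
# describes. rc_configured must be exactly YES before boot proceeds to
# multi-user, and every uncommented inetd.conf line is a network listener.

RC_CONF=$(mktemp)
INETD_CONF=$(mktemp)
trap 'rm -f "$RC_CONF" "$INETD_CONF"' EXIT

# Constructed rc.conf sample: the administrator has not yet reviewed it.
cat > "$RC_CONF" <<'EOF'
# rc.conf (constructed sample)
rc_configured=NO
sshd=YES
EOF

# Constructed inetd.conf sample: most services commented out, one left on.
cat > "$INETD_CONF" <<'EOF'
# inetd.conf (constructed sample)
#ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet   stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
EOF

# rc_is_configured FILE: succeed only when rc_configured is exactly YES
# (quotes stripped); anything else means "unconfigured, stay single-user".
rc_is_configured() {
    val=$(sed -n 's/^rc_configured=//p' "$1" | tail -n 1 | tr -d "\"'")
    [ "$val" = "YES" ]
}

# boot_decision FILE: the mode rc(8) would continue into.
boot_decision() {
    if rc_is_configured "$1"; then echo "multi-user"; else echo "single-user"; fi
}

# enabled_inetd_services FILE: service name of every uncommented entry.
enabled_inetd_services() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '{ print $1 }'
}

echo "boot would continue into: $(boot_decision "$RC_CONF")"
echo "inetd services that would listen:"
enabled_inetd_services "$INETD_CONF" | sed 's/^/  /'
```

With the sample above the gate keeps the box in single-user mode, and the audit shows telnet as the only inetd listener that an unconfigured install would have exposed.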

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010816114427.D9234>