Date: Thu, 16 Aug 2001 11:44:27 +0100 From: Ceri <ceri@techsupport.co.uk> To: Robert Watson <rwatson@FreeBSD.ORG> Cc: Gavin Grabias <gaving@enter.net>, security@FreeBSD.ORG Subject: Re: cvs commit: src/etc inetd.conf Message-ID: <20010816114427.D9234@cartman.techsupport.co.uk> In-Reply-To: <Pine.NEB.3.96L.1010815153204.81642Q-100000@fledge.watson.org>; from rwatson@FreeBSD.ORG on Wed, Aug 15, 2001 at 03:32:57PM -0400 References: <Pine.LNX.4.33.0108151331340.27240-100000@grabes2.enter.net> <Pine.NEB.3.96L.1010815153204.81642Q-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Aug 15, 2001 at 03:32:57PM -0400, Robert Watson said: > On Wed, 15 Aug 2001, Gavin Grabias wrote: > > > > Good point, but thats a little different. Warning those who care > > > (subscribers of the list) about security advisories is MUCH different > > > than making the OS mute because a percentage of the installers can't > > > figure out (or don't know that they SHOULD figure out) how to turn off > > > sendmail, telnet, etc. It just won't save the experienced users any > > > time to have them disabled, and it won't stop the 'clueless' from being > > > just that. > > > > Security is starting to sound like a bug instead of a feature for > > FreeBSD. We are arguing about whether users can use a text editor to > > edit their inetd.conf. The secure approach would be to disable all > > services by default. If the user wants "features" make him/her read > > about them and educate themselves. Then they can make the decision as > > to whether they want the service enabled. > > This is what FreeBSD 4.4 does with the inetd network services. There's an > on-going debate about how best to handle this WRT sendmail, as local mail > delivery is required for some internal base system functionality (vi > recovery files, cron'd events, etc). Would there be any mileage in doing things the NetBSD way ? From NetBSD's rc.conf(5) : rc_configured If this is not set to `YES' then the system will drop into single-user mode during boot. This makes pretty damn sure that if you haven't configured your system it's not on the network. Might be a bit tougher for the first time user, but something like OpenBSD's afterboot(8) might help there. Just an idea, Ceri -- I probably wouldn't like you. Really. I really probably wouldn't like you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010816114427.D9234>