Date:      Fri, 22 Sep 2000 23:49:14 -0600
From:      Wes Peters <wes@softweyr.com>
To:        Brett Glass <brett@lariat.org>
Cc:        nbm@mithrandr.moria.org, security@freebsd.org
Subject:   Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: watsso   special about freeBSD?)
Message-ID:  <39CC445A.5A7C0D07@softweyr.com>
References:  <99016.969437392@winston.osd.bsdi.com> <cjclark@reflexnet.net> <99016.969437392@winston.osd.bsdi.com> <20000920125405.D22272@149.211.6.64.reflexcom.com> <4.3.2.7.2.20000921113652.053d4960@localhost> <20000921210521.A17973@mithrandr.moria.org> <4.3.2.7.2.20000921182152.046d6ee0@localhost>

Brett Glass wrote:
> 
> At 04:40 PM 9/21/2000, Wes Peters wrote:
> 
> >Brett, did it ever occur to you THESE ARE THE DEFAULTS because MOST PEOPLE
> >WANT THEM THAT WAY?  Most people who install FreeBSD just want telnet, mail,
> >and NFS to work,
> 
> IMHO:
> 
> Telnet is dangerous and should be disabled now that SSH is in common use
> and is not encumbered by patents. sshd should be on unless the user
> asks for it not to be. (He or she should still be asked.)
> 
> Mail should be an option that defaults to "on" but lets the user ask that
> it not be activated at install time. Many of us like to reconfigure before
> turning it on. And others will be using FreeBSD as a workstation and will
> be using an e-mail client.... Sendmail doesn't need to be running.
> 
> As for NFS: I would take issue with the assertion that most people
> want it on. Also, last time I checked the default install of FreeBSD
> turned on /sbin/portmap even if the user explicitly asks for no NFS!
> This is unnecessary and is a security breach just waiting to happen.

I don't disagree with you on any of these points except the idea of cramming
them down the throat of average FreeBSD users.

> >they don't want to spend hours agonizing over the configuration
> >of every single computer they install.
> 
> I wind up spending hours agonizing over the configuration of every
> FreeBSD install I do, because I have to turn off many of the defaults
> which could potentially compromise security or waste resources.

If you don't simply generate a set of patches and apply them, that's
your fault.  Most of these can be disabled by simply appending the proper
"NO" lines to /etc/rc.conf.

> >They rely on firewalls, prayer, or
> >abject cluelessness to secure their systems, and that's just fine.
> 
> Windows users do that. FreeBSD users should have it better.

No, they shouldn't, unless they really want it.  Let them make their own
decisions.  We're developing their operating system, not wiping their noses
and asses.

> >Have you considered using OpenBSD?  It does install with a more secure (i.e.
> >"doesn't work for most people") configuration out of the box.
> 
> I have not only considered it -- I've used it quite a bit. On the table
> next to me are machines with the latest releases of FreeBSD, NetBSD,
> and OpenBSD.

Me too.  Well, my NetBSD machine is a bit out of date, but I've ftp'd the
latest 1.5 candidate and am hoping for some time to install it someday
soon.  They all have their warts and beauties, but FreeBSD aims to be the
most useful to the largest number of people out of the box.  If it doesn't
meet your exact needs, that doesn't make it in any way unsuitable for the
average unwashed masses.

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
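
Added example, not part of the original message and not FreeBSD's own code: a shell check that reads rc.conf-style files in order and reports which of the network services debated in this thread are still enabled after "NO" lines are appended to /etc/rc.conf. The knob list uses FreeBSD 4.x-era variable names, and the file contents in `demo` are constructed samples, not the real /etc/defaults/rc.conf.

```shell
#!/bin/sh
# Knobs for the services argued over in the thread. telnetd is started by
# inetd, so inetd_enable covers it. Names are FreeBSD 4.x-era rc.conf variables.
KNOBS="inetd_enable sendmail_enable portmap_enable nfs_server_enable nfs_client_enable sshd_enable"

# enabled_knobs FILE...
# Read rc.conf-style files in order (later assignments override earlier ones,
# as when the defaults are sourced before /etc/rc.conf) and print each knob
# from $KNOBS whose final value is YES.
enabled_knobs() {
    awk -v knobs="$KNOBS" '
        BEGIN { n = split(knobs, want, " ") }
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)        # drop comments
            eq = index(line, "=")
            if (eq == 0) next                  # not an assignment
            name = substr(line, 1, eq - 1)
            val  = substr(line, eq + 1)
            gsub(/[ \t]/, "", name)
            gsub(/[" \t]/, "", val)            # drop quotes and padding
            value[name] = toupper(val)
        }
        END {
            for (i = 1; i <= n; i++)
                if (value[want[i]] == "YES") print want[i]
        }
    ' "$@"
}

# demo: constructed sample files, not the real /etc/defaults/rc.conf.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/defaults" <<'EOF'
inetd_enable="YES"        # constructed sample values
sendmail_enable="YES"
portmap_enable="YES"
nfs_server_enable="NO"
sshd_enable="NO"
EOF
    cat > "$dir/rc.conf" <<'EOF'
inetd_enable="NO"
sendmail_enable="NO"
portmap_enable="NO"
sshd_enable="YES"
EOF
    enabled_knobs "$dir/defaults" "$dir/rc.conf"
    rm -rf "$dir"
}

demo    # prints: sshd_enable
```

Anything the function still prints after the overrides are applied is a listener that was left on, which makes it usable as a post-install check on each machine.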
