From: Wes Peters
Organization: Softweyr LLC
Date: Fri, 22 Sep 2000 23:49:14 -0600
To: Brett Glass
Cc: nbm@mithrandr.moria.org, security@freebsd.org
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: watsso special about freeBSD?)
Message-ID: <39CC445A.5A7C0D07@softweyr.com>

Brett Glass wrote:
> 
> At 04:40 PM 9/21/2000, Wes Peters wrote:
> 
> >Brett, did it ever occur to you THESE ARE THE DEFAULTS because MOST PEOPLE
> >WANT THEM THAT WAY? Most people who install FreeBSD just want telnet, mail,
> >and NFS to work,
> 
> IMHO:
> 
> Telnet is dangerous and should be disabled now that SSH is in common use
> and is not encumbered by patents. sshd should be on unless the user
> asks for it not to be. (He or she should still be asked.)
> 
> Mail should be an option that defaults to "on" but lets the user ask that
> it not be activated at install time. Many of us like to reconfigure before
> turning it on. And others will be using FreeBSD as a workstation and will
> be using an e-mail client.... Sendmail doesn't need to be running.
> 
> As for NFS: I would take issue with the assertion that most people
> want it on. Also, last time I checked the default install of FreeBSD
> turned on /sbin/portmap even if the user explicitly asks for no NFS!
> This is unnecessary and is a security breach just waiting to happen.

I don't disagree with you on any of these points except the idea of cramming
them down the throat of average FreeBSD users.

> >they don't want to spend hours agonizing over the configuration
> >of every single computer they install.
> 
> I wind up spending hours agonizing over the configuration of every
> FreeBSD install I do, because I have to turn off many of the defaults
> which could potentially compromise security or waste resources.

If you don't simply generate a set of patches and apply them, that's your
fault. Most of these can be disabled by simply appending the proper "NO"
lines to /etc/rc.conf.

> >They rely on firewalls, prayer, or
> >abject cluelessness to secure their systems, and that's just fine.
> 
> Windows users do that. FreeBSD users should have it better.

No, they shouldn't, unless they really want it. Let them make their own
decisions. We're developing their operating system, not wiping their noses
and asses.

> >Have you considered using OpenBSD? It does install with a more secure (i.e.
> >"doesn't work for most people") configuration out of the box.
> 
> I have not only considered it -- I've used it quite a bit. On the table
> next to me are machines with the latest releases of FreeBSD, NetBSD,
> and OpenBSD.

Me too. Well, my NetBSD machine is a bit out of date, but I've ftp'd the
latest 1.5 candidate and am hoping for some time to install it someday soon.
They all have their warts and beauties, but FreeBSD aims to be the most
useful to the largest number of people out of the box. If it doesn't meet
your exact needs, that doesn't make it in any way unsuitable for the
average unwashed masses.

-- 
           "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
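The message's practical advice is to stop agonizing per machine and instead append the right `_enable="NO"` lines to /etc/rc.conf. The following POSIX shell script is an added example, not code from Wes's message or from FreeBSD itself. It audits an rc.conf-style file for the daemons the thread argues over (telnet via inetd, sendmail, portmap, NFS, sshd) and prints the override lines that would turn off everything except sshd. It assumes what FreeBSD's rc does with that file: rc.conf is sourced as a shell script, so the last assignment of a knob wins and an appended `"NO"` overrides an earlier `"YES"`; the knob names used are the FreeBSD 4.x-era ones, and `inetd_enable` stands in for telnet because telnetd is started from inetd. The sample rc.conf it reads is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: audit an
# rc.conf-style file for the daemons argued over in the message and emit
# the "NO" lines that turn the enabled ones off.
#
# Assumptions (labelled, not from the message): rc.conf is sourced as a shell
# script, so the LAST assignment of a knob wins and an appended foo_enable="NO"
# overrides an earlier "YES"; knob names are the FreeBSD 4.x ones; telnetd is
# started by inetd, so inetd_enable is the knob that governs telnet.

AUDIT_KNOBS="inetd_enable sendmail_enable portmap_enable nfs_server_enable nfs_client_enable sshd_enable"

# effective_value FILE KNOB
# Prints the last value assigned to KNOB (double quotes, whitespace and a
# trailing comment stripped), or "unset" if the file never assigns it.
effective_value() {
    awk -v knob="$2" '
        $0 ~ ("^[ \t]*" knob "=") {
            val = $0
            sub("^[ \t]*" knob "=", "", val)
            sub("[ \t]*#.*$", "", val)      # drop a trailing comment
            gsub(/[" \t]/, "", val)          # drop quotes and whitespace
            last = val
        }
        END { print (last == "" ? "unset" : last) }
    ' "$1"
}

# audit_rc FILE: one "knob=value" line per audited knob.
audit_rc() {
    for k in $AUDIT_KNOBS; do
        printf '%s=%s\n' "$k" "$(effective_value "$1" "$k")"
    done
}

# enabled_knobs FILE: only the knobs whose effective value is YES.
enabled_knobs() {
    for k in $AUDIT_KNOBS; do
        case "$(effective_value "$1" "$k")" in
            [Yy][Ee][Ss]) printf '%s\n' "$k" ;;
        esac
    done
}

# disable_lines FILE: rc.conf lines to append so that every enabled daemon
# except sshd (the one the message wants left on) becomes NO.
disable_lines() {
    enabled_knobs "$1" | while read -r k; do
        [ "$k" = "sshd_enable" ] && continue
        printf '%s="NO"\n' "$k"
    done
}

# Constructed sample rc.conf mirroring the complaint: portmap on although NFS
# was declined, telnet via inetd and sendmail on, sshd assigned twice.
SAMPLE_RC=$(mktemp)
trap 'rm -f "$SAMPLE_RC"' EXIT
cat > "$SAMPLE_RC" <<'EOF'
# constructed rc.conf for this example
inetd_enable="YES"        # telnetd is run from inetd
sendmail_enable="YES"
portmap_enable="YES"
nfs_server_enable="NO"
sshd_enable="NO"
sshd_enable="YES"         # later line wins, as when sourced by sh
EOF

echo "Effective settings:"
audit_rc "$SAMPLE_RC"
echo
echo "Append to /etc/rc.conf to disable the rest:"
disable_lines "$SAMPLE_RC"
```

Because the script only reads the file and prints the override lines, the same functions can be pointed at a real /etc/rc.conf to see which of these daemons an install left on before anything is changed; the output of `disable_lines` is exactly the set of lines Wes suggests appending.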