Date: Wed, 22 Feb 2017 23:18:03 +0300 From: Slawa Olhovchenkov <slw@zxy.spb.ru> To: Conrad Meyer <cem@freebsd.org> Cc: =?utf-8?Q?Bart=C5=82omiej?= Rutkowski <robak@freebsd.org>, src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r314036 - head/usr.sbin/bsdinstall/scripts Message-ID: <20170222201803.GV6035@zxy.spb.ru> In-Reply-To: <CAG6CVpW=QbTwC%2BkRx4K2WJ5GJsA72_ZHZpOMrJs9BTw5q1KX7A@mail.gmail.com> References: <201702210937.v1L9bY6V093836@repo.freebsd.org> <28a4cf5e-2edd-3e30-9ecd-817f886e9ea3@FreeBSD.org> <20170221144002.GA87822@FreeBSD.org> <CAGFrfxaoQccZAt%2BRowF2eH5TS0poJUojhHMe=JFfutwoabhBDQ@mail.gmail.com> <20170222112335.GA29481@ymer.vnode.se> <CAG6CVpXhEStzrORrOEgpdZ_8p%2BNN8WL_ob18D2927Mkp2CS36A@mail.gmail.com> <20170222180541.GG15630@zxy.spb.ru> <CAG6CVpW=QbTwC%2BkRx4K2WJ5GJsA72_ZHZpOMrJs9BTw5q1KX7A@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Feb 22, 2017 at 10:13:41AM -0800, Conrad Meyer wrote: > On Wed, Feb 22, 2017 at 10:05 AM, Slawa Olhovchenkov <slw@zxy.spb.ru> wrote: > > On Wed, Feb 22, 2017 at 08:11:14AM -0800, Conrad Meyer wrote: > > > >> On Wed, Feb 22, 2017 at 3:23 AM, Joel Dahl <joel@vnode.se> wrote: > >> > On Wed, Feb 22, 2017 at 07:56:52AM +0000, Bartłomiej Rutkowski wrote: > >> >> I strongly believe we should, by default, ship as secured and hardened as > >> >> possible in order to improve overall security of new users installations. > >> >> Power users will and do change the OS as they please, they most likely > >> >> don't use bsdinstall in first place, so they're not affected in any way. > >> > > >> > Sorry, I strongly disagree with that. I'm most likely a "power user" and I use > >> > bsdinstall. > >> > >> Ditto. I'm also unfamiliar enough with the installer to trip on this > >> kind of thing. Slawa's proposed "disable all" option would be fine. > > > > My english not enought fluent for more explicate proposal, from my > > point most of this options do hardened in only limited cases, for > > other cases same options do system more un-hardened by force working > > as root. Some have unevident effects (/tmp cleaning, for example). > > Yep. I am not concerned about disabling sendmail or remote syslog by > default, though. Also, what mean by 'disabling remote syslog'? As I know syslogd by default don't collect remote messages and need -a options. May be this is about -s options? How many -s? Not clean.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170222201803.GV6035>