Re: *** HEADS UP *** rc.conf changes (security)

2000-07-29 Thread Jordan K. Hubbard

> Hopefully sysinstall will be smarter about writing these overrides
> than it is about writing the "USA_RESIDENT=NO" override to /etc/make.conf.

It doesn't do that anymore.

- Jordan


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



*** HEADS UP *** rc.conf changes (security)

2000-07-28 Thread Eivind Eklund

After discussion with obrien, jhb, and dwithe (and non-protests from
the other committers present), I'm changing the defaults for remote
services in /etc/defaults/rc.conf to the least dangerous
configuration, and making sysinstall write out overrides for the
variables to their former default values in /etc/rc.conf upon install.

This means that anybody upgrading /etc/defaults/rc.conf needs to add
the following lines to rc.conf if they want to have the same setup
afterwards (unless the variables already are set, of course):

# Enable network daemons for user convenience.
inetd_enable="YES"
portmap_enable="YES"
sendmail_enable="YES"

(Heads up is over - more change detail below.)

This change might seem a little counterintuitive (given that
/etc/defaults/ are for defaults, after all) but seems to be the best
compromise for both getting the functionality jkh wants (freshly
installed boxes have active daemons, so users don't feel they have a
lot of extra hassle to get things up and working like they are used to
on other Unixen), and give FreeBSD a default secure config, meaning
the insecurities stand out.

I assume those of us that do new installs without using sysinstall
know FreeBSD well enough to be able to handle turning those daemons on
again if we want them ;)

BTW: Keep me in the Cc: list, please - I am not subscribed to -current
(or any other FreeBSD mailing list) at the moment.

Eivind.
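
As an added example that is not part of the original message or of FreeBSD's own scripts: a small sh check that reports which of the three override lines above an existing rc.conf would still need after the defaults change. The function names, the sample file contents and the choice to treat an unset variable as NO are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Files are passed as absolute paths.
DAEMON_VARS="inetd_enable portmap_enable sendmail_enable"

# effective_value VAR DEFAULTS RCCONF
# Source the defaults, then rc.conf, so that rc.conf wins, and print VAR.
# Treating an unset variable as NO is this example's assumption.
effective_value() {
    (
        if [ -r "$2" ]; then . "$2"; fi
        if [ -r "$3" ]; then . "$3"; fi
        eval "printf '%s\n' \"\${$1:-NO}\""
    )
}

# is_set_in VAR FILE: true if FILE assigns VAR on an uncommented line.
is_set_in() {
    grep -Eq "^[[:space:]]*$1=" "$2" 2>/dev/null
}

# missing_overrides DEFAULTS RCCONF
# Print the lines an admin would add to keep the former setup: variables that
# rc.conf does not set and that the defaults leave at something other than YES.
missing_overrides() {
    for var in $DAEMON_VARS; do
        is_set_in "$var" "$2" && continue
        case "$(effective_value "$var" "$1" "$2")" in
            [Yy][Ee][Ss]) ;;
            *) printf '%s="YES"\n' "$var" ;;
        esac
    done
}

# Constructed sample files: defaults with the daemons off, and an existing
# rc.conf that sets only sendmail_enable (its inetd line is commented out).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'inetd_enable="NO"' 'portmap_enable="NO"' \
        'sendmail_enable="NO"' > "$dir/defaults_rc.conf"
    printf '%s\n' 'hostname="example.invalid"' '#inetd_enable="YES"' \
        'sendmail_enable="YES"' > "$dir/rc.conf"
    missing_overrides "$dir/defaults_rc.conf" "$dir/rc.conf"
    rm -rf "$dir"
}
demo
```

Because both files are sourced, run it only against configuration files you would already trust the rc scripts to read.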





Re: *** HEADS UP *** rc.conf changes (security)

2000-07-28 Thread Garance A Drosihn

At 12:41 AM +0200 7/29/00, Eivind Eklund wrote:
> After discussion with obrien, jhb, and dwithe (and non-protests from
> the other committers present), I'm changing the defaults for remote
> services in /etc/defaults/rc.conf to the least dangerous
> configuration, and making sysinstall write out overrides for the
> variables to their former default values in /etc/rc.conf upon install.

Hopefully sysinstall will be smarter about writing these overrides
than it is about writing the "USA_RESIDENT=NO" override to /etc/make.conf.


---
Garance Alistair Drosehn   =   [EMAIL PROTECTED]
Senior Systems Programmer  or  [EMAIL PROTECTED]
Rensselaer Polytechnic Institute





Re: *** HEADS UP *** rc.conf changes (security)

2000-07-28 Thread John Baldwin

Garance A Drosihn wrote:
> At 12:41 AM +0200 7/29/00, Eivind Eklund wrote:
> > After discussion with obrien, jhb, and dwithe (and non-protests from
> > the other committers present), I'm changing the defaults for remote
> > services in /etc/defaults/rc.conf to the least dangerous
> > configuration, and making sysinstall write out overrides for the
> > variables to their former default values in /etc/rc.conf upon install.
>
> Hopefully sysinstall will be smarter about writing these overrides
> than it is about writing the "USA_RESIDENT=NO" override to /etc/make.conf.

It is.  It only writes these variables out when it creates an /etc/rc.conf
file from scratch because one doesn't exist.  Normally this only happens
during the install.

-- 

John Baldwin [EMAIL PROTECTED] -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.cslab.vt.edu/~jobaldwi/pgpkey.asc
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/





Re: *** HEADS UP *** rc.conf changes (security)

2000-07-28 Thread Doug Barton

Eivind Eklund wrote:

> This change might seem a little counterintuitive (given that
> /etc/defaults/ are for defaults, after all) but seems to be the best
> compromise for both getting the functionality jkh wants (freshly
> installed boxes have active daemons, so users don't feel they have a
> lot of extra hassle to get things up and working like they are used to
> on other Unixen), and give FreeBSD a default secure config, meaning
> the insecurities stand out.

FWIW, I totally support this change. Personally, I think the default for
everything should be "off," and the admin should be required to enable the
services he needs. Eivind, it's good to see you, even semi-active. :)

Doug

