Quoth Rainer Heilke on Fri, Mar 17, 2006 at 08:22:43AM -0800:
> If I can jump in here (and I'm sure someone will correct me if I'm
> wrong), Solaris 10 is meant to be more secure out of the box. That
> "out of the box" implies the default operating mode, which is
> multi-user. So, at the multi-user milestone, leave insecure services
> like telnetd and ftpd off. The "all" milestone, to me, means exactly
> that. When I go to milestone "all", I want *everything* to run (for
> whatever reason), and security is now taking second-seat to
> accessibility and functionality.

That's not how it works. svcadm milestone functionality exists to implement the Solaris 9 notion of runlevels. If an administrator doesn't want ftpd to run for security reasons, then he should disable the ftp service, in which case it won't run with any svcadm milestone setting.

Making most services disabled out-of-the-box is the goal of a different project. It doesn't seem to be public, but it should hit Nevada soon.

> By booting to multi-user and running the svcadm enable <fmri>, you are
> adding that service to the multi-user milestone. Next time you boot up
> to multi-user, that service will get started again.

That's not true. The only way to make services run in svcadm milestone settings other than "all" is by making the milestone service in question depend on the service, directly or indirectly.

> Just to be clear, just because a service doesn't have any dependencies
> does NOT mean that you want to just go ahead and have the service
> running. Just because it is warm outside doesn't mean you want the
> front door left wide open when you're in the back yard.

Right. Whether you enabled the service means that you want to have the service running. The dependencies just control when it starts.

David
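
Added example, not part of the original message: a simplified Python model of the rule the reply describes, in which a service runs only if it is enabled and the milestone setting reaches it through dependencies. The service names, the dependency graph and the helper functions are constructed for illustration and are not the real Solaris dependency tree or SMF code.

```python
# Simplified model of SMF milestone selection. The graph is constructed for
# illustration; it is not the real Solaris dependency tree.
DEPENDS_ON = {  # service -> services it depends on
    "milestone/single-user": ["system/filesystem"],
    "milestone/multi-user": ["milestone/single-user", "system/cron"],
    "milestone/multi-user-server": ["milestone/multi-user", "network/ssh"],
    "system/filesystem": [],
    "system/cron": ["system/filesystem"],
    "network/ssh": [],
    "network/ftp": [],     # no milestone depends on ftp
    "network/telnet": [],  # no milestone depends on telnet
}

def milestone_subgraph(milestone, depends_on=DEPENDS_ON):
    """The milestone plus everything it depends on, directly or indirectly."""
    seen, stack = set(), [milestone]
    while stack:
        svc = stack.pop()
        if svc not in seen:
            seen.add(svc)
            stack.extend(depends_on.get(svc, []))
    return seen

def running(milestone, enabled, depends_on=DEPENDS_ON):
    """Services that run under the given milestone setting in this model."""
    allowed = set(depends_on) if milestone == "all" \
        else milestone_subgraph(milestone, depends_on)
    # A service runs only if it is enabled AND the milestone setting allows it.
    return allowed & set(enabled)

def with_dependency(service, dependency, depends_on=DEPENDS_ON):
    """Copy of the graph in which `service` also depends on `dependency`."""
    graph = {svc: list(deps) for svc, deps in depends_on.items()}
    graph[service].append(dependency)
    return graph

if __name__ == "__main__":
    enabled = set(DEPENDS_ON) - {"network/telnet"}   # ftp enabled, telnet disabled
    mu = "milestone/multi-user"
    # Enabling ftp does not add it to the multi-user milestone.
    print("ftp under multi-user:", "network/ftp" in running(mu, enabled))
    # Under "all", every enabled service runs; disabled telnet still does not.
    print("under all:", sorted(running("all", enabled)))
    # Only a dependency from the milestone pulls ftp into that setting.
    graph = with_dependency(mu, "network/ftp")
    print("ftp after adding dependency:", "network/ftp" in running(mu, enabled, graph))
```
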