> Quoth Rainer Heilke on Fri, Mar 17, 2006 at 08:22:43AM -0800:
> > If I can jump in here (and I'm sure someone will correct me if I'm
> > wrong), Solaris 10 is meant to be more secure out of the box. That
> > "out of the box" implies the default operating mode, which is
> > multi-user. So, at the multi-user milestone, leave insecure services
> > like telnetd and ftpd off. The "all" milestone, to me, means exactly
> > that. When I go to milestone "all", I want *everything* to run (for
> > whatever reason), and security is now taking second-seat to
> > accessibility and functionality.
>
> That's not how it works. svcadm milestone functionality exists to
> implement the Solaris 9 notion of runlevels.

OK, I knew that milestones were meant to "emulate" (not a great word, I know) the old run levels concept, but maybe that didn't come out clear in my post. Sorry. I was trying to address the various services at each run level. See below.

> If an administrator doesn't want ftpd to run for security reasons, then
> he should use disable the ftp service, in which case it won't run with
> any svcadm milestone setting.
>
> Making most services disabled out-of-the-box is the goal of a different
> project. It doesn't seem to be public, but it should hit Nevada soon.

Odd. I seem to remember reading that, by default, 10 was going to have a number of the "insecure" services turned off. Either I misread, or my memory is worse than I thought. My apologies. Maybe the item was just referring to the extra security features rolled in, like access to ipfilters and such?

> > By booting to multi-user and running the svcadm enable <fmri>, you are
> > adding that service to the multi-user milestone. Next time you boot up
> > to multi-user, that service will get started again.
>
> That's not true. The only way to make services run in svcadm milestone
> settings other than "all" is by making the milestone service in question
> depend on the service, directly or indirectly.

I think I may have phrased my comment badly, making it sound like I had it backwards. In order to add a service to a milestone, that milestone must now be dependent on the service. (Not the other way around, where the service depends on the milestone. Is that more accurate?)

> David

See, I knew someone could correct me! :-) Thanks, David.

Rainer

This message posted from opensolaris.org