Date: Mon, 14 Jan 2019 11:59:51 +1100 From: matthew green <m...@eterna.com.au> Message-ID: <10889.1547427...@splode.eterna.com.au>
| i don't agree with this. | | if we were going to make things easy for naive users I didn't say "easy" for naive users, I said "most useful". That might mean "suitably secure" rather than "simply works" and is a different discussion. One possibility here, might be to make configuration classes, like "laptop" "workstation" "server" (whatever we want) and have different default configurations for different system types, so while I certainly wouldn't let non-root be configuring my servers in any way at all, I don't really want to be root in order to configure my laptop (at least to decide which wireless SSID it should connect to, or when wireless should be disabled when I am on a plane). We could also have different security levels, "locked down", "adequate", "better than nothing", and "absent" and have different default configurations for those as well. And then it would be easy for sysint to ask the user which type of system this is (it would often be able to intuit a reasonable default from the config) and what level of security they want, and set those at the the same time it is setting rc_configured=YES. Aside from working out exactly what the values for the various configs should be for whatever different modes we create, all of this is trivial. kre