On Sat, 2005-06-25 at 01:50, Denis Solovyov wrote: > No any problems. Just want to control all config files by myself, not by > updater. After linux installation admin usually inspects all config > files in /etc and if they are suitable he leaves them unmodified. > Unmodified config means proper config.
I would say an unmodified configuration file is an UNUSED configuration file. Even if the default configuration is proper, it would be wise to add a comment to it saying it was reviewed by who on what date, and no changes were necessary. Nevertheless, configurations often go with the version of the software being installed. If there have been no changes to the configuration file for version 1, then it stands to reason that the new default for version 2 is also acceptable -- AND fully compatible with version 2, which version 1 may not be. Sometimes, a security upgrade could ONLY be a change of a default value in a configuration file. Consider the options UsePrivilegeSeparation or X11Forwarding in /etc/ssh/sshd_config. If you never changed these options (and thus the file), you most likely don't care what they are set to, and someone else, who presumably knows more about the software or security than you do, thought it wise to change the default -- you didn't care and your system ended up more secure as a result of the upgrade. If you have customized those options, and an .rpmnew file is created, you know you need to merge changes. If you have not customized, then an alteration in how the software works from what you are expected/customized to is a tipoff that something changed (most likely for the better). So while you have been relying on X11Forwarding defaulting on on, and now it's off after a default change because of the upgrade, there's no better time to learn about the -X option. And you're now aware of the security implications (or at least given the chance to learn about them). (although the openssh config files may be a bad example; I can never remember if the commented out portions are the defaults (and that's why they are commented out, as it is unnecessary to set a value to it's default) or if you want to change the default you just uncomment the line (so the commented out values are the inverse of the defaults, so it's easy to change). additionally, if the openssh team determined that UsePrivilegeSeparation should default to on, will they change the code to change the built-in default or just change the suggested value of the configuration file?) > So, dear swup, please make > *.rpmnew for me and do not touch configs which I've already inspected! Using actual file CONTENT (through a hash value) to determine if a file's CONTENT has changed is the only reliable way to determine if the content has changed (this seems, uh, obvious). As such, change the content to mark that you've "inspected" it. > Just as an option maybe. And I will decice by myself later if I need to > change one default to another. :-) You can do that now if you mark the configuration file as "customized" or "acceptable" by changing the content. I think the current method is a reasonable default that fits 99% of the cases. _______________________________________________ tsl-discuss mailing list [email protected] http://lists.trustix.org/mailman/listinfo/tsl-discuss
