authorjkh <jkh@FreeBSD.org>2000-09-22 19:12:41 +0000
committerjkh <jkh@FreeBSD.org>2000-09-22 19:12:41 +0000
commit1d5791834188f4872379d9f3af9934ae88455a9c (patch)
tree7d3037e28744bff5587f32726ae4a3a814c0e84c
parent067fa527a356f7771212aad77f42e4444d578a2a (diff)
One whack at the idea of having "security profiles" which select the
appropriate(?) defaults for "low", "medium" and "high" security environments. Medium is basically what we currently have with a little seat-belt tightening where it made sense. Low is the same as medium but without the tightening. High is positively fascist with nothing turned on by default and an automatic call to 911 if it can find a modem.
-rw-r--r--release/sysinstall/config.c93
-rw-r--r--release/sysinstall/dispatch.c1
-rw-r--r--release/sysinstall/dist.c50
-rw-r--r--release/sysinstall/install.c15
-rw-r--r--release/sysinstall/menus.c244
-rw-r--r--release/sysinstall/sysinstall.h7
-rw-r--r--usr.sbin/sade/config.c93
-rw-r--r--usr.sbin/sade/dispatch.c1
-rw-r--r--usr.sbin/sade/install.c15
-rw-r--r--usr.sbin/sade/menus.c244
-rw-r--r--usr.sbin/sade/sade.h7
-rw-r--r--usr.sbin/sysinstall/config.c93
-rw-r--r--usr.sbin/sysinstall/dispatch.c1
-rw-r--r--usr.sbin/sysinstall/dist.c50
-rw-r--r--usr.sbin/sysinstall/install.c15
-rw-r--r--usr.sbin/sysinstall/menus.c244
-rw-r--r--usr.sbin/sysinstall/sysinstall.h7
17 files changed, 685 insertions, 495 deletions
diff --git a/release/sysinstall/config.c b/release/sysinstall/config.c
index 8ce295b..cf37e94 100644
--- a/release/sysinstall/config.c
+++ b/release/sysinstall/config.c
@@ -388,10 +388,6 @@ configRC_conf(void)
fprintf(rcSite, "# This file now contains just the overrides from /etc/defaults/rc.conf\n");
fprintf(rcSite, "# please make all changes to this file.\n\n");
fprintf(rcSite, "# Enable network daemons for user convenience.\n");
- fprintf(rcSite, "inetd_enable=\"YES\"\n");
- fprintf(rcSite, "portmap_enable=\"YES\"\n");
- fprintf(rcSite, "sendmail_enable=\"YES\"\n");
- fprintf(rcSite, "sshd_enable=\"YES\"\n");
}
/* Now do variable substitutions */
@@ -470,6 +466,95 @@ configLinux(dialogMenuItem *self)
return i;
}
+int
+configSecurityProfile(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ dialog_clear_norefresh();
+ dmenuOpenSimple(&MenuSecurityProfile, FALSE);
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+/* Use the most fascist security settings */
+int
+configSecurityFascist(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "NO", 1);
+ variable_set2("portmap_enable", "NO", 1);
+ variable_set2("sendmail_enable", "NO", 1);
+ variable_set2("sshd_enable", "NO", 1);
+ variable_set2("nfs_server_enable", "NO", 1);
+ variable_set2("kern_securelevel_enable", "YES", 1);
+ variable_set2("kern_securelevel", "2", 1);
+ /* More fascist stuff should go here */
+
+ msgConfirm("High security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been DISABLED by default.\n\n"
+ "PLEASE NOTE that this still does not save you from having\n"
+ "to properly secure your system in other ways or exercise\n"
+ "due diligence in your administration, this simply picks\n"
+ "a more secure set of out-of-box defaults to start with.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+int
+configSecurityModerate(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "YES", 1);
+ if (!variable_cmp("nfs_client_enable", "YES") ||
+ !variable_cmp("nfs_server_enable", "YES"))
+ variable_set2("portmap_enable", "YES", 1);
+ if (!variable_cmp("nfs_server_enable", "YES"))
+ variable_set2("nfs_reserved_port_only", "YES", 1);
+ variable_set2("sendmail_enable", "YES", 1);
+ variable_set2("sshd_enable", "YES", 1);
+
+ msgConfirm("Moderate security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been enabled by default\n"
+ "for a comfortable user experience but with possible\n"
+ "trade-offs in system security. If this bothers you and\n"
+ "you know exactly what you are doing, select the high\n"
+ "high security profile instead.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+int
+configSecurityLiberal(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "YES", 1);
+ variable_set2("portmap_enable", "YES", 1);
+ variable_set2("sendmail_enable", "YES", 1);
+ variable_set2("sshd_enable", "YES", 1);
+
+ msgConfirm("Liberal security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been enabled by default\n"
+ "for the most comfortable user experience but with possible\n"
+ "trade-offs in system security. If this bothers you, select\n"
+ "the medium security profile or, if you know exactly what you\n"
+ "are doing, the high security profile instead.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
static void
write_root_xprofile(char *str)
{
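Review bot: The profile setters do not undo one another: configSecurityFascist sets `kern_securelevel_enable` and `kern_securelevel`, which configSecurityModerate and configSecurityLiberal never touch, and configSecurityModerate only ever sets `portmap_enable` to "YES". A user who tries High or Low and then settles on Medium therefore keeps the earlier profile's values for those knobs. Each profile should assign every knob it owns, e.g. `variable_set2("kern_securelevel_enable", "NO", 1);` in the Medium and Low setters and an `else variable_set2("portmap_enable", "NO", 1);` on the portmap test in configSecurityModerate. The Medium confirmation text also reads "select the high\nhigh security profile", so the repeated word should go. The same code is added in usr.sbin/sade/config.c.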
diff --git a/release/sysinstall/dispatch.c b/release/sysinstall/dispatch.c
index 0b388b4..cd64bf0 100644
--- a/release/sysinstall/dispatch.c
+++ b/release/sysinstall/dispatch.c
@@ -73,7 +73,6 @@ static struct _word {
{ "distSetXUser", distSetXUser },
{ "distSetMinimum", distSetMinimum },
{ "distSetEverything", distSetEverything },
- { "distSetCRYPTO", distSetCRYPTO },
{ "distSetSrc", distSetSrc },
{ "distSetXF86", distSetXF86 },
{ "distExtractAll", distExtractAll },
diff --git a/release/sysinstall/dist.c b/release/sysinstall/dist.c
index 61974c8d..e70f446 100644
--- a/release/sysinstall/dist.c
+++ b/release/sysinstall/dist.c
@@ -197,7 +197,6 @@ static Distribution XF86FontDistTable[] = {
{ NULL },
};
-static int distMaybeSetCRYPTO(dialogMenuItem *self);
static int distMaybeSetPorts(dialogMenuItem *self);
static void
@@ -211,7 +210,7 @@ distVerifyFlags(void)
Dists |= DIST_CRYPTO;
}
else if ((Dists & DIST_CRYPTO) && !CRYPTODists)
- CRYPTODists |= DIST_CRYPTO_CRYPTO;
+ CRYPTODists |= DIST_CRYPTO_ALL;
if (XF86Dists & DIST_XF86_SET)
XF86ServerDists |= DIST_XF86_SERVER_VGA16;
if (XF86ServerDists)
@@ -291,7 +290,9 @@ distSetDeveloper(dialogMenuItem *self)
distReset(NULL);
Dists = _DIST_DEVELOPER;
SrcDists = DIST_SRC_ALL;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ CRYPTODists |= (DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
@@ -315,7 +316,7 @@ distSetKernDeveloper(dialogMenuItem *self)
distReset(NULL);
Dists = _DIST_DEVELOPER;
SrcDists = DIST_SRC_SYS;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
@@ -338,7 +339,7 @@ distSetUser(dialogMenuItem *self)
distReset(NULL);
Dists = _DIST_USER;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
@@ -369,50 +370,15 @@ distSetEverything(dialogMenuItem *self)
Dists = DIST_ALL | DIST_XF86;
SrcDists = DIST_SRC_ALL;
+ CRYPTODists = DIST_CRYPTO_ALL;
XF86Dists = DIST_XF86_ALL;
XF86ServerDists = DIST_XF86_SERVER_ALL;
XF86FontDists = DIST_XF86_FONTS_ALL;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
-int
-distSetCRYPTO(dialogMenuItem *self)
-{
- int i;
-
- dialog_clear_norefresh();
- if (!dmenuOpenSimple(&MenuCRYPTODistributions, FALSE))
- i = DITEM_FAILURE;
- else
- i = DITEM_SUCCESS;
- distVerifyFlags();
- return i | DITEM_REDRAW | DITEM_RESTORE;
-}
-
-static int
-distMaybeSetCRYPTO(dialogMenuItem *self)
-{
- int i = DITEM_SUCCESS | DITEM_REDRAW;
-
- dialog_clear_norefresh();
- if (!msgYesNo("Do you wish to install cryptographic software?\n\n"
- "If you choose No, FreeBSD will use an MD5-based password scheme which,\n"
- "while more secure, is not interoperable with the traditional\n"
- "DES-based passwords used on other Unix systems.\n\n"
- "Note that the international crypto distribution has a better\n"
- "implementation of the RSA algorithm, which is patented in the U.S.\n"
- "If you are in the USA, use crypto + the rsaref port/package\n.")) {
- if (!dmenuOpenSimple(&MenuCRYPTODistributions, FALSE))
- i = DITEM_FAILURE;
- }
-
- dialog_clear_norefresh();
- distVerifyFlags();
- return i | DITEM_REDRAW | DITEM_RESTORE;
-}
-
static int
distMaybeSetPorts(dialogMenuItem *self)
{
diff --git a/release/sysinstall/install.c b/release/sysinstall/install.c
index 67399ca..cc53f3e 100644
--- a/release/sysinstall/install.c
+++ b/release/sysinstall/install.c
@@ -472,6 +472,9 @@ installExpress(dialogMenuItem *self)
if (DITEM_STATUS((i = installCommit(self))) == DITEM_SUCCESS) {
i |= DITEM_LEAVE_MENU;
+ /* Set default security level */
+ configSecurityModerate(self);
+
/* Give user the option of one last configuration spree */
installConfigure();
}
@@ -560,10 +563,12 @@ nodisks:
"between interfaces)?"))
variable_set2("gateway_enable", "YES", 1);
+ dialog_clear_norefresh();
if (msgYesNo("Do you want to grant only normal users FTP access to this\n"
"host (e.g. no anonymous FTP connections)?"))
configAnonFTP(self);
+ dialog_clear_norefresh();
if (!msgYesNo("Do you want to configure this machine as an NFS server?"))
configNFSServer(self);
@@ -571,6 +576,13 @@ nodisks:
if (!msgYesNo("Do you want to configure this machine as an NFS client?"))
variable_set2("nfs_client_enable", "YES", 1);
+ if (msgYesNo("Do you want to select a default security profile for\n"
+ "this host (\"medium\" security being the default)?"))
+ configSecurityProfile(self);
+ else
+ configSecurityModerate(self);
+
+ dialog_clear_norefresh();
if (!msgYesNo("Would you like to customize your system console settings?"))
dmenuOpenSimple(&MenuSyscons, FALSE);
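Review bot: The new security-profile prompt tests `if (msgYesNo(...))` without the negation, while the NFS prompts in the same hunk use `if (!msgYesNo(...))` to act on a Yes answer. As written, answering Yes appears to take the `else` branch and apply configSecurityModerate, and answering No opens the profile menu. If msgYesNo returns 0 for Yes, as those neighbouring calls suggest, the test should start `if (!msgYesNo("Do you want to select a default security profile for\n"`. The enclosing function begins and ends outside the hunk, and the same lines are added in usr.sbin/sade/install.c.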
@@ -632,6 +644,9 @@ installCustomCommit(dialogMenuItem *self)
i = installCommit(self);
if (DITEM_STATUS(i) == DITEM_SUCCESS) {
+ /* Set default security level */
+ configSecurityModerate(self);
+
/* Give user the option of one last configuration spree */
installConfigure();
return i;
diff --git a/release/sysinstall/menus.c b/release/sysinstall/menus.c
index eee9959..b07008d 100644
--- a/release/sysinstall/menus.c
+++ b/release/sysinstall/menus.c
@@ -42,6 +42,8 @@ setSrc(dialogMenuItem *self)
{
Dists |= DIST_SRC;
SrcDists = DIST_SRC_ALL;
+ CRYPTODists |= (DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
return DITEM_SUCCESS | DITEM_REDRAW;
}
@@ -50,22 +52,8 @@ clearSrc(dialogMenuItem *self)
{
Dists &= ~DIST_SRC;
SrcDists = 0;
- return DITEM_SUCCESS | DITEM_REDRAW;
-}
-
-static int
-setCRYPTO(dialogMenuItem *self)
-{
- Dists |= DIST_CRYPTO;
- CRYPTODists = DIST_CRYPTO_ALL;
- return DITEM_SUCCESS | DITEM_REDRAW;
-}
-
-static int
-clearCRYPTO(dialogMenuItem *self)
-{
- Dists &= ~DIST_CRYPTO;
- CRYPTODists = 0;
+ CRYPTODists &= ~(DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
return DITEM_SUCCESS | DITEM_REDRAW;
}
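Review bot: clearSrc now clears the crypto source bits from CRYPTODists but leaves `DIST_CRYPTO` set in Dists, while the distVerifyFlags hunk in dist.c responds to `(Dists & DIST_CRYPTO) && !CRYPTODists` with `CRYPTODists |= DIST_CRYPTO_ALL`. If setSrc was the only thing that selected crypto, a later reset could end with every crypto distribution selected instead of none. This assumes the part of distVerifyFlags outside the hunk sets DIST_CRYPTO whenever CRYPTODists is non-zero. Dropping the umbrella flag when nothing is left avoids it: `if (!CRYPTODists) Dists &= ~DIST_CRYPTO;` before the return.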
@@ -121,10 +109,10 @@ clearX11Fonts(dialogMenuItem *self)
#define _IS_SET(dist, set) (((dist) & (set)) == (set))
#define IS_DEVELOPER(dist, extra) (_IS_SET(dist, _DIST_DEVELOPER | extra) || \
- _IS_SET(dist, _DIST_DEVELOPER | DIST_CRYPTO | extra))
+ _IS_SET(dist, _DIST_DEVELOPER | extra))
#define IS_USER(dist, extra) (_IS_SET(dist, _DIST_USER | extra) || \
- _IS_SET(dist, _DIST_USER | DIST_CRYPTO | extra))
+ _IS_SET(dist, _DIST_USER | extra))
static int
checkDistDeveloper(dialogMenuItem *self)
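Review bot: After this change both operands of `||` in IS_DEVELOPER and IS_USER are the same expression, so the second test is dead code. The macros reduce to `#define IS_DEVELOPER(dist, extra) _IS_SET(dist, _DIST_DEVELOPER | (extra))`, and likewise for IS_USER with `_DIST_USER`. Parenthesising `extra` at the same time keeps an argument containing a lower-precedence operator from regrouping inside the expansion.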
@@ -171,19 +159,14 @@ checkDistMinimum(dialogMenuItem *self)
static int
checkDistEverything(dialogMenuItem *self)
{
- return Dists == DIST_ALL && _IS_SET(SrcDists, DIST_SRC_ALL) && \
+ return Dists == DIST_ALL && CRYPTODists == DIST_CRYPTO_ALL && \
+ _IS_SET(SrcDists, DIST_SRC_ALL) && \
_IS_SET(XF86Dists, DIST_XF86_ALL) && \
_IS_SET(XF86ServerDists, DIST_XF86_SERVER_ALL) && \
_IS_SET(XF86FontDists, DIST_XF86_FONTS_ALL);
}
static int
-CRYPTOFlagCheck(dialogMenuItem *item)
-{
- return CRYPTODists;
-}
-
-static int
srcFlagCheck(dialogMenuItem *item)
{
return SrcDists;
@@ -225,7 +208,6 @@ DMenu MenuIndex = {
{ " Disklabel", "The disk Label editor", NULL, diskLabelEditor },
{ " Dists, All", "Root of the distribution tree.", NULL, dmenuSubmenu, NULL, &MenuDistributions },
{ " Dists, Basic", "Basic FreeBSD distribution menu.", NULL, dmenuSubmenu, NULL, &MenuSubDistributions },
- { " Dists, CRYPTO", "Encryption distribution menu.", NULL, dmenuSubmenu, NULL, &MenuCRYPTODistributions },
{ " Dists, Developer", "Select developer's distribution.", checkDistDeveloper, distSetDeveloper },
{ " Dists, Src", "Src distribution menu.", NULL, dmenuSubmenu, NULL, &MenuSrcDistributions },
{ " Dists, X Developer", "Select X developer's distribution.", checkDistXDeveloper, distSetXDeveloper },
@@ -275,6 +257,7 @@ DMenu MenuIndex = {
{ " PCNFSD", "Run authentication server for PC-NFS.", dmenuVarCheck, configPCNFSD, NULL, "pcnfsd" },
{ " Root Password", "Set the system manager's password.", NULL, dmenuSystemCommand, NULL, "passwd root" },
{ " Router", "Select routing daemon (default: routed)", NULL, configRouter, NULL, "router_enable" },
+ { " Security", "Select a default system security profile.", NULL, dmenuSubmenu, NULL, &MenuSecurityProfile },
{ " Syscons", "The system console configuration menu.", NULL, dmenuSubmenu, NULL, &MenuSyscons },
{ " Syscons, Font", "The console screen font.", NULL, dmenuSubmenu, NULL, &MenuSysconsFont },
{ " Syscons, Keymap", "The console keymap configuration menu.", NULL, dmenuSubmenu, NULL, &MenuSysconsKeymap },
@@ -425,70 +408,6 @@ DMenu MenuMouse = {
{ NULL } },
};
-DMenu MenuXF86Config = {
- DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
- "Please select the XFree86 configuration tool you want to use.",
-#ifdef __alpha__
- "Due to problems with the VGA16 server right now, only the\n"
- "text-mode configuration tool (xf86config) is currently supported.",
-#else
- "The first tool, XF86Setup, is fully graphical and requires the\n"
- "VGA16 server in order to work (should have been selected by\n"
- "default, but if you de-selected it then you won't be able to\n"
- "use this fancy setup tool). The second tool, xf86config, is\n"
- "a more simplistic shell-script based tool and less friendly to\n"
- "new users, but it may work in situations where the fancier one\n"
- "does not.",
-#endif
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- NULL, dmenuExit },
-#ifdef __alpha__
- { "2 xf86config", "Shell-script based XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
-#else
- { "2 XF86Setup", "Fully graphical XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF86Setup" },
- { "3 xf86config", "Shell-script based XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
- { "4 XF98Setup", "Fully graphical XFree86 configuration tool (PC98).",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF98Setup" },
-#endif
- { "D XDesktop", "X already set up, just do desktop configuration.",
- NULL, dmenuSubmenu, NULL, &MenuXDesktops },
- { NULL } },
-};
-
-DMenu MenuXDesktops = {
- DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
- "Please select the default X desktop to use.",
- "By default, XFree86 comes with a fairly vanilla desktop which\n"
- "is based around the twm(1) window manager and does not offer\n"
- "much in the way of features. It does have the advantage of\n"
- "being a standard part of X so you don't need to load anything\n"
- "extra in order to use it. If, however, you have access to a\n"
- "reasonably full packages collection on your installation media,\n"
- "you can choose any one of the following desktops as alternatives.",
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- NULL, dmenuExit },
- { "2 KDE", "The K Desktop Environment.",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=kde" },
- { "3 GNOME + Afterstep", "GNOME + Afterstep window manager.",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=gnome" },
- { "4 GNOME + Enlightenment","GNOME + The E window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=enlightenment" },
- { "5 Afterstep", "The Afterstep window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=afterstep" },
- { "6 Windowmaker", "The Windowmaker window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=windowmaker" },
- { "7 fvwm2", "The fvwm2 window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=fvwm2" },
- { NULL } },
-};
-
DMenu MenuMediaCDROM = {
DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
"Choose a CDROM type",
@@ -844,8 +763,17 @@ DMenu MenuSubDistributions = {
dmenuFlagCheck, dmenuSetFlag, NULL, &Dists, '[', 'X', ']', DIST_COMPAT3X },
#endif
#endif
- { " CRYPTO", "Encryption code - NOT FOR EXPORT!",
- CRYPTOFlagCheck,distSetCRYPTO },
+ { " crypto", "Basic encryption services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_CRYPTO, },
+#if __FreeBSD__ <= 3
+ { " krb", "KerberosIV authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS },
+#else
+ { " krb4", "KerberosIV authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS4 },
+ { " krb5", "Kerberos5 authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS5 },
+#endif
{ " dict", "Spelling checker dictionary files",
dmenuFlagCheck, dmenuSetFlag, NULL, &Dists, '[', 'X', ']', DIST_DICT },
{ " doc", "Miscellaneous FreeBSD online docs",
@@ -871,43 +799,6 @@ DMenu MenuSubDistributions = {
{ NULL } },
};
-DMenu MenuCRYPTODistributions = {
- DMENU_CHECKLIST_TYPE | DMENU_SELECTION_RETURNS,
- "Select the encryption facilities you wish to install.",
- "Please check off any special encryption distributions\n"
- "you would like to install. Please note that these services are NOT FOR\n"
- "EXPORT from the United States. For information on non-U.S. FTP\n"
- "distributions of this software, please consult the release notes.",
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- checkTrue, dmenuExit, NULL, NULL, '<', '<', '<' },
- { "All", "Select all of the below",
- NULL, setCRYPTO, NULL, NULL, ' ', ' ', ' ' },
- { "Reset", "Reset all of the below",
- NULL, clearCRYPTO, NULL, NULL, ' ', ' ', ' ' },
- { " crypto", "Basic encryption services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_CRYPTO, },
-#if __FreeBSD__ <= 3
- { " krb", "KerberosIV authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS },
-#else
- { " krb4", "KerberosIV authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS4 },
- { " krb5", "Kerberos5 authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS5 },
-#endif
- { " skrb4", "Sources for KerberosIV",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS4 },
- { " skrb5", "Sources for Kerberos5",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS5 },
- { " ssecure", "BSD encryption sources",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SSECURE },
- { " scrypto", "Contributed encryption sources",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SCRYPTO },
- { NULL } },
-};
-
DMenu MenuSrcDistributions = {
DMENU_CHECKLIST_TYPE | DMENU_SELECTION_RETURNS,
"Select the sub-components of src you wish to install.",
@@ -943,8 +834,16 @@ DMenu MenuSrcDistributions = {
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_BIN },
{ " sbin", "/usr/src/sbin (system binaries)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SBIN },
+ { " scrypto", "/usr/src/crypto (contrib encryption sources)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SCRYPTO },
{ " share", "/usr/src/share (documents and shared files)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SHARE },
+ { " skrb4", "/usr/src/kerberosIV (sources for KerberosIV)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS4 },
+ { " skrb5", "/usr/src/kerberos5 (sources for Kerberos5)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS5 },
+ { " ssecure", "/usr/src/secure (BSD encryption sources)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SSECURE },
{ " sys", "/usr/src/sys (FreeBSD kernel)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SYS },
{ " tools", "/usr/src/tools (miscellaneous tools)",
@@ -956,6 +855,70 @@ DMenu MenuSrcDistributions = {
{ NULL } },
};
+DMenu MenuXF86Config = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Please select the XFree86 configuration tool you want to use.",
+#ifdef __alpha__
+ "Due to problems with the VGA16 server right now, only the\n"
+ "text-mode configuration tool (xf86config) is currently supported.",
+#else
+ "The first tool, XF86Setup, is fully graphical and requires the\n"
+ "VGA16 server in order to work (should have been selected by\n"
+ "default, but if you de-selected it then you won't be able to\n"
+ "use this fancy setup tool). The second tool, xf86config, is\n"
+ "a more simplistic shell-script based tool and less friendly to\n"
+ "new users, but it may work in situations where the fancier one\n"
+ "does not.",
+#endif
+ NULL,
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)",
+ NULL, dmenuExit },
+#ifdef __alpha__
+ { "2 xf86config", "Shell-script based XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
+#else
+ { "2 XF86Setup", "Fully graphical XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF86Setup" },
+ { "3 xf86config", "Shell-script based XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
+ { "4 XF98Setup", "Fully graphical XFree86 configuration tool (PC98).",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF98Setup" },
+#endif
+ { "D XDesktop", "X already set up, just do desktop configuration.",
+ NULL, dmenuSubmenu, NULL, &MenuXDesktops },
+ { NULL } },
+};
+
+DMenu MenuXDesktops = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Please select the default X desktop to use.",
+ "By default, XFree86 comes with a fairly vanilla desktop which\n"
+ "is based around the twm(1) window manager and does not offer\n"
+ "much in the way of features. It does have the advantage of\n"
+ "being a standard part of X so you don't need to load anything\n"
+ "extra in order to use it. If, however, you have access to a\n"
+ "reasonably full packages collection on your installation media,\n"
+ "you can choose any one of the following desktops as alternatives.",
+ NULL,
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)",
+ NULL, dmenuExit },
+ { "2 KDE", "The K Desktop Environment.",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=kde" },
+ { "3 GNOME + Afterstep", "GNOME + Afterstep window manager.",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=gnome" },
+ { "4 GNOME + Enlightenment","GNOME + The E window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=enlightenment" },
+ { "5 Afterstep", "The Afterstep window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=afterstep" },
+ { "6 Windowmaker", "The Windowmaker window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=windowmaker" },
+ { "7 fvwm2", "The fvwm2 window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=fvwm2" },
+ { NULL } },
+};
+
DMenu MenuXF86Select = {
DMENU_NORMAL_TYPE,
"XFree86 3.3.6 Distribution",
@@ -1254,6 +1217,8 @@ DMenu MenuConfigure = {
NULL, dmenuSubmenu, NULL, &MenuMouse, NULL },
{ " Networking", "Configure additional network services",
NULL, dmenuSubmenu, NULL, &MenuNetworking },
+ { " Security", "Select default system security profile",
+ NULL, dmenuSubmenu, NULL, &MenuSecurityProfile },
{ " Startup", "Configure system startup options",
NULL, dmenuSubmenu, NULL, &MenuStartup },
{ " Options", "View/Set various installation options",
@@ -1340,6 +1305,8 @@ DMenu MenuNetworking = {
dmenuVarCheck, configAnonFTP, NULL, "anon_ftp" },
{ " Gateway", "This machine will route packets between interfaces",
dmenuVarCheck, dmenuToggleVariable, NULL, "gateway_enable=YES" },
+ { " inetd", "This machine wants to run the inet daemon",
+ dmenuVarCheck, dmenuToggleVariable, NULL, "inetd_enable=YES" },
{ " NFS client", "This machine will be an NFS client",
dmenuVarCheck, dmenuToggleVariable, NULL, "nfs_client_enable=YES" },
{ " NFS server", "This machine will be an NFS server",
@@ -1348,6 +1315,8 @@ DMenu MenuNetworking = {
dmenuVarCheck, dmenuSubmenu, NULL, &MenuNTP, '[', 'X', ']', "ntpdate_enable=YES" },
{ " PCNFSD", "Run authentication server for clients with PC-NFS.",
dmenuVarCheck, configPCNFSD, NULL, "pcnfsd" },
+ { " portmap", "This machine wants to run the portmapper daemon",
+ dmenuVarCheck, dmenuToggleVariable, NULL, "portmap_enable=YES" },
{ " Routed", "Select routing daemon (default: routed)",
dmenuVarCheck, configRouter, NULL, "router_enable=YES" },
{ " Rwhod", "This machine wants to run the rwho daemon",
@@ -1369,7 +1338,7 @@ DMenu MenuNTP = {
"close to you to have your system time synchronized accordingly.",
"These are the primary open-access NTP servers",
NULL,
- { { "None", "No ntp server",
+ { { "None", "No NTP server",
dmenuVarsCheck, dmenuSetVariables, NULL,
"ntpdate_enable=NO,ntpdate_flags=none" },
{ "Other", "Select a site not on this list",
@@ -1625,6 +1594,21 @@ DMenu MenuUsermgmt = {
{ NULL } },
};
+DMenu MenuSecurityProfile = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Default system security profile",
+ "Each item in this list will set what it considers to\n"
+ "be \"appropriate\" values in that category for various\n"
+ "security-related knobs in /etc/rc.conf.",
+ "Select a canned security profile.",
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)", NULL, configSecurityModerate },
+ { "Low", "Fairly wide-open (little) security.", NULL, configSecurityLiberal },
+ { "Medium", "Moderate security settings [DEFAULT].", NULL, configSecurityModerate },
+ { "High", "Very restrictive security settings.", NULL, configSecurityFascist },
+ { NULL } },
+};
+
DMenu MenuFixit = {
DMENU_NORMAL_TYPE,
"Please choose a fixit option",
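Review bot: The "X Exit" entry of MenuSecurityProfile is bound to configSecurityModerate rather than to dmenuExit, which MenuXF86Config and MenuXDesktops in this file use for their Exit item. Leaving the menu without choosing therefore rewrites the service knobs to the Medium values and shows the confirmation dialog. Because this commit also links the menu from MenuConfigure and MenuIndex, a host already set to High would have inetd, sendmail and sshd re-enabled just by opening the menu and exiting it. Consider `{ "X Exit", "Exit this menu (returning to previous)", NULL, dmenuExit },` and leave applying the default to the callers in install.c.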
diff --git a/release/sysinstall/sysinstall.h b/release/sysinstall/sysinstall.h
index d44b8cb..5049470 100644
--- a/release/sysinstall/sysinstall.h
+++ b/release/sysinstall/sysinstall.h
@@ -375,6 +375,7 @@ extern DMenu MenuMediaFTP; /* FTP media menu */
extern DMenu MenuMediaTape; /* Tape media menu */
extern DMenu MenuNetworkDevice; /* Network device menu */
extern DMenu MenuNTP; /* NTP time server menu */
+extern DMenu MenuSecurityProfile; /* Security profile menu */
extern DMenu MenuStartup; /* Startup services menu */
extern DMenu MenuSyscons; /* System console configuration menu */
extern DMenu MenuSysconsFont; /* System console font configuration menu */
@@ -387,7 +388,6 @@ extern DMenu MenuInstallCustom; /* Custom Installation menu */
extern DMenu MenuDistributions; /* Distribution menu */
extern DMenu MenuDiskDevices; /* Disk type devices */
extern DMenu MenuSubDistributions; /* Custom distribution menu */
-extern DMenu MenuCRYPTODistributions;/* Encryption distribution menu */
extern DMenu MenuSrcDistributions; /* Source distribution menu */
extern DMenu MenuXF86; /* XFree86 main menu */
extern DMenu MenuXF86Select; /* XFree86 distribution selection menu */
@@ -443,6 +443,10 @@ extern int configRouter(dialogMenuItem *self);
extern int configPCNFSD(dialogMenuItem *self);
extern int configNFSServer(dialogMenuItem *self);
extern int configWriteRC_conf(dialogMenuItem *self);
+extern int configSecurityProfile(dialogMenuItem *self);
+extern int configSecurityFascist(dialogMenuItem *self);
+extern int configSecurityModerate(dialogMenuItem *self);
+extern int configSecurityLiberal(dialogMenuItem *self);
/* crc.c */
extern int crc(int, unsigned long *, unsigned long *);
@@ -496,7 +500,6 @@ extern int distSetUser(dialogMenuItem *self);
extern int distSetXUser(dialogMenuItem *self);
extern int distSetMinimum(dialogMenuItem *self);
extern int distSetEverything(dialogMenuItem *self);
-extern int distSetCRYPTO(dialogMenuItem *self);
extern int distSetSrc(dialogMenuItem *self);
extern int distSetXF86(dialogMenuItem *self);
extern int distExtractAll(dialogMenuItem *self);
diff --git a/usr.sbin/sade/config.c b/usr.sbin/sade/config.c
index 8ce295b..cf37e94 100644
--- a/usr.sbin/sade/config.c
+++ b/usr.sbin/sade/config.c
@@ -388,10 +388,6 @@ configRC_conf(void)
fprintf(rcSite, "# This file now contains just the overrides from /etc/defaults/rc.conf\n");
fprintf(rcSite, "# please make all changes to this file.\n\n");
fprintf(rcSite, "# Enable network daemons for user convenience.\n");
- fprintf(rcSite, "inetd_enable=\"YES\"\n");
- fprintf(rcSite, "portmap_enable=\"YES\"\n");
- fprintf(rcSite, "sendmail_enable=\"YES\"\n");
- fprintf(rcSite, "sshd_enable=\"YES\"\n");
}
/* Now do variable substitutions */
@@ -470,6 +466,95 @@ configLinux(dialogMenuItem *self)
return i;
}
+int
+configSecurityProfile(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ dialog_clear_norefresh();
+ dmenuOpenSimple(&MenuSecurityProfile, FALSE);
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+/* Use the most fascist security settings */
+int
+configSecurityFascist(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "NO", 1);
+ variable_set2("portmap_enable", "NO", 1);
+ variable_set2("sendmail_enable", "NO", 1);
+ variable_set2("sshd_enable", "NO", 1);
+ variable_set2("nfs_server_enable", "NO", 1);
+ variable_set2("kern_securelevel_enable", "YES", 1);
+ variable_set2("kern_securelevel", "2", 1);
+ /* More fascist stuff should go here */
+
+ msgConfirm("High security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been DISABLED by default.\n\n"
+ "PLEASE NOTE that this still does not save you from having\n"
+ "to properly secure your system in other ways or exercise\n"
+ "due diligence in your administration, this simply picks\n"
+ "a more secure set of out-of-box defaults to start with.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+int
+configSecurityModerate(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "YES", 1);
+ if (!variable_cmp("nfs_client_enable", "YES") ||
+ !variable_cmp("nfs_server_enable", "YES"))
+ variable_set2("portmap_enable", "YES", 1);
+ if (!variable_cmp("nfs_server_enable", "YES"))
+ variable_set2("nfs_reserved_port_only", "YES", 1);
+ variable_set2("sendmail_enable", "YES", 1);
+ variable_set2("sshd_enable", "YES", 1);
+
+ msgConfirm("Moderate security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been enabled by default\n"
+ "for a comfortable user experience but with possible\n"
+ "trade-offs in system security. If this bothers you and\n"
+ "you know exactly what you are doing, select the high\n"
+ "high security profile instead.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+int
+configSecurityLiberal(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "YES", 1);
+ variable_set2("portmap_enable", "YES", 1);
+ variable_set2("sendmail_enable", "YES", 1);
+ variable_set2("sshd_enable", "YES", 1);
+
+ msgConfirm("Liberal security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been enabled by default\n"
+ "for the most comfortable user experience but with possible\n"
+ "trade-offs in system security. If this bothers you, select\n"
+ "the medium security profile or, if you know exactly what you\n"
+ "are doing, the high security profile instead.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
static void
write_root_xprofile(char *str)
{
diff --git a/usr.sbin/sade/dispatch.c b/usr.sbin/sade/dispatch.c
index 0b388b4..cd64bf0 100644
--- a/usr.sbin/sade/dispatch.c
+++ b/usr.sbin/sade/dispatch.c
@@ -73,7 +73,6 @@ static struct _word {
{ "distSetXUser", distSetXUser },
{ "distSetMinimum", distSetMinimum },
{ "distSetEverything", distSetEverything },
- { "distSetCRYPTO", distSetCRYPTO },
{ "distSetSrc", distSetSrc },
{ "distSetXF86", distSetXF86 },
{ "distExtractAll", distExtractAll },
diff --git a/usr.sbin/sade/install.c b/usr.sbin/sade/install.c
index 67399ca..cc53f3e 100644
--- a/usr.sbin/sade/install.c
+++ b/usr.sbin/sade/install.c
@@ -472,6 +472,9 @@ installExpress(dialogMenuItem *self)
if (DITEM_STATUS((i = installCommit(self))) == DITEM_SUCCESS) {
i |= DITEM_LEAVE_MENU;
+ /* Set default security level */
+ configSecurityModerate(self);
+
/* Give user the option of one last configuration spree */
installConfigure();
}
@@ -560,10 +563,12 @@ nodisks:
"between interfaces)?"))
variable_set2("gateway_enable", "YES", 1);
+ dialog_clear_norefresh();
if (msgYesNo("Do you want to grant only normal users FTP access to this\n"
"host (e.g. no anonymous FTP connections)?"))
configAnonFTP(self);
+ dialog_clear_norefresh();
if (!msgYesNo("Do you want to configure this machine as an NFS server?"))
configNFSServer(self);
@@ -571,6 +576,13 @@ nodisks:
if (!msgYesNo("Do you want to configure this machine as an NFS client?"))
variable_set2("nfs_client_enable", "YES", 1);
+ if (msgYesNo("Do you want to select a default security profile for\n"
+ "this host (\"medium\" security being the default)?"))
+ configSecurityProfile(self);
+ else
+ configSecurityModerate(self);
+
+ dialog_clear_norefresh();
if (!msgYesNo("Would you like to customize your system console settings?"))
dmenuOpenSimple(&MenuSyscons, FALSE);
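Review bot: The new `msgYesNo` test for the security profile looks inverted: the neighbouring prompts treat a zero return as Yes (`if (!msgYesNo("... NFS server?")) configNFSServer(self);`), so as written answering Yes applies the medium profile directly and answering No opens the profile menu. If that reading of `msgYesNo` is right, the condition should be `if (!msgYesNo(...)) configSecurityProfile(self); else configSecurityModerate(self);`. The prompt would also be clearer if it said which answer keeps the default, e.g. `(select No for "medium" security)`. The same lines are added to usr.sbin/sysinstall/install.c in this commit, and the enclosing function starts and ends outside the hunk.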
@@ -632,6 +644,9 @@ installCustomCommit(dialogMenuItem *self)
i = installCommit(self);
if (DITEM_STATUS(i) == DITEM_SUCCESS) {
+ /* Set default security level */
+ configSecurityModerate(self);
+
/* Give user the option of one last configuration spree */
installConfigure();
return i;
diff --git a/usr.sbin/sade/menus.c b/usr.sbin/sade/menus.c
index eee9959..b07008d 100644
--- a/usr.sbin/sade/menus.c
+++ b/usr.sbin/sade/menus.c
@@ -42,6 +42,8 @@ setSrc(dialogMenuItem *self)
{
Dists |= DIST_SRC;
SrcDists = DIST_SRC_ALL;
+ CRYPTODists |= (DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
return DITEM_SUCCESS | DITEM_REDRAW;
}
@@ -50,22 +52,8 @@ clearSrc(dialogMenuItem *self)
{
Dists &= ~DIST_SRC;
SrcDists = 0;
- return DITEM_SUCCESS | DITEM_REDRAW;
-}
-
-static int
-setCRYPTO(dialogMenuItem *self)
-{
- Dists |= DIST_CRYPTO;
- CRYPTODists = DIST_CRYPTO_ALL;
- return DITEM_SUCCESS | DITEM_REDRAW;
-}
-
-static int
-clearCRYPTO(dialogMenuItem *self)
-{
- Dists &= ~DIST_CRYPTO;
- CRYPTODists = 0;
+ CRYPTODists &= ~(DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
return DITEM_SUCCESS | DITEM_REDRAW;
}
@@ -121,10 +109,10 @@ clearX11Fonts(dialogMenuItem *self)
#define _IS_SET(dist, set) (((dist) & (set)) == (set))
#define IS_DEVELOPER(dist, extra) (_IS_SET(dist, _DIST_DEVELOPER | extra) || \
- _IS_SET(dist, _DIST_DEVELOPER | DIST_CRYPTO | extra))
+ _IS_SET(dist, _DIST_DEVELOPER | extra))
#define IS_USER(dist, extra) (_IS_SET(dist, _DIST_USER | extra) || \
- _IS_SET(dist, _DIST_USER | DIST_CRYPTO | extra))
+ _IS_SET(dist, _DIST_USER | extra))
static int
checkDistDeveloper(dialogMenuItem *self)
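Review bot: After `DIST_CRYPTO` is dropped from the second operand, both sides of the `||` in `IS_DEVELOPER` and `IS_USER` are the same expression, so the alternation no longer does anything. Each macro can be reduced to a single test, `#define IS_DEVELOPER(dist, extra) _IS_SET(dist, _DIST_DEVELOPER | (extra))` and likewise for `IS_USER`, which also parenthesises `extra`. The identical hunk in usr.sbin/sysinstall/menus.c has the same redundancy.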
@@ -171,19 +159,14 @@ checkDistMinimum(dialogMenuItem *self)
static int
checkDistEverything(dialogMenuItem *self)
{
- return Dists == DIST_ALL && _IS_SET(SrcDists, DIST_SRC_ALL) && \
+ return Dists == DIST_ALL && CRYPTODists == DIST_CRYPTO_ALL && \
+ _IS_SET(SrcDists, DIST_SRC_ALL) && \
_IS_SET(XF86Dists, DIST_XF86_ALL) && \
_IS_SET(XF86ServerDists, DIST_XF86_SERVER_ALL) && \
_IS_SET(XF86FontDists, DIST_XF86_FONTS_ALL);
}
static int
-CRYPTOFlagCheck(dialogMenuItem *item)
-{
- return CRYPTODists;
-}
-
-static int
srcFlagCheck(dialogMenuItem *item)
{
return SrcDists;
@@ -225,7 +208,6 @@ DMenu MenuIndex = {
{ " Disklabel", "The disk Label editor", NULL, diskLabelEditor },
{ " Dists, All", "Root of the distribution tree.", NULL, dmenuSubmenu, NULL, &MenuDistributions },
{ " Dists, Basic", "Basic FreeBSD distribution menu.", NULL, dmenuSubmenu, NULL, &MenuSubDistributions },
- { " Dists, CRYPTO", "Encryption distribution menu.", NULL, dmenuSubmenu, NULL, &MenuCRYPTODistributions },
{ " Dists, Developer", "Select developer's distribution.", checkDistDeveloper, distSetDeveloper },
{ " Dists, Src", "Src distribution menu.", NULL, dmenuSubmenu, NULL, &MenuSrcDistributions },
{ " Dists, X Developer", "Select X developer's distribution.", checkDistXDeveloper, distSetXDeveloper },
@@ -275,6 +257,7 @@ DMenu MenuIndex = {
{ " PCNFSD", "Run authentication server for PC-NFS.", dmenuVarCheck, configPCNFSD, NULL, "pcnfsd" },
{ " Root Password", "Set the system manager's password.", NULL, dmenuSystemCommand, NULL, "passwd root" },
{ " Router", "Select routing daemon (default: routed)", NULL, configRouter, NULL, "router_enable" },
+ { " Security", "Select a default system security profile.", NULL, dmenuSubmenu, NULL, &MenuSecurityProfile },
{ " Syscons", "The system console configuration menu.", NULL, dmenuSubmenu, NULL, &MenuSyscons },
{ " Syscons, Font", "The console screen font.", NULL, dmenuSubmenu, NULL, &MenuSysconsFont },
{ " Syscons, Keymap", "The console keymap configuration menu.", NULL, dmenuSubmenu, NULL, &MenuSysconsKeymap },
@@ -425,70 +408,6 @@ DMenu MenuMouse = {
{ NULL } },
};
-DMenu MenuXF86Config = {
- DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
- "Please select the XFree86 configuration tool you want to use.",
-#ifdef __alpha__
- "Due to problems with the VGA16 server right now, only the\n"
- "text-mode configuration tool (xf86config) is currently supported.",
-#else
- "The first tool, XF86Setup, is fully graphical and requires the\n"
- "VGA16 server in order to work (should have been selected by\n"
- "default, but if you de-selected it then you won't be able to\n"
- "use this fancy setup tool). The second tool, xf86config, is\n"
- "a more simplistic shell-script based tool and less friendly to\n"
- "new users, but it may work in situations where the fancier one\n"
- "does not.",
-#endif
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- NULL, dmenuExit },
-#ifdef __alpha__
- { "2 xf86config", "Shell-script based XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
-#else
- { "2 XF86Setup", "Fully graphical XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF86Setup" },
- { "3 xf86config", "Shell-script based XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
- { "4 XF98Setup", "Fully graphical XFree86 configuration tool (PC98).",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF98Setup" },
-#endif
- { "D XDesktop", "X already set up, just do desktop configuration.",
- NULL, dmenuSubmenu, NULL, &MenuXDesktops },
- { NULL } },
-};
-
-DMenu MenuXDesktops = {
- DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
- "Please select the default X desktop to use.",
- "By default, XFree86 comes with a fairly vanilla desktop which\n"
- "is based around the twm(1) window manager and does not offer\n"
- "much in the way of features. It does have the advantage of\n"
- "being a standard part of X so you don't need to load anything\n"
- "extra in order to use it. If, however, you have access to a\n"
- "reasonably full packages collection on your installation media,\n"
- "you can choose any one of the following desktops as alternatives.",
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- NULL, dmenuExit },
- { "2 KDE", "The K Desktop Environment.",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=kde" },
- { "3 GNOME + Afterstep", "GNOME + Afterstep window manager.",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=gnome" },
- { "4 GNOME + Enlightenment","GNOME + The E window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=enlightenment" },
- { "5 Afterstep", "The Afterstep window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=afterstep" },
- { "6 Windowmaker", "The Windowmaker window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=windowmaker" },
- { "7 fvwm2", "The fvwm2 window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=fvwm2" },
- { NULL } },
-};
-
DMenu MenuMediaCDROM = {
DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
"Choose a CDROM type",
@@ -844,8 +763,17 @@ DMenu MenuSubDistributions = {
dmenuFlagCheck, dmenuSetFlag, NULL, &Dists, '[', 'X', ']', DIST_COMPAT3X },
#endif
#endif
- { " CRYPTO", "Encryption code - NOT FOR EXPORT!",
- CRYPTOFlagCheck,distSetCRYPTO },
+ { " crypto", "Basic encryption services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_CRYPTO, },
+#if __FreeBSD__ <= 3
+ { " krb", "KerberosIV authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS },
+#else
+ { " krb4", "KerberosIV authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS4 },
+ { " krb5", "Kerberos5 authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS5 },
+#endif
{ " dict", "Spelling checker dictionary files",
dmenuFlagCheck, dmenuSetFlag, NULL, &Dists, '[', 'X', ']', DIST_DICT },
{ " doc", "Miscellaneous FreeBSD online docs",
@@ -871,43 +799,6 @@ DMenu MenuSubDistributions = {
{ NULL } },
};
-DMenu MenuCRYPTODistributions = {
- DMENU_CHECKLIST_TYPE | DMENU_SELECTION_RETURNS,
- "Select the encryption facilities you wish to install.",
- "Please check off any special encryption distributions\n"
- "you would like to install. Please note that these services are NOT FOR\n"
- "EXPORT from the United States. For information on non-U.S. FTP\n"
- "distributions of this software, please consult the release notes.",
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- checkTrue, dmenuExit, NULL, NULL, '<', '<', '<' },
- { "All", "Select all of the below",
- NULL, setCRYPTO, NULL, NULL, ' ', ' ', ' ' },
- { "Reset", "Reset all of the below",
- NULL, clearCRYPTO, NULL, NULL, ' ', ' ', ' ' },
- { " crypto", "Basic encryption services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_CRYPTO, },
-#if __FreeBSD__ <= 3
- { " krb", "KerberosIV authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS },
-#else
- { " krb4", "KerberosIV authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS4 },
- { " krb5", "Kerberos5 authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS5 },
-#endif
- { " skrb4", "Sources for KerberosIV",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS4 },
- { " skrb5", "Sources for Kerberos5",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS5 },
- { " ssecure", "BSD encryption sources",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SSECURE },
- { " scrypto", "Contributed encryption sources",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SCRYPTO },
- { NULL } },
-};
-
DMenu MenuSrcDistributions = {
DMENU_CHECKLIST_TYPE | DMENU_SELECTION_RETURNS,
"Select the sub-components of src you wish to install.",
@@ -943,8 +834,16 @@ DMenu MenuSrcDistributions = {
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_BIN },
{ " sbin", "/usr/src/sbin (system binaries)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SBIN },
+ { " scrypto", "/usr/src/crypto (contrib encryption sources)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SCRYPTO },
{ " share", "/usr/src/share (documents and shared files)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SHARE },
+ { " skrb4", "/usr/src/kerberosIV (sources for KerberosIV)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS4 },
+ { " skrb5", "/usr/src/kerberos5 (sources for Kerberos5)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS5 },
+ { " ssecure", "/usr/src/secure (BSD encryption sources)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SSECURE },
{ " sys", "/usr/src/sys (FreeBSD kernel)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SYS },
{ " tools", "/usr/src/tools (miscellaneous tools)",
@@ -956,6 +855,70 @@ DMenu MenuSrcDistributions = {
{ NULL } },
};
+DMenu MenuXF86Config = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Please select the XFree86 configuration tool you want to use.",
+#ifdef __alpha__
+ "Due to problems with the VGA16 server right now, only the\n"
+ "text-mode configuration tool (xf86config) is currently supported.",
+#else
+ "The first tool, XF86Setup, is fully graphical and requires the\n"
+ "VGA16 server in order to work (should have been selected by\n"
+ "default, but if you de-selected it then you won't be able to\n"
+ "use this fancy setup tool). The second tool, xf86config, is\n"
+ "a more simplistic shell-script based tool and less friendly to\n"
+ "new users, but it may work in situations where the fancier one\n"
+ "does not.",
+#endif
+ NULL,
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)",
+ NULL, dmenuExit },
+#ifdef __alpha__
+ { "2 xf86config", "Shell-script based XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
+#else
+ { "2 XF86Setup", "Fully graphical XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF86Setup" },
+ { "3 xf86config", "Shell-script based XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
+ { "4 XF98Setup", "Fully graphical XFree86 configuration tool (PC98).",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF98Setup" },
+#endif
+ { "D XDesktop", "X already set up, just do desktop configuration.",
+ NULL, dmenuSubmenu, NULL, &MenuXDesktops },
+ { NULL } },
+};
+
+DMenu MenuXDesktops = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Please select the default X desktop to use.",
+ "By default, XFree86 comes with a fairly vanilla desktop which\n"
+ "is based around the twm(1) window manager and does not offer\n"
+ "much in the way of features. It does have the advantage of\n"
+ "being a standard part of X so you don't need to load anything\n"
+ "extra in order to use it. If, however, you have access to a\n"
+ "reasonably full packages collection on your installation media,\n"
+ "you can choose any one of the following desktops as alternatives.",
+ NULL,
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)",
+ NULL, dmenuExit },
+ { "2 KDE", "The K Desktop Environment.",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=kde" },
+ { "3 GNOME + Afterstep", "GNOME + Afterstep window manager.",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=gnome" },
+ { "4 GNOME + Enlightenment","GNOME + The E window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=enlightenment" },
+ { "5 Afterstep", "The Afterstep window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=afterstep" },
+ { "6 Windowmaker", "The Windowmaker window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=windowmaker" },
+ { "7 fvwm2", "The fvwm2 window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=fvwm2" },
+ { NULL } },
+};
+
DMenu MenuXF86Select = {
DMENU_NORMAL_TYPE,
"XFree86 3.3.6 Distribution",
@@ -1254,6 +1217,8 @@ DMenu MenuConfigure = {
NULL, dmenuSubmenu, NULL, &MenuMouse, NULL },
{ " Networking", "Configure additional network services",
NULL, dmenuSubmenu, NULL, &MenuNetworking },
+ { " Security", "Select default system security profile",
+ NULL, dmenuSubmenu, NULL, &MenuSecurityProfile },
{ " Startup", "Configure system startup options",
NULL, dmenuSubmenu, NULL, &MenuStartup },
{ " Options", "View/Set various installation options",
@@ -1340,6 +1305,8 @@ DMenu MenuNetworking = {
dmenuVarCheck, configAnonFTP, NULL, "anon_ftp" },
{ " Gateway", "This machine will route packets between interfaces",
dmenuVarCheck, dmenuToggleVariable, NULL, "gateway_enable=YES" },
+ { " inetd", "This machine wants to run the inet daemon",
+ dmenuVarCheck, dmenuToggleVariable, NULL, "inetd_enable=YES" },
{ " NFS client", "This machine will be an NFS client",
dmenuVarCheck, dmenuToggleVariable, NULL, "nfs_client_enable=YES" },
{ " NFS server", "This machine will be an NFS server",
@@ -1348,6 +1315,8 @@ DMenu MenuNetworking = {
dmenuVarCheck, dmenuSubmenu, NULL, &MenuNTP, '[', 'X', ']', "ntpdate_enable=YES" },
{ " PCNFSD", "Run authentication server for clients with PC-NFS.",
dmenuVarCheck, configPCNFSD, NULL, "pcnfsd" },
+ { " portmap", "This machine wants to run the portmapper daemon",
+ dmenuVarCheck, dmenuToggleVariable, NULL, "portmap_enable=YES" },
{ " Routed", "Select routing daemon (default: routed)",
dmenuVarCheck, configRouter, NULL, "router_enable=YES" },
{ " Rwhod", "This machine wants to run the rwho daemon",
@@ -1369,7 +1338,7 @@ DMenu MenuNTP = {
"close to you to have your system time synchronized accordingly.",
"These are the primary open-access NTP servers",
NULL,
- { { "None", "No ntp server",
+ { { "None", "No NTP server",
dmenuVarsCheck, dmenuSetVariables, NULL,
"ntpdate_enable=NO,ntpdate_flags=none" },
{ "Other", "Select a site not on this list",
@@ -1625,6 +1594,21 @@ DMenu MenuUsermgmt = {
{ NULL } },
};
+DMenu MenuSecurityProfile = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Default system security profile",
+ "Each item in this list will set what it considers to\n"
+ "be \"appropriate\" values in that category for various\n"
+ "security-related knobs in /etc/rc.conf.",
+ "Select a canned security profile.",
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)", NULL, configSecurityModerate },
+ { "Low", "Fairly wide-open (little) security.", NULL, configSecurityLiberal },
+ { "Medium", "Moderate security settings [DEFAULT].", NULL, configSecurityModerate },
+ { "High", "Very restrictive security settings.", NULL, configSecurityFascist },
+ { NULL } },
+};
+
DMenu MenuFixit = {
DMENU_NORMAL_TYPE,
"Please choose a fixit option",
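Review bot: The "X Exit" entry of `MenuSecurityProfile` is bound to `configSecurityModerate` rather than `dmenuExit`, so leaving the menu without choosing anything still rewrites the settings. Going by the config.c part of this commit, that sets `inetd_enable`, `sendmail_enable` and `sshd_enable` to YES, which would turn those services back on for an administrator who had picked High earlier and only reopened the menu to look. Binding the entry the way the other menus in this file do, `{ "X Exit", "Exit this menu (returning to previous)", NULL, dmenuExit },`, and leaving the default to the install paths that already call `configSecurityModerate`, avoids that surprise.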
diff --git a/usr.sbin/sade/sade.h b/usr.sbin/sade/sade.h
index d44b8cb..5049470 100644
--- a/usr.sbin/sade/sade.h
+++ b/usr.sbin/sade/sade.h
@@ -375,6 +375,7 @@ extern DMenu MenuMediaFTP; /* FTP media menu */
extern DMenu MenuMediaTape; /* Tape media menu */
extern DMenu MenuNetworkDevice; /* Network device menu */
extern DMenu MenuNTP; /* NTP time server menu */
+extern DMenu MenuSecurityProfile; /* Security profile menu */
extern DMenu MenuStartup; /* Startup services menu */
extern DMenu MenuSyscons; /* System console configuration menu */
extern DMenu MenuSysconsFont; /* System console font configuration menu */
@@ -387,7 +388,6 @@ extern DMenu MenuInstallCustom; /* Custom Installation menu */
extern DMenu MenuDistributions; /* Distribution menu */
extern DMenu MenuDiskDevices; /* Disk type devices */
extern DMenu MenuSubDistributions; /* Custom distribution menu */
-extern DMenu MenuCRYPTODistributions;/* Encryption distribution menu */
extern DMenu MenuSrcDistributions; /* Source distribution menu */
extern DMenu MenuXF86; /* XFree86 main menu */
extern DMenu MenuXF86Select; /* XFree86 distribution selection menu */
@@ -443,6 +443,10 @@ extern int configRouter(dialogMenuItem *self);
extern int configPCNFSD(dialogMenuItem *self);
extern int configNFSServer(dialogMenuItem *self);
extern int configWriteRC_conf(dialogMenuItem *self);
+extern int configSecurityProfile(dialogMenuItem *self);
+extern int configSecurityFascist(dialogMenuItem *self);
+extern int configSecurityModerate(dialogMenuItem *self);
+extern int configSecurityLiberal(dialogMenuItem *self);
/* crc.c */
extern int crc(int, unsigned long *, unsigned long *);
@@ -496,7 +500,6 @@ extern int distSetUser(dialogMenuItem *self);
extern int distSetXUser(dialogMenuItem *self);
extern int distSetMinimum(dialogMenuItem *self);
extern int distSetEverything(dialogMenuItem *self);
-extern int distSetCRYPTO(dialogMenuItem *self);
extern int distSetSrc(dialogMenuItem *self);
extern int distSetXF86(dialogMenuItem *self);
extern int distExtractAll(dialogMenuItem *self);
diff --git a/usr.sbin/sysinstall/config.c b/usr.sbin/sysinstall/config.c
index 8ce295b..cf37e94 100644
--- a/usr.sbin/sysinstall/config.c
+++ b/usr.sbin/sysinstall/config.c
@@ -388,10 +388,6 @@ configRC_conf(void)
fprintf(rcSite, "# This file now contains just the overrides from /etc/defaults/rc.conf\n");
fprintf(rcSite, "# please make all changes to this file.\n\n");
fprintf(rcSite, "# Enable network daemons for user convenience.\n");
- fprintf(rcSite, "inetd_enable=\"YES\"\n");
- fprintf(rcSite, "portmap_enable=\"YES\"\n");
- fprintf(rcSite, "sendmail_enable=\"YES\"\n");
- fprintf(rcSite, "sshd_enable=\"YES\"\n");
}
/* Now do variable substitutions */
@@ -470,6 +466,95 @@ configLinux(dialogMenuItem *self)
return i;
}
+int
+configSecurityProfile(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ dialog_clear_norefresh();
+ dmenuOpenSimple(&MenuSecurityProfile, FALSE);
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+/* Use the most fascist security settings */
+int
+configSecurityFascist(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "NO", 1);
+ variable_set2("portmap_enable", "NO", 1);
+ variable_set2("sendmail_enable", "NO", 1);
+ variable_set2("sshd_enable", "NO", 1);
+ variable_set2("nfs_server_enable", "NO", 1);
+ variable_set2("kern_securelevel_enable", "YES", 1);
+ variable_set2("kern_securelevel", "2", 1);
+ /* More fascist stuff should go here */
+
+ msgConfirm("High security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been DISABLED by default.\n\n"
+ "PLEASE NOTE that this still does not save you from having\n"
+ "to properly secure your system in other ways or exercise\n"
+ "due diligence in your administration, this simply picks\n"
+ "a more secure set of out-of-box defaults to start with.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+int
+configSecurityModerate(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "YES", 1);
+ if (!variable_cmp("nfs_client_enable", "YES") ||
+ !variable_cmp("nfs_server_enable", "YES"))
+ variable_set2("portmap_enable", "YES", 1);
+ if (!variable_cmp("nfs_server_enable", "YES"))
+ variable_set2("nfs_reserved_port_only", "YES", 1);
+ variable_set2("sendmail_enable", "YES", 1);
+ variable_set2("sshd_enable", "YES", 1);
+
+ msgConfirm("Moderate security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been enabled by default\n"
+ "for a comfortable user experience but with possible\n"
+ "trade-offs in system security. If this bothers you and\n"
+ "you know exactly what you are doing, select the high\n"
+ "high security profile instead.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+int
+configSecurityLiberal(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "YES", 1);
+ variable_set2("portmap_enable", "YES", 1);
+ variable_set2("sendmail_enable", "YES", 1);
+ variable_set2("sshd_enable", "YES", 1);
+
+ msgConfirm("Liberal security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been enabled by default\n"
+ "for the most comfortable user experience but with possible\n"
+ "trade-offs in system security. If this bothers you, select\n"
+ "the medium security profile or, if you know exactly what you\n"
+ "are doing, the high security profile instead.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
static void
write_root_xprofile(char *str)
{
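Review bot: The three profile functions do not undo one another: `configSecurityFascist` sets `kern_securelevel_enable` to YES and `kern_securelevel` to 2, but `configSecurityModerate` and `configSecurityLiberal` never touch those variables, and Moderate never resets `portmap_enable` after Liberal has set it. Picking High and then Medium therefore leaves the network services enabled with securelevel 2 still configured, a state none of the three messages describes. Each profile should assign every knob the profiles own between them, for example `variable_set2("kern_securelevel_enable", "NO", 1);` in Moderate and Liberal. The High message should also say that the kernel securelevel is raised to 2, and the Moderate text has a doubled word (`select the high\n` followed by `high security profile`). usr.sbin/sade/config.c receives the same functions in this commit.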
diff --git a/usr.sbin/sysinstall/dispatch.c b/usr.sbin/sysinstall/dispatch.c
index 0b388b4..cd64bf0 100644
--- a/usr.sbin/sysinstall/dispatch.c
+++ b/usr.sbin/sysinstall/dispatch.c
@@ -73,7 +73,6 @@ static struct _word {
{ "distSetXUser", distSetXUser },
{ "distSetMinimum", distSetMinimum },
{ "distSetEverything", distSetEverything },
- { "distSetCRYPTO", distSetCRYPTO },
{ "distSetSrc", distSetSrc },
{ "distSetXF86", distSetXF86 },
{ "distExtractAll", distExtractAll },
diff --git a/usr.sbin/sysinstall/dist.c b/usr.sbin/sysinstall/dist.c
index 61974c8d..e70f446 100644
--- a/usr.sbin/sysinstall/dist.c
+++ b/usr.sbin/sysinstall/dist.c
@@ -197,7 +197,6 @@ static Distribution XF86FontDistTable[] = {
{ NULL },
};
-static int distMaybeSetCRYPTO(dialogMenuItem *self);
static int distMaybeSetPorts(dialogMenuItem *self);
static void
@@ -211,7 +210,7 @@ distVerifyFlags(void)
Dists |= DIST_CRYPTO;
}
else if ((Dists & DIST_CRYPTO) && !CRYPTODists)
- CRYPTODists |= DIST_CRYPTO_CRYPTO;
+ CRYPTODists |= DIST_CRYPTO_ALL;
if (XF86Dists & DIST_XF86_SET)
XF86ServerDists |= DIST_XF86_SERVER_VGA16;
if (XF86ServerDists)
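Review bot: The fallback on the changed line now turns on every crypto sub-distribution, the Kerberos sets and the crypto sources included, whenever `DIST_CRYPTO` is set in `Dists` and `CRYPTODists` is empty. This commit also removes `clearCRYPTO` from menus.c, the only place visible here that cleared `DIST_CRYPTO`, so a user who unticks every crypto box in the new menu entries may find them all re-selected the next time `distVerifyFlags` runs; that is inferred, since the start of the function is outside the hunk. If the widening is intended, a comment such as `/* DIST_CRYPTO with no sub-dists chosen means all of crypto */` would record it; otherwise the branch should keep `DIST_CRYPTO_CRYPTO`.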
@@ -291,7 +290,9 @@ distSetDeveloper(dialogMenuItem *self)
distReset(NULL);
Dists = _DIST_DEVELOPER;
SrcDists = DIST_SRC_ALL;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ CRYPTODists |= (DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
@@ -315,7 +316,7 @@ distSetKernDeveloper(dialogMenuItem *self)
distReset(NULL);
Dists = _DIST_DEVELOPER;
SrcDists = DIST_SRC_SYS;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
@@ -338,7 +339,7 @@ distSetUser(dialogMenuItem *self)
distReset(NULL);
Dists = _DIST_USER;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
@@ -369,50 +370,15 @@ distSetEverything(dialogMenuItem *self)
Dists = DIST_ALL | DIST_XF86;
SrcDists = DIST_SRC_ALL;
+ CRYPTODists = DIST_CRYPTO_ALL;
XF86Dists = DIST_XF86_ALL;
XF86ServerDists = DIST_XF86_SERVER_ALL;
XF86FontDists = DIST_XF86_FONTS_ALL;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
-int
-distSetCRYPTO(dialogMenuItem *self)
-{
- int i;
-
- dialog_clear_norefresh();
- if (!dmenuOpenSimple(&MenuCRYPTODistributions, FALSE))
- i = DITEM_FAILURE;
- else
- i = DITEM_SUCCESS;
- distVerifyFlags();
- return i | DITEM_REDRAW | DITEM_RESTORE;
-}
-
-static int
-distMaybeSetCRYPTO(dialogMenuItem *self)
-{
- int i = DITEM_SUCCESS | DITEM_REDRAW;
-
- dialog_clear_norefresh();
- if (!msgYesNo("Do you wish to install cryptographic software?\n\n"
- "If you choose No, FreeBSD will use an MD5-based password scheme which,\n"
- "while more secure, is not interoperable with the traditional\n"
- "DES-based passwords used on other Unix systems.\n\n"
- "Note that the international crypto distribution has a better\n"
- "implementation of the RSA algorithm, which is patented in the U.S.\n"
- "If you are in the USA, use crypto + the rsaref port/package\n.")) {
- if (!dmenuOpenSimple(&MenuCRYPTODistributions, FALSE))
- i = DITEM_FAILURE;
- }
-
- dialog_clear_norefresh();
- distVerifyFlags();
- return i | DITEM_REDRAW | DITEM_RESTORE;
-}
-
static int
distMaybeSetPorts(dialogMenuItem *self)
{
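Review bot: Removing `distMaybeSetCRYPTO` also removes the only prompt that told the installer what choosing crypto does to password hashing: the deleted text says that without it FreeBSD uses an MD5-based scheme, which it describes as more secure than the DES-based one. With `distSetEverything` now assigning `CRYPTODists = DIST_CRYPTO_ALL` and the other presets no longer asking, that trade-off is made without the user seeing it. If installing the crypto distribution still switches the password scheme, which this diff does not show, the notice should survive in some form, for instance a `msgConfirm` when a crypto bit is first selected or a sentence in the `crypto` menu item's description.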
diff --git a/usr.sbin/sysinstall/install.c b/usr.sbin/sysinstall/install.c
index 67399ca..cc53f3e 100644
--- a/usr.sbin/sysinstall/install.c
+++ b/usr.sbin/sysinstall/install.c
@@ -472,6 +472,9 @@ installExpress(dialogMenuItem *self)
if (DITEM_STATUS((i = installCommit(self))) == DITEM_SUCCESS) {
i |= DITEM_LEAVE_MENU;
+ /* Set default security level */
+ configSecurityModerate(self);
+
/* Give user the option of one last configuration spree */
installConfigure();
}
@@ -560,10 +563,12 @@ nodisks:
"between interfaces)?"))
variable_set2("gateway_enable", "YES", 1);
+ dialog_clear_norefresh();
if (msgYesNo("Do you want to grant only normal users FTP access to this\n"
"host (e.g. no anonymous FTP connections)?"))
configAnonFTP(self);
+ dialog_clear_norefresh();
if (!msgYesNo("Do you want to configure this machine as an NFS server?"))
configNFSServer(self);
@@ -571,6 +576,13 @@ nodisks:
if (!msgYesNo("Do you want to configure this machine as an NFS client?"))
variable_set2("nfs_client_enable", "YES", 1);
+ if (msgYesNo("Do you want to select a default security profile for\n"
+ "this host (\"medium\" security being the default)?"))
+ configSecurityProfile(self);
+ else
+ configSecurityModerate(self);
+
+ dialog_clear_norefresh();
if (!msgYesNo("Would you like to customize your system console settings?"))
dmenuOpenSimple(&MenuSyscons, FALSE);
@@ -632,6 +644,9 @@ installCustomCommit(dialogMenuItem *self)
i = installCommit(self);
if (DITEM_STATUS(i) == DITEM_SUCCESS) {
+ /* Set default security level */
+ configSecurityModerate(self);
+
/* Give user the option of one last configuration spree */
installConfigure();
return i;
diff --git a/usr.sbin/sysinstall/menus.c b/usr.sbin/sysinstall/menus.c
index eee9959..b07008d 100644
--- a/usr.sbin/sysinstall/menus.c
+++ b/usr.sbin/sysinstall/menus.c
@@ -42,6 +42,8 @@ setSrc(dialogMenuItem *self)
{
Dists |= DIST_SRC;
SrcDists = DIST_SRC_ALL;
+ CRYPTODists |= (DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
return DITEM_SUCCESS | DITEM_REDRAW;
}
@@ -50,22 +52,8 @@ clearSrc(dialogMenuItem *self)
{
Dists &= ~DIST_SRC;
SrcDists = 0;
- return DITEM_SUCCESS | DITEM_REDRAW;
-}
-
-static int
-setCRYPTO(dialogMenuItem *self)
-{
- Dists |= DIST_CRYPTO;
- CRYPTODists = DIST_CRYPTO_ALL;
- return DITEM_SUCCESS | DITEM_REDRAW;
-}
-
-static int
-clearCRYPTO(dialogMenuItem *self)
-{
- Dists &= ~DIST_CRYPTO;
- CRYPTODists = 0;
+ CRYPTODists &= ~(DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
return DITEM_SUCCESS | DITEM_REDRAW;
}
@@ -121,10 +109,10 @@ clearX11Fonts(dialogMenuItem *self)
#define _IS_SET(dist, set) (((dist) & (set)) == (set))
#define IS_DEVELOPER(dist, extra) (_IS_SET(dist, _DIST_DEVELOPER | extra) || \
- _IS_SET(dist, _DIST_DEVELOPER | DIST_CRYPTO | extra))
+ _IS_SET(dist, _DIST_DEVELOPER | extra))
#define IS_USER(dist, extra) (_IS_SET(dist, _DIST_USER | extra) || \
- _IS_SET(dist, _DIST_USER | DIST_CRYPTO | extra))
+ _IS_SET(dist, _DIST_USER | extra))
static int
checkDistDeveloper(dialogMenuItem *self)
@@ -171,19 +159,14 @@ checkDistMinimum(dialogMenuItem *self)
static int
checkDistEverything(dialogMenuItem *self)
{
- return Dists == DIST_ALL && _IS_SET(SrcDists, DIST_SRC_ALL) && \
+ return Dists == DIST_ALL && CRYPTODists == DIST_CRYPTO_ALL && \
+ _IS_SET(SrcDists, DIST_SRC_ALL) && \
_IS_SET(XF86Dists, DIST_XF86_ALL) && \
_IS_SET(XF86ServerDists, DIST_XF86_SERVER_ALL) && \
_IS_SET(XF86FontDists, DIST_XF86_FONTS_ALL);
}
static int
-CRYPTOFlagCheck(dialogMenuItem *item)
-{
- return CRYPTODists;
-}
-
-static int
srcFlagCheck(dialogMenuItem *item)
{
return SrcDists;
@@ -225,7 +208,6 @@ DMenu MenuIndex = {
{ " Disklabel", "The disk Label editor", NULL, diskLabelEditor },
{ " Dists, All", "Root of the distribution tree.", NULL, dmenuSubmenu, NULL, &MenuDistributions },
{ " Dists, Basic", "Basic FreeBSD distribution menu.", NULL, dmenuSubmenu, NULL, &MenuSubDistributions },
- { " Dists, CRYPTO", "Encryption distribution menu.", NULL, dmenuSubmenu, NULL, &MenuCRYPTODistributions },
{ " Dists, Developer", "Select developer's distribution.", checkDistDeveloper, distSetDeveloper },
{ " Dists, Src", "Src distribution menu.", NULL, dmenuSubmenu, NULL, &MenuSrcDistributions },
{ " Dists, X Developer", "Select X developer's distribution.", checkDistXDeveloper, distSetXDeveloper },
@@ -275,6 +257,7 @@ DMenu MenuIndex = {
{ " PCNFSD", "Run authentication server for PC-NFS.", dmenuVarCheck, configPCNFSD, NULL, "pcnfsd" },
{ " Root Password", "Set the system manager's password.", NULL, dmenuSystemCommand, NULL, "passwd root" },
{ " Router", "Select routing daemon (default: routed)", NULL, configRouter, NULL, "router_enable" },
+ { " Security", "Select a default system security profile.", NULL, dmenuSubmenu, NULL, &MenuSecurityProfile },
{ " Syscons", "The system console configuration menu.", NULL, dmenuSubmenu, NULL, &MenuSyscons },
{ " Syscons, Font", "The console screen font.", NULL, dmenuSubmenu, NULL, &MenuSysconsFont },
{ " Syscons, Keymap", "The console keymap configuration menu.", NULL, dmenuSubmenu, NULL, &MenuSysconsKeymap },
@@ -425,70 +408,6 @@ DMenu MenuMouse = {
{ NULL } },
};
-DMenu MenuXF86Config = {
- DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
- "Please select the XFree86 configuration tool you want to use.",
-#ifdef __alpha__
- "Due to problems with the VGA16 server right now, only the\n"
- "text-mode configuration tool (xf86config) is currently supported.",
-#else
- "The first tool, XF86Setup, is fully graphical and requires the\n"
- "VGA16 server in order to work (should have been selected by\n"
- "default, but if you de-selected it then you won't be able to\n"
- "use this fancy setup tool). The second tool, xf86config, is\n"
- "a more simplistic shell-script based tool and less friendly to\n"
- "new users, but it may work in situations where the fancier one\n"
- "does not.",
-#endif
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- NULL, dmenuExit },
-#ifdef __alpha__
- { "2 xf86config", "Shell-script based XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
-#else
- { "2 XF86Setup", "Fully graphical XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF86Setup" },
- { "3 xf86config", "Shell-script based XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
- { "4 XF98Setup", "Fully graphical XFree86 configuration tool (PC98).",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF98Setup" },
-#endif
- { "D XDesktop", "X already set up, just do desktop configuration.",
- NULL, dmenuSubmenu, NULL, &MenuXDesktops },
- { NULL } },
-};
-
-DMenu MenuXDesktops = {
- DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
- "Please select the default X desktop to use.",
- "By default, XFree86 comes with a fairly vanilla desktop which\n"
- "is based around the twm(1) window manager and does not offer\n"
- "much in the way of features. It does have the advantage of\n"
- "being a standard part of X so you don't need to load anything\n"
- "extra in order to use it. If, however, you have access to a\n"
- "reasonably full packages collection on your installation media,\n"
- "you can choose any one of the following desktops as alternatives.",
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- NULL, dmenuExit },
- { "2 KDE", "The K Desktop Environment.",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=kde" },
- { "3 GNOME + Afterstep", "GNOME + Afterstep window manager.",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=gnome" },
- { "4 GNOME + Enlightenment","GNOME + The E window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=enlightenment" },
- { "5 Afterstep", "The Afterstep window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=afterstep" },
- { "6 Windowmaker", "The Windowmaker window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=windowmaker" },
- { "7 fvwm2", "The fvwm2 window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=fvwm2" },
- { NULL } },
-};
-
DMenu MenuMediaCDROM = {
DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
"Choose a CDROM type",
@@ -844,8 +763,17 @@ DMenu MenuSubDistributions = {
dmenuFlagCheck, dmenuSetFlag, NULL, &Dists, '[', 'X', ']', DIST_COMPAT3X },
#endif
#endif
- { " CRYPTO", "Encryption code - NOT FOR EXPORT!",
- CRYPTOFlagCheck,distSetCRYPTO },
+ { " crypto", "Basic encryption services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_CRYPTO, },
+#if __FreeBSD__ <= 3
+ { " krb", "KerberosIV authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS },
+#else
+ { " krb4", "KerberosIV authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS4 },
+ { " krb5", "Kerberos5 authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS5 },
+#endif
{ " dict", "Spelling checker dictionary files",
dmenuFlagCheck, dmenuSetFlag, NULL, &Dists, '[', 'X', ']', DIST_DICT },
{ " doc", "Miscellaneous FreeBSD online docs",
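Review bot: The `crypto`, `krb4` and `krb5` rows added here toggle `CRYPTODists`, while the rows around them toggle `Dists`, and nothing in the table says so. The same applies to the `scrypto`, `skrb4`, `skrb5` and `ssecure` rows added in the MenuSrcDistributions hunk, which sit among `SrcDists` rows. `srcFlagCheck` as shown returns only `SrcDists`, so a selection made up solely of those rows would presumably not be reflected wherever that check is used. A short comment above each group, such as `/* these rows are tracked in CRYPTODists, not Dists */`, would make the split explicit. MenuSubDistributions starts and ends outside this hunk.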
@@ -871,43 +799,6 @@ DMenu MenuSubDistributions = {
{ NULL } },
};
-DMenu MenuCRYPTODistributions = {
- DMENU_CHECKLIST_TYPE | DMENU_SELECTION_RETURNS,
- "Select the encryption facilities you wish to install.",
- "Please check off any special encryption distributions\n"
- "you would like to install. Please note that these services are NOT FOR\n"
- "EXPORT from the United States. For information on non-U.S. FTP\n"
- "distributions of this software, please consult the release notes.",
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- checkTrue, dmenuExit, NULL, NULL, '<', '<', '<' },
- { "All", "Select all of the below",
- NULL, setCRYPTO, NULL, NULL, ' ', ' ', ' ' },
- { "Reset", "Reset all of the below",
- NULL, clearCRYPTO, NULL, NULL, ' ', ' ', ' ' },
- { " crypto", "Basic encryption services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_CRYPTO, },
-#if __FreeBSD__ <= 3
- { " krb", "KerberosIV authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS },
-#else
- { " krb4", "KerberosIV authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS4 },
- { " krb5", "Kerberos5 authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS5 },
-#endif
- { " skrb4", "Sources for KerberosIV",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS4 },
- { " skrb5", "Sources for Kerberos5",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS5 },
- { " ssecure", "BSD encryption sources",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SSECURE },
- { " scrypto", "Contributed encryption sources",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SCRYPTO },
- { NULL } },
-};
-
DMenu MenuSrcDistributions = {
DMENU_CHECKLIST_TYPE | DMENU_SELECTION_RETURNS,
"Select the sub-components of src you wish to install.",
@@ -943,8 +834,16 @@ DMenu MenuSrcDistributions = {
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_BIN },
{ " sbin", "/usr/src/sbin (system binaries)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SBIN },
+ { " scrypto", "/usr/src/crypto (contrib encryption sources)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SCRYPTO },
{ " share", "/usr/src/share (documents and shared files)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SHARE },
+ { " skrb4", "/usr/src/kerberosIV (sources for KerberosIV)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS4 },
+ { " skrb5", "/usr/src/kerberos5 (sources for Kerberos5)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS5 },
+ { " ssecure", "/usr/src/secure (BSD encryption sources)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SSECURE },
{ " sys", "/usr/src/sys (FreeBSD kernel)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SYS },
{ " tools", "/usr/src/tools (miscellaneous tools)",
@@ -956,6 +855,70 @@ DMenu MenuSrcDistributions = {
{ NULL } },
};
+DMenu MenuXF86Config = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Please select the XFree86 configuration tool you want to use.",
+#ifdef __alpha__
+ "Due to problems with the VGA16 server right now, only the\n"
+ "text-mode configuration tool (xf86config) is currently supported.",
+#else
+ "The first tool, XF86Setup, is fully graphical and requires the\n"
+ "VGA16 server in order to work (should have been selected by\n"
+ "default, but if you de-selected it then you won't be able to\n"
+ "use this fancy setup tool). The second tool, xf86config, is\n"
+ "a more simplistic shell-script based tool and less friendly to\n"
+ "new users, but it may work in situations where the fancier one\n"
+ "does not.",
+#endif
+ NULL,
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)",
+ NULL, dmenuExit },
+#ifdef __alpha__
+ { "2 xf86config", "Shell-script based XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
+#else
+ { "2 XF86Setup", "Fully graphical XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF86Setup" },
+ { "3 xf86config", "Shell-script based XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
+ { "4 XF98Setup", "Fully graphical XFree86 configuration tool (PC98).",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF98Setup" },
+#endif
+ { "D XDesktop", "X already set up, just do desktop configuration.",
+ NULL, dmenuSubmenu, NULL, &MenuXDesktops },
+ { NULL } },
+};
+
+DMenu MenuXDesktops = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Please select the default X desktop to use.",
+ "By default, XFree86 comes with a fairly vanilla desktop which\n"
+ "is based around the twm(1) window manager and does not offer\n"
+ "much in the way of features. It does have the advantage of\n"
+ "being a standard part of X so you don't need to load anything\n"
+ "extra in order to use it. If, however, you have access to a\n"
+ "reasonably full packages collection on your installation media,\n"
+ "you can choose any one of the following desktops as alternatives.",
+ NULL,
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)",
+ NULL, dmenuExit },
+ { "2 KDE", "The K Desktop Environment.",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=kde" },
+ { "3 GNOME + Afterstep", "GNOME + Afterstep window manager.",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=gnome" },
+ { "4 GNOME + Enlightenment","GNOME + The E window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=enlightenment" },
+ { "5 Afterstep", "The Afterstep window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=afterstep" },
+ { "6 Windowmaker", "The Windowmaker window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=windowmaker" },
+ { "7 fvwm2", "The fvwm2 window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=fvwm2" },
+ { NULL } },
+};
+
DMenu MenuXF86Select = {
DMENU_NORMAL_TYPE,
"XFree86 3.3.6 Distribution",
@@ -1254,6 +1217,8 @@ DMenu MenuConfigure = {
NULL, dmenuSubmenu, NULL, &MenuMouse, NULL },
{ " Networking", "Configure additional network services",
NULL, dmenuSubmenu, NULL, &MenuNetworking },
+ { " Security", "Select default system security profile",
+ NULL, dmenuSubmenu, NULL, &MenuSecurityProfile },
{ " Startup", "Configure system startup options",
NULL, dmenuSubmenu, NULL, &MenuStartup },
{ " Options", "View/Set various installation options",
@@ -1340,6 +1305,8 @@ DMenu MenuNetworking = {
dmenuVarCheck, configAnonFTP, NULL, "anon_ftp" },
{ " Gateway", "This machine will route packets between interfaces",
dmenuVarCheck, dmenuToggleVariable, NULL, "gateway_enable=YES" },
+ { " inetd", "This machine wants to run the inet daemon",
+ dmenuVarCheck, dmenuToggleVariable, NULL, "inetd_enable=YES" },
{ " NFS client", "This machine will be an NFS client",
dmenuVarCheck, dmenuToggleVariable, NULL, "nfs_client_enable=YES" },
{ " NFS server", "This machine will be an NFS server",
@@ -1348,6 +1315,8 @@ DMenu MenuNetworking = {
dmenuVarCheck, dmenuSubmenu, NULL, &MenuNTP, '[', 'X', ']', "ntpdate_enable=YES" },
{ " PCNFSD", "Run authentication server for clients with PC-NFS.",
dmenuVarCheck, configPCNFSD, NULL, "pcnfsd" },
+ { " portmap", "This machine wants to run the portmapper daemon",
+ dmenuVarCheck, dmenuToggleVariable, NULL, "portmap_enable=YES" },
{ " Routed", "Select routing daemon (default: routed)",
dmenuVarCheck, configRouter, NULL, "router_enable=YES" },
{ " Rwhod", "This machine wants to run the rwho daemon",
@@ -1369,7 +1338,7 @@ DMenu MenuNTP = {
"close to you to have your system time synchronized accordingly.",
"These are the primary open-access NTP servers",
NULL,
- { { "None", "No ntp server",
+ { { "None", "No NTP server",
dmenuVarsCheck, dmenuSetVariables, NULL,
"ntpdate_enable=NO,ntpdate_flags=none" },
{ "Other", "Select a site not on this list",
@@ -1625,6 +1594,21 @@ DMenu MenuUsermgmt = {
{ NULL } },
};
+DMenu MenuSecurityProfile = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Default system security profile",
+ "Each item in this list will set what it considers to\n"
+ "be \"appropriate\" values in that category for various\n"
+ "security-related knobs in /etc/rc.conf.",
+ "Select a canned security profile.",
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)", NULL, configSecurityModerate },
+ { "Low", "Fairly wide-open (little) security.", NULL, configSecurityLiberal },
+ { "Medium", "Moderate security settings [DEFAULT].", NULL, configSecurityModerate },
+ { "High", "Very restrictive security settings.", NULL, configSecurityFascist },
+ { NULL } },
+};
+
DMenu MenuFixit = {
DMENU_NORMAL_TYPE,
"Please choose a fixit option",
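Review bot: The `X Exit` row of `MenuSecurityProfile` is wired to `configSecurityModerate` rather than `dmenuExit`, so leaving the menu without choosing anything runs the Medium handler. If a user who already picked High re-enters this menu and exits, that would presumably replace the stricter settings with the moderate ones without any prompt. The handler body is in config.c and not visible here, so this needs confirming. The other `X Exit` rows visible in this diff use `dmenuExit`. Suggest `{ "X Exit", "Exit this menu (returning to previous)", NULL, dmenuExit },` here, with the default profile applied once elsewhere in the install flow.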
diff --git a/usr.sbin/sysinstall/sysinstall.h b/usr.sbin/sysinstall/sysinstall.h
index d44b8cb..5049470 100644
--- a/usr.sbin/sysinstall/sysinstall.h
+++ b/usr.sbin/sysinstall/sysinstall.h
@@ -375,6 +375,7 @@ extern DMenu MenuMediaFTP; /* FTP media menu */
extern DMenu MenuMediaTape; /* Tape media menu */
extern DMenu MenuNetworkDevice; /* Network device menu */
extern DMenu MenuNTP; /* NTP time server menu */
+extern DMenu MenuSecurityProfile; /* Security profile menu */
extern DMenu MenuStartup; /* Startup services menu */
extern DMenu MenuSyscons; /* System console configuration menu */
extern DMenu MenuSysconsFont; /* System console font configuration menu */
@@ -387,7 +388,6 @@ extern DMenu MenuInstallCustom; /* Custom Installation menu */
extern DMenu MenuDistributions; /* Distribution menu */
extern DMenu MenuDiskDevices; /* Disk type devices */
extern DMenu MenuSubDistributions; /* Custom distribution menu */
-extern DMenu MenuCRYPTODistributions;/* Encryption distribution menu */
extern DMenu MenuSrcDistributions; /* Source distribution menu */
extern DMenu MenuXF86; /* XFree86 main menu */
extern DMenu MenuXF86Select; /* XFree86 distribution selection menu */
@@ -443,6 +443,10 @@ extern int configRouter(dialogMenuItem *self);
extern int configPCNFSD(dialogMenuItem *self);
extern int configNFSServer(dialogMenuItem *self);
extern int configWriteRC_conf(dialogMenuItem *self);
+extern int configSecurityProfile(dialogMenuItem *self);
+extern int configSecurityFascist(dialogMenuItem *self);
+extern int configSecurityModerate(dialogMenuItem *self);
+extern int configSecurityLiberal(dialogMenuItem *self);
/* crc.c */
extern int crc(int, unsigned long *, unsigned long *);
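Review bot: The three handler prototypes are named `configSecurityFascist`, `configSecurityModerate` and `configSecurityLiberal`, while the menu labels them High, Medium and Low, and no comment ties the two together. A trailing comment on each line, such as `/* "High" profile */`, would let a reader map a menu choice to the code that sets the rc.conf knobs. `configSecurityProfile` is also declared here but not referenced in any menu hunk visible in this part of the diff, so it is worth confirming that it has a caller.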
@@ -496,7 +500,6 @@ extern int distSetUser(dialogMenuItem *self);
extern int distSetXUser(dialogMenuItem *self);
extern int distSetMinimum(dialogMenuItem *self);
extern int distSetEverything(dialogMenuItem *self);
-extern int distSetCRYPTO(dialogMenuItem *self);
extern int distSetSrc(dialogMenuItem *self);
extern int distSetXF86(dialogMenuItem *self);
extern int distExtractAll(dialogMenuItem *self);