o Expand the text describing the Security options menu.

o Move nfs_reserved_port_only out of security profiles (where it was
  set somewhat improperly) to the Security options menu directly.
  Previously, the variable was set to true for Moderate, but not for
  Extreme, which is at best inconsistent.
o Update the Security Profiles help file to remove reference to the
  NFS reserved port.

o Note that the kernel currently defaults the sysctl to '0', but
  sysinstall has changed it to '1' as a default as of late; however,
  rc.conf sets the value to NO as the default.  This change brings
  them relatively into sync.

Sponsored by:	DARPA, NAI Labs

5 files changed, 12 insertions, 10 deletions

diff --git a/usr.sbin/sade/config.c b/usr.sbin/sade/config.c
index cf68adb..fcf0d03 100644
--- a/usr.sbin/sade/config.c
+++ b/usr.sbin/sade/config.c
@@ -532,7 +532,6 @@ configSecurityModerate(dialogMenuItem *self)
 {
     WINDOW *w = savescr();
 
-    variable_set2("nfs_reserved_port_only", "YES", 1);
     variable_set2("sendmail_enable", "YES", 1);
     variable_set2("sshd_enable", "YES", 1);
     variable_set2("kern_securelevel_enable", "NO", 1);
diff --git a/usr.sbin/sade/menus.c b/usr.sbin/sade/menus.c
index 3e18789..bfbb317 100644
--- a/usr.sbin/sade/menus.c
+++ b/usr.sbin/sade/menus.c
@@ -2083,7 +2083,10 @@ DMenu MenuSecurity = {
     DMENU_CHECKLIST_TYPE | DMENU_SELECTION_RETURNS,
     "System Security Options Menu",
     "This menu allows you to configure aspects of the operating systme\n"
-    "policy.\n",
+    "policy.  If configured improperly, these settings may result in\n"
+    "substantially impaired system operation.  Please read the system\n"
+    "documentation carefully before modifying these settings.  Many\n"
+    "settings will take affect only following a system reboot.",
     "Configure system security options",
     NULL,
     { { "X Exit",      "Exit this menu (returning to previous)",
@@ -2092,6 +2095,8 @@ DMenu MenuSecurity = {
 	NULL, configSecurityProfile },
       { " LOMAC",         "Use Low Watermark Mandatory Access Control at boot",
 	dmenuVarCheck,  dmenuToggleVariable, NULL, "lomac_enable=YES" },
+      { " NFS port",	"Require that the NFS clients used reserved ports",
+	dmenuVarCheck,  dmenuToggleVariable, NULL, "nfs_reserved_port_only=YES" },
       { NULL } },
 };
 
diff --git a/usr.sbin/sysinstall/config.c b/usr.sbin/sysinstall/config.c
index cf68adb..fcf0d03 100644
--- a/usr.sbin/sysinstall/config.c
+++ b/usr.sbin/sysinstall/config.c
@@ -532,7 +532,6 @@ configSecurityModerate(dialogMenuItem *self)
 {
     WINDOW *w = savescr();
 
-    variable_set2("nfs_reserved_port_only", "YES", 1);
     variable_set2("sendmail_enable", "YES", 1);
     variable_set2("sshd_enable", "YES", 1);
     variable_set2("kern_securelevel_enable", "NO", 1);
diff --git a/usr.sbin/sysinstall/help/security.hlp b/usr.sbin/sysinstall/help/security.hlp
index ee172ff..33e52e2 100644
--- a/usr.sbin/sysinstall/help/security.hlp
+++ b/usr.sbin/sysinstall/help/security.hlp
@@ -5,12 +5,6 @@ profiles:
 
                Extreme        Medium
                -------        ------
-nfs_server     NO             *
 sendmail       NO             YES
 sshd           NO             YES
 securelevel    YES (2)        NO
-
-
-NOTES:
-*  If the machine has been configured as an NFS server, NFS will only run
-   on a reserved port.
diff --git a/usr.sbin/sysinstall/menus.c b/usr.sbin/sysinstall/menus.c
index 3e18789..bfbb317 100644
--- a/usr.sbin/sysinstall/menus.c
+++ b/usr.sbin/sysinstall/menus.c
@@ -2083,7 +2083,10 @@ DMenu MenuSecurity = {
     DMENU_CHECKLIST_TYPE | DMENU_SELECTION_RETURNS,
     "System Security Options Menu",
     "This menu allows you to configure aspects of the operating systme\n"
-    "policy.\n",
+    "policy.  If configured improperly, these settings may result in\n"
+    "substantially impaired system operation.  Please read the system\n"
+    "documentation carefully before modifying these settings.  Many\n"
+    "settings will take affect only following a system reboot.",
     "Configure system security options",
     NULL,
     { { "X Exit",      "Exit this menu (returning to previous)",
@@ -2092,6 +2095,8 @@ DMenu MenuSecurity = {
 	NULL, configSecurityProfile },
       { " LOMAC",         "Use Low Watermark Mandatory Access Control at boot",
 	dmenuVarCheck,  dmenuToggleVariable, NULL, "lomac_enable=YES" },
+      { " NFS port",	"Require that the NFS clients used reserved ports",
+	dmenuVarCheck,  dmenuToggleVariable, NULL, "nfs_reserved_port_only=YES" },
       { NULL } },
 };