diff options
| author | rwatson <rwatson@FreeBSD.org> | 2001-08-02 03:25:16 +0000 |
|---|---|---|
| committer | rwatson <rwatson@FreeBSD.org> | 2001-08-02 03:25:16 +0000 |
| commit | 1e1af75f40ca41406710beb9b92dce84af3e8325 (patch) | |
| tree | 69a33c016d59b2712939bd3387495c538e03fe8c /usr.sbin/sade/config.c | |
| parent | 4f9a35a47bfc7ab2e2bd6a15305928d80f80536c (diff) | |
| download | FreeBSD-src-1e1af75f40ca41406710beb9b92dce84af3e8325.zip FreeBSD-src-1e1af75f40ca41406710beb9b92dce84af3e8325.tar.gz | |
Compensate for default disabling of network services in inetd.conf(5)
by providing the opportunity to edit inetd.conf during the system
installation process. The following modifications were made:
(1) Expand the Anonymous FTP description dialog to indicate that inetd
and ftpd must be enabled before it can be used.
(2) Introduce a new configInetd() pair of dialogs, the first describing
inetd, giving a couple of examples of services that require it, and
hinting at potential risk, then asking the user if they wish to
enable it. The second indicates that inetd.conf must be configured
to enabled specific services, and asks if the user would like to
load inetd.conf into the editor to modify it. Add this
configuration action to the index.
There are some further improvements that might be considered:
(1) Provide a more inetd.conf-specific configuration tool that speaks
inetd.conf(5). However, this is made difficult by the "yet another
configuration format" nature of inetd.conf, as well as its use of
commenting to disable services, rather than an in-syntax way to
disable a service without commenting it out. Submissions here
would probably be welcome.
(2) There's some overlap between settings in the somewhat obtuse
Security Profile mechanism and other settings, including the inetd
setting, and NFS server configuration. As features become
individually tunable, they should probably be removed from the
security profile mechanism. Otherwise, somewhat counter-intuitively,
sysinstall (in practice) queries multiple times whether inetd, nfsd,
etc, should be enabled/disabled. A possible future direction might
be to drive profiles not by degree of paranoia, rather, the set
of services desired. Or simply to remove the Security Profile
mechanism and resort to feature-driven configuration.
Reviewed by: imp, chris, jake, nate, -arch, -stable
Diffstat (limited to 'usr.sbin/sade/config.c')
| -rw-r--r-- | usr.sbin/sade/config.c | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/usr.sbin/sade/config.c b/usr.sbin/sade/config.c index 41a8907..56ffede 100644 --- a/usr.sbin/sade/config.c +++ b/usr.sbin/sade/config.c @@ -955,6 +955,39 @@ configPCNFSD(dialogMenuItem *self) } int +configInetd(dialogMenuItem *self) +{ + char cmd[256]; + + WINDOW *w = savescr(); + + if (msgYesNo("The Internet Super Server (inetd) allows a number of simple Internet\n" + "services to be enabled, including finger, ftp, and telnetd. Enabling\n" + "these services may increase risk of security problems by increasing\n" + "the exposure of your system.\n\n" + "With this in mind, do you wish to enable inetd?\n")) { + variable_set2("inetd_enable", "NO", 1); + } else { + /* If inetd is enabled, we'll need an inetd.conf */ + + if (!msgYesNo("inetd(8) relies on its configuration file, /etc/inetd.conf, to determine\n" + "which of its Internet services will be available. The default FreeBSD\n" + "inetd.conf(5) leaves all services disabled by default, so they must be\n" + "specifically enabled in the configuration file before they will\n" + "function, even once inetd(8) is enabled. Note that services for\n" + "IPv6 must be seperately enabled from IPv4 services.\n\n" + "Select [Yes] now to invoke an editor on /etc/inetd.conf, or [No] to\n" + "use the current settings.\n")) { + sprintf(cmd, "%s /etc/inetd.conf", variable_get(VAR_EDITOR)); + dialog_clear(); + systemExecute(cmd); + variable_set2("inetd_enable", "YES", 1); + } + } + restorescr(w); +} + +int configNFSServer(dialogMenuItem *self) { char cmd[256]; |
