authorrwatson <rwatson@FreeBSD.org>2001-08-10 23:57:43 +0000
committerrwatson <rwatson@FreeBSD.org>2001-08-10 23:57:43 +0000
commit5dc8929a4df9432ed9fce8866220f39176df199d (patch)
tree3bc6c70dbda13e78bbdb414531ec82577d9fb1b0 /usr.sbin/sysinstall/config.c
parente1cf3a47437c4deaa5cf65bf38a73b29bcbf00c6 (diff)
o Reduce the number of offered security profiles, as we now have a more
conservative default, and actually prompt specifically for inetd rather than handling it as a side effect of the security profile. Update the help file to reflect this change. o Rename "Fascist" to "Extreme" in the source code, to match the names presented to the user. o Remove portmap and inetd from profile management. Portmap is now disabled by default, but automatically turned on if a feature requires it (such as NFS, etc). This is an MFC candidate for 4.4-RELEASE. Reviewed by: freebsd-arch@FreeBSD.org Approved by: re@FreeBSD.org MFC after: 2 days
Diffstat (limited to 'usr.sbin/sysinstall/config.c')
-rw-r--r--usr.sbin/sysinstall/config.c85
1 files changed, 12 insertions, 73 deletions
diff --git a/usr.sbin/sysinstall/config.c b/usr.sbin/sysinstall/config.c
index 2085691..91dc643 100644
--- a/usr.sbin/sysinstall/config.c
+++ b/usr.sbin/sysinstall/config.c
@@ -487,52 +487,22 @@ configSecurityProfile(dialogMenuItem *self)
return DITEM_SUCCESS;
}
-/* Use the most fascist security settings */
+/* Use the most extreme security settings */
int
-configSecurityFascist(dialogMenuItem *self)
+configSecurityExtreme(dialogMenuItem *self)
{
WINDOW *w = savescr();
- variable_set2("inetd_enable", "NO", 1);
- variable_set2("portmap_enable", "NO", 1);
+ variable_set2("nfs_server_enable", "NO", 1);
variable_set2("sendmail_enable", "NO", 1);
variable_set2("sshd_enable", "NO", 1);
- variable_set2("nfs_server_enable", "NO", 1);
variable_set2("kern_securelevel_enable", "YES", 1);
variable_set2("kern_securelevel", "2", 1);
- /* More fascist stuff should go here */
if (self)
msgConfirm("Extreme security settings have been selected.\n\n"
- "This means that all \"popular\" network services and\n"
- "mechanisms like inetd(8) have been DISABLED by default.\n\n"
- "PLEASE NOTE that this still does not save you from having\n"
- "to properly secure your system in other ways or exercise\n"
- "due diligence in your administration, this simply picks\n"
- "a more secure set of out-of-box defaults to start with.\n\n"
- "To change any of these settings later, edit /etc/rc.conf");
-
- restorescr(w);
- return DITEM_SUCCESS;
-}
-
-int
-configSecurityHigh(dialogMenuItem *self)
-{
- WINDOW *w = savescr();
-
- variable_set2("inetd_enable", "NO", 1);
- variable_set2("sendmail_enable", "YES", 1);
- variable_set2("sshd_enable", "YES", 1);
- variable_set2("portmap_enable", "NO", 1);
- variable_set2("nfs_server_enable", "NO", 1);
- variable_set2("kern_securelevel_enable", "YES", 1);
- variable_set2("kern_securelevel", "1", 1);
-
- if (self)
- msgConfirm("High security settings have been selected.\n\n"
- "This means that most \"popular\" network services and\n"
- "mechanisms like inetd(8) have been DISABLED by default.\n\n"
+ "Sendmail, SSHd, and NFS services have been disabled, and\n"
+ "securelevels have been enabled.\n"
"PLEASE NOTE that this still does not save you from having\n"
"to properly secure your system in other ways or exercise\n"
"due diligence in your administration, this simply picks\n"
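Review bot: configSecurityExtreme no longer sets `inetd_enable` or `portmap_enable`, so the strictest profile now depends on whatever values those variables already hold when it runs. The commit message says portmap is off by default and inetd is prompted for separately, but neither is visible in this hunk; if the profile is applied after inetd has been enabled, it would presumably stay enabled while the dialog announces extreme settings. Either keep `variable_set2("inetd_enable", "NO", 1);` in this profile or add a sentence to the msgConfirm text saying that inetd and portmap are left unchanged. The new summary line also ends in a single `\n`, so it runs straight into "PLEASE NOTE" where the old text had a blank line. The function's closing lines fall in the next hunk.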
@@ -543,54 +513,23 @@ configSecurityHigh(dialogMenuItem *self)
return DITEM_SUCCESS;
}
-int
configSecurityModerate(dialogMenuItem *self)
{
WINDOW *w = savescr();
- variable_set2("inetd_enable", "YES", 1);
- if (!variable_cmp("nfs_client_enable", "YES") ||
- !variable_cmp("nfs_server_enable", "YES"))
- variable_set2("portmap_enable", "YES", 1);
- if (!variable_cmp("nfs_server_enable", "YES"))
- variable_set2("nfs_reserved_port_only", "YES", 1);
+ variable_set2("nfs_reserved_port_only", "YES", 1);
variable_set2("sendmail_enable", "YES", 1);
variable_set2("sshd_enable", "YES", 1);
variable_set2("kern_securelevel_enable", "NO", 1);
if (self)
msgConfirm("Moderate security settings have been selected.\n\n"
- "This means that most \"popular\" network services and\n"
- "mechanisms like inetd(8) have been enabled by default\n"
- "for a comfortable user experience but with possible\n"
- "trade-offs in system security. If this bothers you and\n"
- "you know exactly what you are doing, select one of the\n"
- "other security profiles instead.\n\n"
- "To change any of these settings later, edit /etc/rc.conf");
-
- restorescr(w);
- return DITEM_SUCCESS;
-}
-
-int
-configSecurityLiberal(dialogMenuItem *self)
-{
- WINDOW *w = savescr();
-
- variable_set2("inetd_enable", "YES", 1);
- variable_set2("portmap_enable", "YES", 1);
- variable_set2("sendmail_enable", "YES", 1);
- variable_set2("sshd_enable", "YES", 1);
- variable_set2("kern_securelevel_enable", "NO", 1);
-
- if (self)
- msgConfirm("Liberal security settings have been selected.\n\n"
- "This means that most \"popular\" network services and\n"
- "mechanisms like inetd(8) have been enabled by default\n"
- "for the most comfortable user experience but with possible\n"
- "trade-offs in system security. If this bothers you and\n"
- "you know exactly what you are doing, select one of the\n"
- "other security profiles instead.\n\n"
+ "Sendmail and SSHd have been enabled, securelevels are\n"
+ "disabled, and NFS server settings have been left intact.\n"
+ "PLEASE NOTE that this still does not save you from having\n"
+ "to properly secure your system in other ways or exercise\n"
+ "due diligence in your administration, this simply picks\n"
+ "a standard set of out-of-box defaults to start with.\n\n"
"To change any of these settings later, edit /etc/rc.conf");
restorescr(w);
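Review bot: The `int` line above `configSecurityModerate(dialogMenuItem *self)` is removed at the top of this hunk and not re-added, so the definition is left with an implicit return type; this looks like a side effect of deleting configSecurityHigh, and `int` should be restored on its own line before the function name. The new dialog text also says NFS server settings have been left intact, while the code now sets `nfs_reserved_port_only` to YES unconditionally, so the wording should mention that one setting. The function's closing lines are outside the hunk.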