-rw-r--r--release/sysinstall/config.c93
-rw-r--r--release/sysinstall/dispatch.c1
-rw-r--r--release/sysinstall/dist.c50
-rw-r--r--release/sysinstall/install.c15
-rw-r--r--release/sysinstall/menus.c244
-rw-r--r--release/sysinstall/sysinstall.h7
-rw-r--r--usr.sbin/sade/config.c93
-rw-r--r--usr.sbin/sade/dispatch.c1
-rw-r--r--usr.sbin/sade/install.c15
-rw-r--r--usr.sbin/sade/menus.c244
-rw-r--r--usr.sbin/sade/sade.h7
-rw-r--r--usr.sbin/sysinstall/config.c93
-rw-r--r--usr.sbin/sysinstall/dispatch.c1
-rw-r--r--usr.sbin/sysinstall/dist.c50
-rw-r--r--usr.sbin/sysinstall/install.c15
-rw-r--r--usr.sbin/sysinstall/menus.c244
-rw-r--r--usr.sbin/sysinstall/sysinstall.h7
17 files changed, 685 insertions, 495 deletions
diff --git a/release/sysinstall/config.c b/release/sysinstall/config.c
index 8ce295b..cf37e94 100644
--- a/release/sysinstall/config.c
+++ b/release/sysinstall/config.c
@@ -388,10 +388,6 @@ configRC_conf(void)
fprintf(rcSite, "# This file now contains just the overrides from /etc/defaults/rc.conf\n");
fprintf(rcSite, "# please make all changes to this file.\n\n");
fprintf(rcSite, "# Enable network daemons for user convenience.\n");
- fprintf(rcSite, "inetd_enable=\"YES\"\n");
- fprintf(rcSite, "portmap_enable=\"YES\"\n");
- fprintf(rcSite, "sendmail_enable=\"YES\"\n");
- fprintf(rcSite, "sshd_enable=\"YES\"\n");
}
/* Now do variable substitutions */
@@ -470,6 +466,95 @@ configLinux(dialogMenuItem *self)
return i;
}
+int
+configSecurityProfile(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ dialog_clear_norefresh();
+ dmenuOpenSimple(&MenuSecurityProfile, FALSE);
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+/* Use the most fascist security settings */
+int
+configSecurityFascist(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "NO", 1);
+ variable_set2("portmap_enable", "NO", 1);
+ variable_set2("sendmail_enable", "NO", 1);
+ variable_set2("sshd_enable", "NO", 1);
+ variable_set2("nfs_server_enable", "NO", 1);
+ variable_set2("kern_securelevel_enable", "YES", 1);
+ variable_set2("kern_securelevel", "2", 1);
+ /* More fascist stuff should go here */
+
+ msgConfirm("High security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been DISABLED by default.\n\n"
+ "PLEASE NOTE that this still does not save you from having\n"
+ "to properly secure your system in other ways or exercise\n"
+ "due diligence in your administration, this simply picks\n"
+ "a more secure set of out-of-box defaults to start with.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+int
+configSecurityModerate(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "YES", 1);
+ if (!variable_cmp("nfs_client_enable", "YES") ||
+ !variable_cmp("nfs_server_enable", "YES"))
+ variable_set2("portmap_enable", "YES", 1);
+ if (!variable_cmp("nfs_server_enable", "YES"))
+ variable_set2("nfs_reserved_port_only", "YES", 1);
+ variable_set2("sendmail_enable", "YES", 1);
+ variable_set2("sshd_enable", "YES", 1);
+
+ msgConfirm("Moderate security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been enabled by default\n"
+ "for a comfortable user experience but with possible\n"
+ "trade-offs in system security. If this bothers you and\n"
+ "you know exactly what you are doing, select the high\n"
+ "high security profile instead.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+int
+configSecurityLiberal(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "YES", 1);
+ variable_set2("portmap_enable", "YES", 1);
+ variable_set2("sendmail_enable", "YES", 1);
+ variable_set2("sshd_enable", "YES", 1);
+
+ msgConfirm("Liberal security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been enabled by default\n"
+ "for the most comfortable user experience but with possible\n"
+ "trade-offs in system security. If this bothers you, select\n"
+ "the medium security profile or, if you know exactly what you\n"
+ "are doing, the high security profile instead.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
static void
write_root_xprofile(char *str)
{
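Review bot: The three profile functions do not each write the full set of knobs, so the resulting rc.conf depends on which profile was selected before. configSecurityFascist sets `kern_securelevel_enable` and `kern_securelevel`, but configSecurityModerate and configSecurityLiberal never reset them. configSecurityModerate also leaves a `portmap_enable=YES` from an earlier Liberal selection in place when neither NFS test matches. Each profile should set every knob it owns, for example `variable_set2("kern_securelevel_enable", "NO", 1);` in the two lower profiles and `else variable_set2("portmap_enable", "NO", 1);` on the first NFS test in configSecurityModerate. The Moderate message also reads "select the high\nhigh security profile" with a doubled word, and the same hunk is repeated in usr.sbin/sade/config.c.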
diff --git a/release/sysinstall/dispatch.c b/release/sysinstall/dispatch.c
index 0b388b4..cd64bf0 100644
--- a/release/sysinstall/dispatch.c
+++ b/release/sysinstall/dispatch.c
@@ -73,7 +73,6 @@ static struct _word {
{ "distSetXUser", distSetXUser },
{ "distSetMinimum", distSetMinimum },
{ "distSetEverything", distSetEverything },
- { "distSetCRYPTO", distSetCRYPTO },
{ "distSetSrc", distSetSrc },
{ "distSetXF86", distSetXF86 },
{ "distExtractAll", distExtractAll },
diff --git a/release/sysinstall/dist.c b/release/sysinstall/dist.c
index 61974c8d..e70f446 100644
--- a/release/sysinstall/dist.c
+++ b/release/sysinstall/dist.c
@@ -197,7 +197,6 @@ static Distribution XF86FontDistTable[] = {
{ NULL },
};
-static int distMaybeSetCRYPTO(dialogMenuItem *self);
static int distMaybeSetPorts(dialogMenuItem *self);
static void
@@ -211,7 +210,7 @@ distVerifyFlags(void)
Dists |= DIST_CRYPTO;
}
else if ((Dists & DIST_CRYPTO) && !CRYPTODists)
- CRYPTODists |= DIST_CRYPTO_CRYPTO;
+ CRYPTODists |= DIST_CRYPTO_ALL;
if (XF86Dists & DIST_XF86_SET)
XF86ServerDists |= DIST_XF86_SERVER_VGA16;
if (XF86ServerDists)
@@ -291,7 +290,9 @@ distSetDeveloper(dialogMenuItem *self)
distReset(NULL);
Dists = _DIST_DEVELOPER;
SrcDists = DIST_SRC_ALL;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ CRYPTODists |= (DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
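Review bot: The four-flag crypto-source mask written out here in distSetDeveloper is repeated verbatim in setSrc and clearSrc in menus.c, so any later change to the crypto source sub-distributions has to be made in three places. A single named mask defined beside the other DIST_CRYPTO_ flags would keep them in step. A comment above the assignment, such as `/* crypto sources are selected together with the full src set */`, would also explain why a developer install now picks them without the old prompt. distSetDeveloper begins above this hunk.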
@@ -315,7 +316,7 @@ distSetKernDeveloper(dialogMenuItem *self)
distReset(NULL);
Dists = _DIST_DEVELOPER;
SrcDists = DIST_SRC_SYS;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
@@ -338,7 +339,7 @@ distSetUser(dialogMenuItem *self)
distReset(NULL);
Dists = _DIST_USER;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
@@ -369,50 +370,15 @@ distSetEverything(dialogMenuItem *self)
Dists = DIST_ALL | DIST_XF86;
SrcDists = DIST_SRC_ALL;
+ CRYPTODists = DIST_CRYPTO_ALL;
XF86Dists = DIST_XF86_ALL;
XF86ServerDists = DIST_XF86_SERVER_ALL;
XF86FontDists = DIST_XF86_FONTS_ALL;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
-int
-distSetCRYPTO(dialogMenuItem *self)
-{
- int i;
-
- dialog_clear_norefresh();
- if (!dmenuOpenSimple(&MenuCRYPTODistributions, FALSE))
- i = DITEM_FAILURE;
- else
- i = DITEM_SUCCESS;
- distVerifyFlags();
- return i | DITEM_REDRAW | DITEM_RESTORE;
-}
-
-static int
-distMaybeSetCRYPTO(dialogMenuItem *self)
-{
- int i = DITEM_SUCCESS | DITEM_REDRAW;
-
- dialog_clear_norefresh();
- if (!msgYesNo("Do you wish to install cryptographic software?\n\n"
- "If you choose No, FreeBSD will use an MD5-based password scheme which,\n"
- "while more secure, is not interoperable with the traditional\n"
- "DES-based passwords used on other Unix systems.\n\n"
- "Note that the international crypto distribution has a better\n"
- "implementation of the RSA algorithm, which is patented in the U.S.\n"
- "If you are in the USA, use crypto + the rsaref port/package\n.")) {
- if (!dmenuOpenSimple(&MenuCRYPTODistributions, FALSE))
- i = DITEM_FAILURE;
- }
-
- dialog_clear_norefresh();
- distVerifyFlags();
- return i | DITEM_REDRAW | DITEM_RESTORE;
-}
-
static int
distMaybeSetPorts(dialogMenuItem *self)
{
diff --git a/release/sysinstall/install.c b/release/sysinstall/install.c
index 67399ca..cc53f3e 100644
--- a/release/sysinstall/install.c
+++ b/release/sysinstall/install.c
@@ -472,6 +472,9 @@ installExpress(dialogMenuItem *self)
if (DITEM_STATUS((i = installCommit(self))) == DITEM_SUCCESS) {
i |= DITEM_LEAVE_MENU;
+ /* Set default security level */
+ configSecurityModerate(self);
+
/* Give user the option of one last configuration spree */
installConfigure();
}
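Review bot: Calling `configSecurityModerate(self)` unconditionally after a successful commit overwrites whatever `inetd_enable`, `sendmail_enable` and `sshd_enable` values were set earlier, because the helper in config.c calls variable_set2 for each without a check. The helper also always ends in a msgConfirm dialog. A profile chosen beforehand through the new Security menu is therefore reset to medium, and an unattended install may stop at the dialog; the second effect is inferred from the helper body, not from this hunk. Consider applying the default only when no profile has been selected, and state that in the comment, e.g. `/* Apply the medium profile unless one was already chosen */`. The same call is added in installCustomCommit further down and in usr.sbin/sade/install.c; installExpress continues outside this hunk.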
@@ -560,10 +563,12 @@ nodisks:
"between interfaces)?"))
variable_set2("gateway_enable", "YES", 1);
+ dialog_clear_norefresh();
if (msgYesNo("Do you want to grant only normal users FTP access to this\n"
"host (e.g. no anonymous FTP connections)?"))
configAnonFTP(self);
+ dialog_clear_norefresh();
if (!msgYesNo("Do you want to configure this machine as an NFS server?"))
configNFSServer(self);
@@ -571,6 +576,13 @@ nodisks:
if (!msgYesNo("Do you want to configure this machine as an NFS client?"))
variable_set2("nfs_client_enable", "YES", 1);
+ if (msgYesNo("Do you want to select a default security profile for\n"
+ "this host (\"medium\" security being the default)?"))
+ configSecurityProfile(self);
+ else
+ configSecurityModerate(self);
+
+ dialog_clear_norefresh();
if (!msgYesNo("Would you like to customize your system console settings?"))
dmenuOpenSimple(&MenuSyscons, FALSE);
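Review bot: The new security-profile question appears to branch the wrong way round. The neighbouring prompts treat `!msgYesNo(...)` as the "yes" answer, as in `if (!msgYesNo("Do you want to configure this machine as an NFS server?")) configNFSServer(self);`. Here a "yes" would therefore skip the menu and apply the medium profile, while a "no" opens configSecurityProfile. If that reading of msgYesNo is correct, negate the condition so it starts `if (!msgYesNo("Do you want to select a default security profile for\n"`, keeping the `else configSecurityModerate(self);` branch. The enclosing function starts and ends outside the hunk, and the same lines appear in usr.sbin/sade/install.c.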
@@ -632,6 +644,9 @@ installCustomCommit(dialogMenuItem *self)
i = installCommit(self);
if (DITEM_STATUS(i) == DITEM_SUCCESS) {
+ /* Set default security level */
+ configSecurityModerate(self);
+
/* Give user the option of one last configuration spree */
installConfigure();
return i;
diff --git a/release/sysinstall/menus.c b/release/sysinstall/menus.c
index eee9959..b07008d 100644
--- a/release/sysinstall/menus.c
+++ b/release/sysinstall/menus.c
@@ -42,6 +42,8 @@ setSrc(dialogMenuItem *self)
{
Dists |= DIST_SRC;
SrcDists = DIST_SRC_ALL;
+ CRYPTODists |= (DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
return DITEM_SUCCESS | DITEM_REDRAW;
}
@@ -50,22 +52,8 @@ clearSrc(dialogMenuItem *self)
{
Dists &= ~DIST_SRC;
SrcDists = 0;
- return DITEM_SUCCESS | DITEM_REDRAW;
-}
-
-static int
-setCRYPTO(dialogMenuItem *self)
-{
- Dists |= DIST_CRYPTO;
- CRYPTODists = DIST_CRYPTO_ALL;
- return DITEM_SUCCESS | DITEM_REDRAW;
-}
-
-static int
-clearCRYPTO(dialogMenuItem *self)
-{
- Dists &= ~DIST_CRYPTO;
- CRYPTODists = 0;
+ CRYPTODists &= ~(DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
return DITEM_SUCCESS | DITEM_REDRAW;
}
@@ -121,10 +109,10 @@ clearX11Fonts(dialogMenuItem *self)
#define _IS_SET(dist, set) (((dist) & (set)) == (set))
#define IS_DEVELOPER(dist, extra) (_IS_SET(dist, _DIST_DEVELOPER | extra) || \
- _IS_SET(dist, _DIST_DEVELOPER | DIST_CRYPTO | extra))
+ _IS_SET(dist, _DIST_DEVELOPER | extra))
#define IS_USER(dist, extra) (_IS_SET(dist, _DIST_USER | extra) || \
- _IS_SET(dist, _DIST_USER | DIST_CRYPTO | extra))
+ _IS_SET(dist, _DIST_USER | extra))
static int
checkDistDeveloper(dialogMenuItem *self)
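Review bot: With `DIST_CRYPTO` dropped from the second operand, both sides of the `||` in IS_DEVELOPER and IS_USER are now the same expression, so the second test is dead code. Reduce each macro to one test, e.g. `#define IS_USER(dist, extra) _IS_SET(dist, _DIST_USER | (extra))`, and likewise for IS_DEVELOPER. Parenthesizing `extra` at the same time avoids precedence surprises when a caller passes an expression.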
@@ -171,19 +159,14 @@ checkDistMinimum(dialogMenuItem *self)
static int
checkDistEverything(dialogMenuItem *self)
{
- return Dists == DIST_ALL && _IS_SET(SrcDists, DIST_SRC_ALL) && \
+ return Dists == DIST_ALL && CRYPTODists == DIST_CRYPTO_ALL && \
+ _IS_SET(SrcDists, DIST_SRC_ALL) && \
_IS_SET(XF86Dists, DIST_XF86_ALL) && \
_IS_SET(XF86ServerDists, DIST_XF86_SERVER_ALL) && \
_IS_SET(XF86FontDists, DIST_XF86_FONTS_ALL);
}
static int
-CRYPTOFlagCheck(dialogMenuItem *item)
-{
- return CRYPTODists;
-}
-
-static int
srcFlagCheck(dialogMenuItem *item)
{
return SrcDists;
@@ -225,7 +208,6 @@ DMenu MenuIndex = {
{ " Disklabel", "The disk Label editor", NULL, diskLabelEditor },
{ " Dists, All", "Root of the distribution tree.", NULL, dmenuSubmenu, NULL, &MenuDistributions },
{ " Dists, Basic", "Basic FreeBSD distribution menu.", NULL, dmenuSubmenu, NULL, &MenuSubDistributions },
- { " Dists, CRYPTO", "Encryption distribution menu.", NULL, dmenuSubmenu, NULL, &MenuCRYPTODistributions },
{ " Dists, Developer", "Select developer's distribution.", checkDistDeveloper, distSetDeveloper },
{ " Dists, Src", "Src distribution menu.", NULL, dmenuSubmenu, NULL, &MenuSrcDistributions },
{ " Dists, X Developer", "Select X developer's distribution.", checkDistXDeveloper, distSetXDeveloper },
@@ -275,6 +257,7 @@ DMenu MenuIndex = {
{ " PCNFSD", "Run authentication server for PC-NFS.", dmenuVarCheck, configPCNFSD, NULL, "pcnfsd" },
{ " Root Password", "Set the system manager's password.", NULL, dmenuSystemCommand, NULL, "passwd root" },
{ " Router", "Select routing daemon (default: routed)", NULL, configRouter, NULL, "router_enable" },
+ { " Security", "Select a default system security profile.", NULL, dmenuSubmenu, NULL, &MenuSecurityProfile },
{ " Syscons", "The system console configuration menu.", NULL, dmenuSubmenu, NULL, &MenuSyscons },
{ " Syscons, Font", "The console screen font.", NULL, dmenuSubmenu, NULL, &MenuSysconsFont },
{ " Syscons, Keymap", "The console keymap configuration menu.", NULL, dmenuSubmenu, NULL, &MenuSysconsKeymap },
@@ -425,70 +408,6 @@ DMenu MenuMouse = {
{ NULL } },
};
-DMenu MenuXF86Config = {
- DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
- "Please select the XFree86 configuration tool you want to use.",
-#ifdef __alpha__
- "Due to problems with the VGA16 server right now, only the\n"
- "text-mode configuration tool (xf86config) is currently supported.",
-#else
- "The first tool, XF86Setup, is fully graphical and requires the\n"
- "VGA16 server in order to work (should have been selected by\n"
- "default, but if you de-selected it then you won't be able to\n"
- "use this fancy setup tool). The second tool, xf86config, is\n"
- "a more simplistic shell-script based tool and less friendly to\n"
- "new users, but it may work in situations where the fancier one\n"
- "does not.",
-#endif
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- NULL, dmenuExit },
-#ifdef __alpha__
- { "2 xf86config", "Shell-script based XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
-#else
- { "2 XF86Setup", "Fully graphical XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF86Setup" },
- { "3 xf86config", "Shell-script based XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
- { "4 XF98Setup", "Fully graphical XFree86 configuration tool (PC98).",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF98Setup" },
-#endif
- { "D XDesktop", "X already set up, just do desktop configuration.",
- NULL, dmenuSubmenu, NULL, &MenuXDesktops },
- { NULL } },
-};
-
-DMenu MenuXDesktops = {
- DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
- "Please select the default X desktop to use.",
- "By default, XFree86 comes with a fairly vanilla desktop which\n"
- "is based around the twm(1) window manager and does not offer\n"
- "much in the way of features. It does have the advantage of\n"
- "being a standard part of X so you don't need to load anything\n"
- "extra in order to use it. If, however, you have access to a\n"
- "reasonably full packages collection on your installation media,\n"
- "you can choose any one of the following desktops as alternatives.",
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- NULL, dmenuExit },
- { "2 KDE", "The K Desktop Environment.",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=kde" },
- { "3 GNOME + Afterstep", "GNOME + Afterstep window manager.",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=gnome" },
- { "4 GNOME + Enlightenment","GNOME + The E window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=enlightenment" },
- { "5 Afterstep", "The Afterstep window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=afterstep" },
- { "6 Windowmaker", "The Windowmaker window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=windowmaker" },
- { "7 fvwm2", "The fvwm2 window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=fvwm2" },
- { NULL } },
-};
-
DMenu MenuMediaCDROM = {
DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
"Choose a CDROM type",
@@ -844,8 +763,17 @@ DMenu MenuSubDistributions = {
dmenuFlagCheck, dmenuSetFlag, NULL, &Dists, '[', 'X', ']', DIST_COMPAT3X },
#endif
#endif
- { " CRYPTO", "Encryption code - NOT FOR EXPORT!",
- CRYPTOFlagCheck,distSetCRYPTO },
+ { " crypto", "Basic encryption services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_CRYPTO, },
+#if __FreeBSD__ <= 3
+ { " krb", "KerberosIV authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS },
+#else
+ { " krb4", "KerberosIV authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS4 },
+ { " krb5", "Kerberos5 authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS5 },
+#endif
{ " dict", "Spelling checker dictionary files",
dmenuFlagCheck, dmenuSetFlag, NULL, &Dists, '[', 'X', ']', DIST_DICT },
{ " doc", "Miscellaneous FreeBSD online docs",
@@ -871,43 +799,6 @@ DMenu MenuSubDistributions = {
{ NULL } },
};
-DMenu MenuCRYPTODistributions = {
- DMENU_CHECKLIST_TYPE | DMENU_SELECTION_RETURNS,
- "Select the encryption facilities you wish to install.",
- "Please check off any special encryption distributions\n"
- "you would like to install. Please note that these services are NOT FOR\n"
- "EXPORT from the United States. For information on non-U.S. FTP\n"
- "distributions of this software, please consult the release notes.",
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- checkTrue, dmenuExit, NULL, NULL, '<', '<', '<' },
- { "All", "Select all of the below",
- NULL, setCRYPTO, NULL, NULL, ' ', ' ', ' ' },
- { "Reset", "Reset all of the below",
- NULL, clearCRYPTO, NULL, NULL, ' ', ' ', ' ' },
- { " crypto", "Basic encryption services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_CRYPTO, },
-#if __FreeBSD__ <= 3
- { " krb", "KerberosIV authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS },
-#else
- { " krb4", "KerberosIV authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS4 },
- { " krb5", "Kerberos5 authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS5 },
-#endif
- { " skrb4", "Sources for KerberosIV",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS4 },
- { " skrb5", "Sources for Kerberos5",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS5 },
- { " ssecure", "BSD encryption sources",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SSECURE },
- { " scrypto", "Contributed encryption sources",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SCRYPTO },
- { NULL } },
-};
-
DMenu MenuSrcDistributions = {
DMENU_CHECKLIST_TYPE | DMENU_SELECTION_RETURNS,
"Select the sub-components of src you wish to install.",
@@ -943,8 +834,16 @@ DMenu MenuSrcDistributions = {
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_BIN },
{ " sbin", "/usr/src/sbin (system binaries)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SBIN },
+ { " scrypto", "/usr/src/crypto (contrib encryption sources)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SCRYPTO },
{ " share", "/usr/src/share (documents and shared files)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SHARE },
+ { " skrb4", "/usr/src/kerberosIV (sources for KerberosIV)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS4 },
+ { " skrb5", "/usr/src/kerberos5 (sources for Kerberos5)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS5 },
+ { " ssecure", "/usr/src/secure (BSD encryption sources)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SSECURE },
{ " sys", "/usr/src/sys (FreeBSD kernel)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SYS },
{ " tools", "/usr/src/tools (miscellaneous tools)",
@@ -956,6 +855,70 @@ DMenu MenuSrcDistributions = {
{ NULL } },
};
+DMenu MenuXF86Config = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Please select the XFree86 configuration tool you want to use.",
+#ifdef __alpha__
+ "Due to problems with the VGA16 server right now, only the\n"
+ "text-mode configuration tool (xf86config) is currently supported.",
+#else
+ "The first tool, XF86Setup, is fully graphical and requires the\n"
+ "VGA16 server in order to work (should have been selected by\n"
+ "default, but if you de-selected it then you won't be able to\n"
+ "use this fancy setup tool). The second tool, xf86config, is\n"
+ "a more simplistic shell-script based tool and less friendly to\n"
+ "new users, but it may work in situations where the fancier one\n"
+ "does not.",
+#endif
+ NULL,
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)",
+ NULL, dmenuExit },
+#ifdef __alpha__
+ { "2 xf86config", "Shell-script based XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
+#else
+ { "2 XF86Setup", "Fully graphical XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF86Setup" },
+ { "3 xf86config", "Shell-script based XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
+ { "4 XF98Setup", "Fully graphical XFree86 configuration tool (PC98).",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF98Setup" },
+#endif
+ { "D XDesktop", "X already set up, just do desktop configuration.",
+ NULL, dmenuSubmenu, NULL, &MenuXDesktops },
+ { NULL } },
+};
+
+DMenu MenuXDesktops = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Please select the default X desktop to use.",
+ "By default, XFree86 comes with a fairly vanilla desktop which\n"
+ "is based around the twm(1) window manager and does not offer\n"
+ "much in the way of features. It does have the advantage of\n"
+ "being a standard part of X so you don't need to load anything\n"
+ "extra in order to use it. If, however, you have access to a\n"
+ "reasonably full packages collection on your installation media,\n"
+ "you can choose any one of the following desktops as alternatives.",
+ NULL,
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)",
+ NULL, dmenuExit },
+ { "2 KDE", "The K Desktop Environment.",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=kde" },
+ { "3 GNOME + Afterstep", "GNOME + Afterstep window manager.",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=gnome" },
+ { "4 GNOME + Enlightenment","GNOME + The E window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=enlightenment" },
+ { "5 Afterstep", "The Afterstep window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=afterstep" },
+ { "6 Windowmaker", "The Windowmaker window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=windowmaker" },
+ { "7 fvwm2", "The fvwm2 window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=fvwm2" },
+ { NULL } },
+};
+
DMenu MenuXF86Select = {
DMENU_NORMAL_TYPE,
"XFree86 3.3.6 Distribution",
@@ -1254,6 +1217,8 @@ DMenu MenuConfigure = {
NULL, dmenuSubmenu, NULL, &MenuMouse, NULL },
{ " Networking", "Configure additional network services",
NULL, dmenuSubmenu, NULL, &MenuNetworking },
+ { " Security", "Select default system security profile",
+ NULL, dmenuSubmenu, NULL, &MenuSecurityProfile },
{ " Startup", "Configure system startup options",
NULL, dmenuSubmenu, NULL, &MenuStartup },
{ " Options", "View/Set various installation options",
@@ -1340,6 +1305,8 @@ DMenu MenuNetworking = {
dmenuVarCheck, configAnonFTP, NULL, "anon_ftp" },
{ " Gateway", "This machine will route packets between interfaces",
dmenuVarCheck, dmenuToggleVariable, NULL, "gateway_enable=YES" },
+ { " inetd", "This machine wants to run the inet daemon",
+ dmenuVarCheck, dmenuToggleVariable, NULL, "inetd_enable=YES" },
{ " NFS client", "This machine will be an NFS client",
dmenuVarCheck, dmenuToggleVariable, NULL, "nfs_client_enable=YES" },
{ " NFS server", "This machine will be an NFS server",
@@ -1348,6 +1315,8 @@ DMenu MenuNetworking = {
dmenuVarCheck, dmenuSubmenu, NULL, &MenuNTP, '[', 'X', ']', "ntpdate_enable=YES" },
{ " PCNFSD", "Run authentication server for clients with PC-NFS.",
dmenuVarCheck, configPCNFSD, NULL, "pcnfsd" },
+ { " portmap", "This machine wants to run the portmapper daemon",
+ dmenuVarCheck, dmenuToggleVariable, NULL, "portmap_enable=YES" },
{ " Routed", "Select routing daemon (default: routed)",
dmenuVarCheck, configRouter, NULL, "router_enable=YES" },
{ " Rwhod", "This machine wants to run the rwho daemon",
@@ -1369,7 +1338,7 @@ DMenu MenuNTP = {
"close to you to have your system time synchronized accordingly.",
"These are the primary open-access NTP servers",
NULL,
- { { "None", "No ntp server",
+ { { "None", "No NTP server",
dmenuVarsCheck, dmenuSetVariables, NULL,
"ntpdate_enable=NO,ntpdate_flags=none" },
{ "Other", "Select a site not on this list",
@@ -1625,6 +1594,21 @@ DMenu MenuUsermgmt = {
{ NULL } },
};
+DMenu MenuSecurityProfile = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Default system security profile",
+ "Each item in this list will set what it considers to\n"
+ "be \"appropriate\" values in that category for various\n"
+ "security-related knobs in /etc/rc.conf.",
+ "Select a canned security profile.",
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)", NULL, configSecurityModerate },
+ { "Low", "Fairly wide-open (little) security.", NULL, configSecurityLiberal },
+ { "Medium", "Moderate security settings [DEFAULT].", NULL, configSecurityModerate },
+ { "High", "Very restrictive security settings.", NULL, configSecurityFascist },
+ { NULL } },
+};
+
DMenu MenuFixit = {
DMENU_NORMAL_TYPE,
"Please choose a fixit option",
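Review bot: The "X Exit" entry of MenuSecurityProfile is bound to `configSecurityModerate`, so opening this menu and leaving it applies the medium profile and shows its confirmation dialog. Because the menu is now also reachable from MenuConfigure and MenuIndex, looking at it after choosing High replaces that choice on the way out. Other menus in this file use `dmenuExit` for the same entry; `{ "X Exit", "Exit this menu (returning to previous)", NULL, dmenuExit },` would leave the current settings untouched. If falling back to medium on exit is intended, the menu prompt should say so.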
diff --git a/release/sysinstall/sysinstall.h b/release/sysinstall/sysinstall.h
index d44b8cb..5049470 100644
--- a/release/sysinstall/sysinstall.h
+++ b/release/sysinstall/sysinstall.h
@@ -375,6 +375,7 @@ extern DMenu MenuMediaFTP; /* FTP media menu */
extern DMenu MenuMediaTape; /* Tape media menu */
extern DMenu MenuNetworkDevice; /* Network device menu */
extern DMenu MenuNTP; /* NTP time server menu */
+extern DMenu MenuSecurityProfile; /* Security profile menu */
extern DMenu MenuStartup; /* Startup services menu */
extern DMenu MenuSyscons; /* System console configuration menu */
extern DMenu MenuSysconsFont; /* System console font configuration menu */
@@ -387,7 +388,6 @@ extern DMenu MenuInstallCustom; /* Custom Installation menu */
extern DMenu MenuDistributions; /* Distribution menu */
extern DMenu MenuDiskDevices; /* Disk type devices */
extern DMenu MenuSubDistributions; /* Custom distribution menu */
-extern DMenu MenuCRYPTODistributions;/* Encryption distribution menu */
extern DMenu MenuSrcDistributions; /* Source distribution menu */
extern DMenu MenuXF86; /* XFree86 main menu */
extern DMenu MenuXF86Select; /* XFree86 distribution selection menu */
@@ -443,6 +443,10 @@ extern int configRouter(dialogMenuItem *self);
extern int configPCNFSD(dialogMenuItem *self);
extern int configNFSServer(dialogMenuItem *self);
extern int configWriteRC_conf(dialogMenuItem *self);
+extern int configSecurityProfile(dialogMenuItem *self);
+extern int configSecurityFascist(dialogMenuItem *self);
+extern int configSecurityModerate(dialogMenuItem *self);
+extern int configSecurityLiberal(dialogMenuItem *self);
/* crc.c */
extern int crc(int, unsigned long *, unsigned long *);
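Review bot: The exported names configSecurityFascist, configSecurityModerate and configSecurityLiberal do not match what the user sees, since the menu calls the profiles High, Medium and Low. Naming the functions after those labels would make the call sites in install.c and menus.c easier to follow. Each prototype also deserves a one-line comment on the knobs it sets, e.g. `/* High: inetd, portmap, sendmail, sshd and NFS server off; kern_securelevel 2 */` for the first one.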
@@ -496,7 +500,6 @@ extern int distSetUser(dialogMenuItem *self);
extern int distSetXUser(dialogMenuItem *self);
extern int distSetMinimum(dialogMenuItem *self);
extern int distSetEverything(dialogMenuItem *self);
-extern int distSetCRYPTO(dialogMenuItem *self);
extern int distSetSrc(dialogMenuItem *self);
extern int distSetXF86(dialogMenuItem *self);
extern int distExtractAll(dialogMenuItem *self);
diff --git a/usr.sbin/sade/config.c b/usr.sbin/sade/config.c
index 8ce295b..cf37e94 100644
--- a/usr.sbin/sade/config.c
+++ b/usr.sbin/sade/config.c
@@ -388,10 +388,6 @@ configRC_conf(void)
fprintf(rcSite, "# This file now contains just the overrides from /etc/defaults/rc.conf\n");
fprintf(rcSite, "# please make all changes to this file.\n\n");
fprintf(rcSite, "# Enable network daemons for user convenience.\n");
- fprintf(rcSite, "inetd_enable=\"YES\"\n");
- fprintf(rcSite, "portmap_enable=\"YES\"\n");
- fprintf(rcSite, "sendmail_enable=\"YES\"\n");
- fprintf(rcSite, "sshd_enable=\"YES\"\n");
}
/* Now do variable substitutions */
@@ -470,6 +466,95 @@ configLinux(dialogMenuItem *self)
return i;
}
+int
+configSecurityProfile(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ dialog_clear_norefresh();
+ dmenuOpenSimple(&MenuSecurityProfile, FALSE);
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+/* Use the most fascist security settings */
+int
+configSecurityFascist(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "NO", 1);
+ variable_set2("portmap_enable", "NO", 1);
+ variable_set2("sendmail_enable", "NO", 1);
+ variable_set2("sshd_enable", "NO", 1);
+ variable_set2("nfs_server_enable", "NO", 1);
+ variable_set2("kern_securelevel_enable", "YES", 1);
+ variable_set2("kern_securelevel", "2", 1);
+ /* More fascist stuff should go here */
+
+ msgConfirm("High security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been DISABLED by default.\n\n"
+ "PLEASE NOTE that this still does not save you from having\n"
+ "to properly secure your system in other ways or exercise\n"
+ "due diligence in your administration, this simply picks\n"
+ "a more secure set of out-of-box defaults to start with.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+int
+configSecurityModerate(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "YES", 1);
+ if (!variable_cmp("nfs_client_enable", "YES") ||
+ !variable_cmp("nfs_server_enable", "YES"))
+ variable_set2("portmap_enable", "YES", 1);
+ if (!variable_cmp("nfs_server_enable", "YES"))
+ variable_set2("nfs_reserved_port_only", "YES", 1);
+ variable_set2("sendmail_enable", "YES", 1);
+ variable_set2("sshd_enable", "YES", 1);
+
+ msgConfirm("Moderate security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been enabled by default\n"
+ "for a comfortable user experience but with possible\n"
+ "trade-offs in system security. If this bothers you and\n"
+ "you know exactly what you are doing, select the high\n"
+ "high security profile instead.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+int
+configSecurityLiberal(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "YES", 1);
+ variable_set2("portmap_enable", "YES", 1);
+ variable_set2("sendmail_enable", "YES", 1);
+ variable_set2("sshd_enable", "YES", 1);
+
+ msgConfirm("Liberal security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been enabled by default\n"
+ "for the most comfortable user experience but with possible\n"
+ "trade-offs in system security. If this bothers you, select\n"
+ "the medium security profile or, if you know exactly what you\n"
+ "are doing, the high security profile instead.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
static void
write_root_xprofile(char *str)
{
diff --git a/usr.sbin/sade/dispatch.c b/usr.sbin/sade/dispatch.c
index 0b388b4..cd64bf0 100644
--- a/usr.sbin/sade/dispatch.c
+++ b/usr.sbin/sade/dispatch.c
@@ -73,7 +73,6 @@ static struct _word {
{ "distSetXUser", distSetXUser },
{ "distSetMinimum", distSetMinimum },
{ "distSetEverything", distSetEverything },
- { "distSetCRYPTO", distSetCRYPTO },
{ "distSetSrc", distSetSrc },
{ "distSetXF86", distSetXF86 },
{ "distExtractAll", distExtractAll },
diff --git a/usr.sbin/sade/install.c b/usr.sbin/sade/install.c
index 67399ca..cc53f3e 100644
--- a/usr.sbin/sade/install.c
+++ b/usr.sbin/sade/install.c
@@ -472,6 +472,9 @@ installExpress(dialogMenuItem *self)
if (DITEM_STATUS((i = installCommit(self))) == DITEM_SUCCESS) {
i |= DITEM_LEAVE_MENU;
+ /* Set default security level */
+ configSecurityModerate(self);
+
/* Give user the option of one last configuration spree */
installConfigure();
}
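Review bot: The added `configSecurityModerate(self);` applies the medium profile without asking and without looking at what is already set. As defined in config.c, it unconditionally sets `inetd_enable`, `sendmail_enable` and `sshd_enable` to `YES` and raises a `msgConfirm` dialog, and its return value is dropped here. Any value those variables were given earlier in the session (for example by a scripted configuration, which this hunk does not show) would be overwritten, so the comment is more accurate as `/* Apply the medium security profile; overwrites inetd/sendmail/sshd settings */`. The same call is added in the `installCustomCommit` hunk below and in the matching hunks of usr.sbin/sysinstall/install.c. installExpress begins and ends outside this hunk.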
@@ -560,10 +563,12 @@ nodisks:
"between interfaces)?"))
variable_set2("gateway_enable", "YES", 1);
+ dialog_clear_norefresh();
if (msgYesNo("Do you want to grant only normal users FTP access to this\n"
"host (e.g. no anonymous FTP connections)?"))
configAnonFTP(self);
+ dialog_clear_norefresh();
if (!msgYesNo("Do you want to configure this machine as an NFS server?"))
configNFSServer(self);
@@ -571,6 +576,13 @@ nodisks:
if (!msgYesNo("Do you want to configure this machine as an NFS client?"))
variable_set2("nfs_client_enable", "YES", 1);
+ if (msgYesNo("Do you want to select a default security profile for\n"
+ "this host (\"medium\" security being the default)?"))
+ configSecurityProfile(self);
+ else
+ configSecurityModerate(self);
+
+ dialog_clear_norefresh();
if (!msgYesNo("Would you like to customize your system console settings?"))
dmenuOpenSimple(&MenuSyscons, FALSE);
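Review bot: The new test `if (msgYesNo("Do you want to select a default security profile for\n"` looks inverted. The neighbouring prompts in this hunk take the affirmative branch on `!msgYesNo(...)`, so as written a Yes answer silently applies the medium profile and a No answer opens the profile menu. The condition should be `if (!msgYesNo(...))`, and the parenthetical would be less ambiguous as `(select No for \"medium\" security)`. The identical lines are added in the `@@ -571,6 +576,13 @@` hunk of usr.sbin/sysinstall/install.c. The enclosing function starts and ends outside this hunk.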
@@ -632,6 +644,9 @@ installCustomCommit(dialogMenuItem *self)
i = installCommit(self);
if (DITEM_STATUS(i) == DITEM_SUCCESS) {
+ /* Set default security level */
+ configSecurityModerate(self);
+
/* Give user the option of one last configuration spree */
installConfigure();
return i;
diff --git a/usr.sbin/sade/menus.c b/usr.sbin/sade/menus.c
index eee9959..b07008d 100644
--- a/usr.sbin/sade/menus.c
+++ b/usr.sbin/sade/menus.c
@@ -42,6 +42,8 @@ setSrc(dialogMenuItem *self)
{
Dists |= DIST_SRC;
SrcDists = DIST_SRC_ALL;
+ CRYPTODists |= (DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
return DITEM_SUCCESS | DITEM_REDRAW;
}
@@ -50,22 +52,8 @@ clearSrc(dialogMenuItem *self)
{
Dists &= ~DIST_SRC;
SrcDists = 0;
- return DITEM_SUCCESS | DITEM_REDRAW;
-}
-
-static int
-setCRYPTO(dialogMenuItem *self)
-{
- Dists |= DIST_CRYPTO;
- CRYPTODists = DIST_CRYPTO_ALL;
- return DITEM_SUCCESS | DITEM_REDRAW;
-}
-
-static int
-clearCRYPTO(dialogMenuItem *self)
-{
- Dists &= ~DIST_CRYPTO;
- CRYPTODists = 0;
+ CRYPTODists &= ~(DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
return DITEM_SUCCESS | DITEM_REDRAW;
}
@@ -121,10 +109,10 @@ clearX11Fonts(dialogMenuItem *self)
#define _IS_SET(dist, set) (((dist) & (set)) == (set))
#define IS_DEVELOPER(dist, extra) (_IS_SET(dist, _DIST_DEVELOPER | extra) || \
- _IS_SET(dist, _DIST_DEVELOPER | DIST_CRYPTO | extra))
+ _IS_SET(dist, _DIST_DEVELOPER | extra))
#define IS_USER(dist, extra) (_IS_SET(dist, _DIST_USER | extra) || \
- _IS_SET(dist, _DIST_USER | DIST_CRYPTO | extra))
+ _IS_SET(dist, _DIST_USER | extra))
static int
checkDistDeveloper(dialogMenuItem *self)
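Review bot: With `DIST_CRYPTO` removed from the second operand, both sides of the `||` in `IS_DEVELOPER` and `IS_USER` are now the same expression, so each macro evaluates one test twice. They can be reduced to `#define IS_DEVELOPER(dist, extra) _IS_SET(dist, _DIST_DEVELOPER | (extra))` and `#define IS_USER(dist, extra) _IS_SET(dist, _DIST_USER | (extra))`, which also parenthesises `extra`. The same leftover is in the corresponding hunk of usr.sbin/sysinstall/menus.c.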
@@ -171,19 +159,14 @@ checkDistMinimum(dialogMenuItem *self)
static int
checkDistEverything(dialogMenuItem *self)
{
- return Dists == DIST_ALL && _IS_SET(SrcDists, DIST_SRC_ALL) && \
+ return Dists == DIST_ALL && CRYPTODists == DIST_CRYPTO_ALL && \
+ _IS_SET(SrcDists, DIST_SRC_ALL) && \
_IS_SET(XF86Dists, DIST_XF86_ALL) && \
_IS_SET(XF86ServerDists, DIST_XF86_SERVER_ALL) && \
_IS_SET(XF86FontDists, DIST_XF86_FONTS_ALL);
}
static int
-CRYPTOFlagCheck(dialogMenuItem *item)
-{
- return CRYPTODists;
-}
-
-static int
srcFlagCheck(dialogMenuItem *item)
{
return SrcDists;
@@ -225,7 +208,6 @@ DMenu MenuIndex = {
{ " Disklabel", "The disk Label editor", NULL, diskLabelEditor },
{ " Dists, All", "Root of the distribution tree.", NULL, dmenuSubmenu, NULL, &MenuDistributions },
{ " Dists, Basic", "Basic FreeBSD distribution menu.", NULL, dmenuSubmenu, NULL, &MenuSubDistributions },
- { " Dists, CRYPTO", "Encryption distribution menu.", NULL, dmenuSubmenu, NULL, &MenuCRYPTODistributions },
{ " Dists, Developer", "Select developer's distribution.", checkDistDeveloper, distSetDeveloper },
{ " Dists, Src", "Src distribution menu.", NULL, dmenuSubmenu, NULL, &MenuSrcDistributions },
{ " Dists, X Developer", "Select X developer's distribution.", checkDistXDeveloper, distSetXDeveloper },
@@ -275,6 +257,7 @@ DMenu MenuIndex = {
{ " PCNFSD", "Run authentication server for PC-NFS.", dmenuVarCheck, configPCNFSD, NULL, "pcnfsd" },
{ " Root Password", "Set the system manager's password.", NULL, dmenuSystemCommand, NULL, "passwd root" },
{ " Router", "Select routing daemon (default: routed)", NULL, configRouter, NULL, "router_enable" },
+ { " Security", "Select a default system security profile.", NULL, dmenuSubmenu, NULL, &MenuSecurityProfile },
{ " Syscons", "The system console configuration menu.", NULL, dmenuSubmenu, NULL, &MenuSyscons },
{ " Syscons, Font", "The console screen font.", NULL, dmenuSubmenu, NULL, &MenuSysconsFont },
{ " Syscons, Keymap", "The console keymap configuration menu.", NULL, dmenuSubmenu, NULL, &MenuSysconsKeymap },
@@ -425,70 +408,6 @@ DMenu MenuMouse = {
{ NULL } },
};
-DMenu MenuXF86Config = {
- DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
- "Please select the XFree86 configuration tool you want to use.",
-#ifdef __alpha__
- "Due to problems with the VGA16 server right now, only the\n"
- "text-mode configuration tool (xf86config) is currently supported.",
-#else
- "The first tool, XF86Setup, is fully graphical and requires the\n"
- "VGA16 server in order to work (should have been selected by\n"
- "default, but if you de-selected it then you won't be able to\n"
- "use this fancy setup tool). The second tool, xf86config, is\n"
- "a more simplistic shell-script based tool and less friendly to\n"
- "new users, but it may work in situations where the fancier one\n"
- "does not.",
-#endif
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- NULL, dmenuExit },
-#ifdef __alpha__
- { "2 xf86config", "Shell-script based XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
-#else
- { "2 XF86Setup", "Fully graphical XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF86Setup" },
- { "3 xf86config", "Shell-script based XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
- { "4 XF98Setup", "Fully graphical XFree86 configuration tool (PC98).",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF98Setup" },
-#endif
- { "D XDesktop", "X already set up, just do desktop configuration.",
- NULL, dmenuSubmenu, NULL, &MenuXDesktops },
- { NULL } },
-};
-
-DMenu MenuXDesktops = {
- DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
- "Please select the default X desktop to use.",
- "By default, XFree86 comes with a fairly vanilla desktop which\n"
- "is based around the twm(1) window manager and does not offer\n"
- "much in the way of features. It does have the advantage of\n"
- "being a standard part of X so you don't need to load anything\n"
- "extra in order to use it. If, however, you have access to a\n"
- "reasonably full packages collection on your installation media,\n"
- "you can choose any one of the following desktops as alternatives.",
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- NULL, dmenuExit },
- { "2 KDE", "The K Desktop Environment.",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=kde" },
- { "3 GNOME + Afterstep", "GNOME + Afterstep window manager.",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=gnome" },
- { "4 GNOME + Enlightenment","GNOME + The E window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=enlightenment" },
- { "5 Afterstep", "The Afterstep window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=afterstep" },
- { "6 Windowmaker", "The Windowmaker window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=windowmaker" },
- { "7 fvwm2", "The fvwm2 window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=fvwm2" },
- { NULL } },
-};
-
DMenu MenuMediaCDROM = {
DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
"Choose a CDROM type",
@@ -844,8 +763,17 @@ DMenu MenuSubDistributions = {
dmenuFlagCheck, dmenuSetFlag, NULL, &Dists, '[', 'X', ']', DIST_COMPAT3X },
#endif
#endif
- { " CRYPTO", "Encryption code - NOT FOR EXPORT!",
- CRYPTOFlagCheck,distSetCRYPTO },
+ { " crypto", "Basic encryption services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_CRYPTO, },
+#if __FreeBSD__ <= 3
+ { " krb", "KerberosIV authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS },
+#else
+ { " krb4", "KerberosIV authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS4 },
+ { " krb5", "Kerberos5 authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS5 },
+#endif
{ " dict", "Spelling checker dictionary files",
dmenuFlagCheck, dmenuSetFlag, NULL, &Dists, '[', 'X', ']', DIST_DICT },
{ " doc", "Miscellaneous FreeBSD online docs",
@@ -871,43 +799,6 @@ DMenu MenuSubDistributions = {
{ NULL } },
};
-DMenu MenuCRYPTODistributions = {
- DMENU_CHECKLIST_TYPE | DMENU_SELECTION_RETURNS,
- "Select the encryption facilities you wish to install.",
- "Please check off any special encryption distributions\n"
- "you would like to install. Please note that these services are NOT FOR\n"
- "EXPORT from the United States. For information on non-U.S. FTP\n"
- "distributions of this software, please consult the release notes.",
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- checkTrue, dmenuExit, NULL, NULL, '<', '<', '<' },
- { "All", "Select all of the below",
- NULL, setCRYPTO, NULL, NULL, ' ', ' ', ' ' },
- { "Reset", "Reset all of the below",
- NULL, clearCRYPTO, NULL, NULL, ' ', ' ', ' ' },
- { " crypto", "Basic encryption services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_CRYPTO, },
-#if __FreeBSD__ <= 3
- { " krb", "KerberosIV authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS },
-#else
- { " krb4", "KerberosIV authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS4 },
- { " krb5", "Kerberos5 authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS5 },
-#endif
- { " skrb4", "Sources for KerberosIV",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS4 },
- { " skrb5", "Sources for Kerberos5",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS5 },
- { " ssecure", "BSD encryption sources",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SSECURE },
- { " scrypto", "Contributed encryption sources",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SCRYPTO },
- { NULL } },
-};
-
DMenu MenuSrcDistributions = {
DMENU_CHECKLIST_TYPE | DMENU_SELECTION_RETURNS,
"Select the sub-components of src you wish to install.",
@@ -943,8 +834,16 @@ DMenu MenuSrcDistributions = {
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_BIN },
{ " sbin", "/usr/src/sbin (system binaries)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SBIN },
+ { " scrypto", "/usr/src/crypto (contrib encryption sources)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SCRYPTO },
{ " share", "/usr/src/share (documents and shared files)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SHARE },
+ { " skrb4", "/usr/src/kerberosIV (sources for KerberosIV)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS4 },
+ { " skrb5", "/usr/src/kerberos5 (sources for Kerberos5)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS5 },
+ { " ssecure", "/usr/src/secure (BSD encryption sources)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SSECURE },
{ " sys", "/usr/src/sys (FreeBSD kernel)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SYS },
{ " tools", "/usr/src/tools (miscellaneous tools)",
@@ -956,6 +855,70 @@ DMenu MenuSrcDistributions = {
{ NULL } },
};
+DMenu MenuXF86Config = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Please select the XFree86 configuration tool you want to use.",
+#ifdef __alpha__
+ "Due to problems with the VGA16 server right now, only the\n"
+ "text-mode configuration tool (xf86config) is currently supported.",
+#else
+ "The first tool, XF86Setup, is fully graphical and requires the\n"
+ "VGA16 server in order to work (should have been selected by\n"
+ "default, but if you de-selected it then you won't be able to\n"
+ "use this fancy setup tool). The second tool, xf86config, is\n"
+ "a more simplistic shell-script based tool and less friendly to\n"
+ "new users, but it may work in situations where the fancier one\n"
+ "does not.",
+#endif
+ NULL,
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)",
+ NULL, dmenuExit },
+#ifdef __alpha__
+ { "2 xf86config", "Shell-script based XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
+#else
+ { "2 XF86Setup", "Fully graphical XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF86Setup" },
+ { "3 xf86config", "Shell-script based XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
+ { "4 XF98Setup", "Fully graphical XFree86 configuration tool (PC98).",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF98Setup" },
+#endif
+ { "D XDesktop", "X already set up, just do desktop configuration.",
+ NULL, dmenuSubmenu, NULL, &MenuXDesktops },
+ { NULL } },
+};
+
+DMenu MenuXDesktops = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Please select the default X desktop to use.",
+ "By default, XFree86 comes with a fairly vanilla desktop which\n"
+ "is based around the twm(1) window manager and does not offer\n"
+ "much in the way of features. It does have the advantage of\n"
+ "being a standard part of X so you don't need to load anything\n"
+ "extra in order to use it. If, however, you have access to a\n"
+ "reasonably full packages collection on your installation media,\n"
+ "you can choose any one of the following desktops as alternatives.",
+ NULL,
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)",
+ NULL, dmenuExit },
+ { "2 KDE", "The K Desktop Environment.",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=kde" },
+ { "3 GNOME + Afterstep", "GNOME + Afterstep window manager.",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=gnome" },
+ { "4 GNOME + Enlightenment","GNOME + The E window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=enlightenment" },
+ { "5 Afterstep", "The Afterstep window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=afterstep" },
+ { "6 Windowmaker", "The Windowmaker window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=windowmaker" },
+ { "7 fvwm2", "The fvwm2 window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=fvwm2" },
+ { NULL } },
+};
+
DMenu MenuXF86Select = {
DMENU_NORMAL_TYPE,
"XFree86 3.3.6 Distribution",
@@ -1254,6 +1217,8 @@ DMenu MenuConfigure = {
NULL, dmenuSubmenu, NULL, &MenuMouse, NULL },
{ " Networking", "Configure additional network services",
NULL, dmenuSubmenu, NULL, &MenuNetworking },
+ { " Security", "Select default system security profile",
+ NULL, dmenuSubmenu, NULL, &MenuSecurityProfile },
{ " Startup", "Configure system startup options",
NULL, dmenuSubmenu, NULL, &MenuStartup },
{ " Options", "View/Set various installation options",
@@ -1340,6 +1305,8 @@ DMenu MenuNetworking = {
dmenuVarCheck, configAnonFTP, NULL, "anon_ftp" },
{ " Gateway", "This machine will route packets between interfaces",
dmenuVarCheck, dmenuToggleVariable, NULL, "gateway_enable=YES" },
+ { " inetd", "This machine wants to run the inet daemon",
+ dmenuVarCheck, dmenuToggleVariable, NULL, "inetd_enable=YES" },
{ " NFS client", "This machine will be an NFS client",
dmenuVarCheck, dmenuToggleVariable, NULL, "nfs_client_enable=YES" },
{ " NFS server", "This machine will be an NFS server",
@@ -1348,6 +1315,8 @@ DMenu MenuNetworking = {
dmenuVarCheck, dmenuSubmenu, NULL, &MenuNTP, '[', 'X', ']', "ntpdate_enable=YES" },
{ " PCNFSD", "Run authentication server for clients with PC-NFS.",
dmenuVarCheck, configPCNFSD, NULL, "pcnfsd" },
+ { " portmap", "This machine wants to run the portmapper daemon",
+ dmenuVarCheck, dmenuToggleVariable, NULL, "portmap_enable=YES" },
{ " Routed", "Select routing daemon (default: routed)",
dmenuVarCheck, configRouter, NULL, "router_enable=YES" },
{ " Rwhod", "This machine wants to run the rwho daemon",
@@ -1369,7 +1338,7 @@ DMenu MenuNTP = {
"close to you to have your system time synchronized accordingly.",
"These are the primary open-access NTP servers",
NULL,
- { { "None", "No ntp server",
+ { { "None", "No NTP server",
dmenuVarsCheck, dmenuSetVariables, NULL,
"ntpdate_enable=NO,ntpdate_flags=none" },
{ "Other", "Select a site not on this list",
@@ -1625,6 +1594,21 @@ DMenu MenuUsermgmt = {
{ NULL } },
};
+DMenu MenuSecurityProfile = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Default system security profile",
+ "Each item in this list will set what it considers to\n"
+ "be \"appropriate\" values in that category for various\n"
+ "security-related knobs in /etc/rc.conf.",
+ "Select a canned security profile.",
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)", NULL, configSecurityModerate },
+ { "Low", "Fairly wide-open (little) security.", NULL, configSecurityLiberal },
+ { "Medium", "Moderate security settings [DEFAULT].", NULL, configSecurityModerate },
+ { "High", "Very restrictive security settings.", NULL, configSecurityFascist },
+ { NULL } },
+};
+
DMenu MenuFixit = {
DMENU_NORMAL_TYPE,
"Please choose a fixit option",
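Review bot: The `X Exit` entry of `MenuSecurityProfile` is bound to `configSecurityModerate` rather than `dmenuExit`, so leaving the menu without choosing anything still rewrites the service variables to the medium profile. Because this file also links the menu from `MenuIndex` and `MenuConfigure`, a host previously set to High would get `inetd_enable`, `sendmail_enable` and `sshd_enable` set back to `YES` just by opening the menu and exiting. Binding the entry as `{ "X Exit", "Exit this menu (returning to previous)", NULL, dmenuExit },` and having `configSecurityProfile` apply the medium default only when no profile was picked would avoid the silent downgrade. The identical table is added to usr.sbin/sysinstall/menus.c.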
diff --git a/usr.sbin/sade/sade.h b/usr.sbin/sade/sade.h
index d44b8cb..5049470 100644
--- a/usr.sbin/sade/sade.h
+++ b/usr.sbin/sade/sade.h
@@ -375,6 +375,7 @@ extern DMenu MenuMediaFTP; /* FTP media menu */
extern DMenu MenuMediaTape; /* Tape media menu */
extern DMenu MenuNetworkDevice; /* Network device menu */
extern DMenu MenuNTP; /* NTP time server menu */
+extern DMenu MenuSecurityProfile; /* Security profile menu */
extern DMenu MenuStartup; /* Startup services menu */
extern DMenu MenuSyscons; /* System console configuration menu */
extern DMenu MenuSysconsFont; /* System console font configuration menu */
@@ -387,7 +388,6 @@ extern DMenu MenuInstallCustom; /* Custom Installation menu */
extern DMenu MenuDistributions; /* Distribution menu */
extern DMenu MenuDiskDevices; /* Disk type devices */
extern DMenu MenuSubDistributions; /* Custom distribution menu */
-extern DMenu MenuCRYPTODistributions;/* Encryption distribution menu */
extern DMenu MenuSrcDistributions; /* Source distribution menu */
extern DMenu MenuXF86; /* XFree86 main menu */
extern DMenu MenuXF86Select; /* XFree86 distribution selection menu */
@@ -443,6 +443,10 @@ extern int configRouter(dialogMenuItem *self);
extern int configPCNFSD(dialogMenuItem *self);
extern int configNFSServer(dialogMenuItem *self);
extern int configWriteRC_conf(dialogMenuItem *self);
+extern int configSecurityProfile(dialogMenuItem *self);
+extern int configSecurityFascist(dialogMenuItem *self);
+extern int configSecurityModerate(dialogMenuItem *self);
+extern int configSecurityLiberal(dialogMenuItem *self);
/* crc.c */
extern int crc(int, unsigned long *, unsigned long *);
@@ -496,7 +500,6 @@ extern int distSetUser(dialogMenuItem *self);
extern int distSetXUser(dialogMenuItem *self);
extern int distSetMinimum(dialogMenuItem *self);
extern int distSetEverything(dialogMenuItem *self);
-extern int distSetCRYPTO(dialogMenuItem *self);
extern int distSetSrc(dialogMenuItem *self);
extern int distSetXF86(dialogMenuItem *self);
extern int distExtractAll(dialogMenuItem *self);
diff --git a/usr.sbin/sysinstall/config.c b/usr.sbin/sysinstall/config.c
index 8ce295b..cf37e94 100644
--- a/usr.sbin/sysinstall/config.c
+++ b/usr.sbin/sysinstall/config.c
@@ -388,10 +388,6 @@ configRC_conf(void)
fprintf(rcSite, "# This file now contains just the overrides from /etc/defaults/rc.conf\n");
fprintf(rcSite, "# please make all changes to this file.\n\n");
fprintf(rcSite, "# Enable network daemons for user convenience.\n");
- fprintf(rcSite, "inetd_enable=\"YES\"\n");
- fprintf(rcSite, "portmap_enable=\"YES\"\n");
- fprintf(rcSite, "sendmail_enable=\"YES\"\n");
- fprintf(rcSite, "sshd_enable=\"YES\"\n");
}
/* Now do variable substitutions */
@@ -470,6 +466,95 @@ configLinux(dialogMenuItem *self)
return i;
}
+int
+configSecurityProfile(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ dialog_clear_norefresh();
+ dmenuOpenSimple(&MenuSecurityProfile, FALSE);
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+/* Use the most fascist security settings */
+int
+configSecurityFascist(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "NO", 1);
+ variable_set2("portmap_enable", "NO", 1);
+ variable_set2("sendmail_enable", "NO", 1);
+ variable_set2("sshd_enable", "NO", 1);
+ variable_set2("nfs_server_enable", "NO", 1);
+ variable_set2("kern_securelevel_enable", "YES", 1);
+ variable_set2("kern_securelevel", "2", 1);
+ /* More fascist stuff should go here */
+
+ msgConfirm("High security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been DISABLED by default.\n\n"
+ "PLEASE NOTE that this still does not save you from having\n"
+ "to properly secure your system in other ways or exercise\n"
+ "due diligence in your administration, this simply picks\n"
+ "a more secure set of out-of-box defaults to start with.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+int
+configSecurityModerate(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "YES", 1);
+ if (!variable_cmp("nfs_client_enable", "YES") ||
+ !variable_cmp("nfs_server_enable", "YES"))
+ variable_set2("portmap_enable", "YES", 1);
+ if (!variable_cmp("nfs_server_enable", "YES"))
+ variable_set2("nfs_reserved_port_only", "YES", 1);
+ variable_set2("sendmail_enable", "YES", 1);
+ variable_set2("sshd_enable", "YES", 1);
+
+ msgConfirm("Moderate security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been enabled by default\n"
+ "for a comfortable user experience but with possible\n"
+ "trade-offs in system security. If this bothers you and\n"
+ "you know exactly what you are doing, select the high\n"
+ "high security profile instead.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
+int
+configSecurityLiberal(dialogMenuItem *self)
+{
+ WINDOW *w = savescr();
+
+ variable_set2("inetd_enable", "YES", 1);
+ variable_set2("portmap_enable", "YES", 1);
+ variable_set2("sendmail_enable", "YES", 1);
+ variable_set2("sshd_enable", "YES", 1);
+
+ msgConfirm("Liberal security settings have been selected.\n\n"
+ "This means that most \"popular\" network services and\n"
+ "mechanisms like inetd(8) have been enabled by default\n"
+ "for the most comfortable user experience but with possible\n"
+ "trade-offs in system security. If this bothers you, select\n"
+ "the medium security profile or, if you know exactly what you\n"
+ "are doing, the high security profile instead.\n\n"
+ "To change any of these settings later, edit /etc/rc.conf");
+
+ restorescr(w);
+ return DITEM_SUCCESS;
+}
+
static void
write_root_xprofile(char *str)
{
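Review bot: The three profile functions do not write the same set of variables, so the resulting rc.conf depends on which profile was selected before. `configSecurityFascist` sets `kern_securelevel_enable`, `kern_securelevel` and `nfs_server_enable`, but `configSecurityModerate` and `configSecurityLiberal` never reset them, and `configSecurityModerate` only ever sets `portmap_enable` to `YES`, never back to `NO` when neither NFS variable is set. Each profile should write every knob it owns, for example `else variable_set2("portmap_enable", "NO", 1);` after the NFS test and `variable_set2("kern_securelevel_enable", "NO", 1);` in the two lower profiles. The High dialog should also name sshd, sendmail, the NFS server and the securelevel change, since it currently mentions only inetd(8), and the Moderate text repeats a word (`select the high\n` followed by `high security profile instead`). The same code appears in the usr.sbin/sade/config.c hunk earlier on the page.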
diff --git a/usr.sbin/sysinstall/dispatch.c b/usr.sbin/sysinstall/dispatch.c
index 0b388b4..cd64bf0 100644
--- a/usr.sbin/sysinstall/dispatch.c
+++ b/usr.sbin/sysinstall/dispatch.c
@@ -73,7 +73,6 @@ static struct _word {
{ "distSetXUser", distSetXUser },
{ "distSetMinimum", distSetMinimum },
{ "distSetEverything", distSetEverything },
- { "distSetCRYPTO", distSetCRYPTO },
{ "distSetSrc", distSetSrc },
{ "distSetXF86", distSetXF86 },
{ "distExtractAll", distExtractAll },
diff --git a/usr.sbin/sysinstall/dist.c b/usr.sbin/sysinstall/dist.c
index 61974c8d..e70f446 100644
--- a/usr.sbin/sysinstall/dist.c
+++ b/usr.sbin/sysinstall/dist.c
@@ -197,7 +197,6 @@ static Distribution XF86FontDistTable[] = {
{ NULL },
};
-static int distMaybeSetCRYPTO(dialogMenuItem *self);
static int distMaybeSetPorts(dialogMenuItem *self);
static void
@@ -211,7 +210,7 @@ distVerifyFlags(void)
Dists |= DIST_CRYPTO;
}
else if ((Dists & DIST_CRYPTO) && !CRYPTODists)
- CRYPTODists |= DIST_CRYPTO_CRYPTO;
+ CRYPTODists |= DIST_CRYPTO_ALL;
if (XF86Dists & DIST_XF86_SET)
XF86ServerDists |= DIST_XF86_SERVER_VGA16;
if (XF86ServerDists)
@@ -291,7 +290,9 @@ distSetDeveloper(dialogMenuItem *self)
distReset(NULL);
Dists = _DIST_DEVELOPER;
SrcDists = DIST_SRC_ALL;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ CRYPTODists |= (DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
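Review bot: Pre-setting only the crypto source bits here may leave the Developer set without the crypto binaries. The `distVerifyFlags()` fallback in the hunk above fills in `DIST_CRYPTO_ALL` only when `CRYPTODists` is still zero, and after this `|=` it no longer is. Unless `distReset()` or `_DIST_DEVELOPER` (neither visible here) selects `DIST_CRYPTO_CRYPTO` some other way, the removed `distMaybeSetCRYPTO()` prompt has no replacement on this path. Assigning `CRYPTODists = DIST_CRYPTO_ALL;` as the `distSetEverything` hunk does, or adding `DIST_CRYPTO_CRYPTO` to the mask, would make the intent explicit. The four-flag source mask is also repeated in `setSrc` and `clearSrc` in menus.c and would read better as one named macro.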
@@ -315,7 +316,7 @@ distSetKernDeveloper(dialogMenuItem *self)
distReset(NULL);
Dists = _DIST_DEVELOPER;
SrcDists = DIST_SRC_SYS;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
@@ -338,7 +339,7 @@ distSetUser(dialogMenuItem *self)
distReset(NULL);
Dists = _DIST_USER;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
@@ -369,50 +370,15 @@ distSetEverything(dialogMenuItem *self)
Dists = DIST_ALL | DIST_XF86;
SrcDists = DIST_SRC_ALL;
+ CRYPTODists = DIST_CRYPTO_ALL;
XF86Dists = DIST_XF86_ALL;
XF86ServerDists = DIST_XF86_SERVER_ALL;
XF86FontDists = DIST_XF86_FONTS_ALL;
- i = distMaybeSetCRYPTO(self) | distMaybeSetPorts(self);
+ i = distMaybeSetPorts(self);
distVerifyFlags();
return i;
}
-int
-distSetCRYPTO(dialogMenuItem *self)
-{
- int i;
-
- dialog_clear_norefresh();
- if (!dmenuOpenSimple(&MenuCRYPTODistributions, FALSE))
- i = DITEM_FAILURE;
- else
- i = DITEM_SUCCESS;
- distVerifyFlags();
- return i | DITEM_REDRAW | DITEM_RESTORE;
-}
-
-static int
-distMaybeSetCRYPTO(dialogMenuItem *self)
-{
- int i = DITEM_SUCCESS | DITEM_REDRAW;
-
- dialog_clear_norefresh();
- if (!msgYesNo("Do you wish to install cryptographic software?\n\n"
- "If you choose No, FreeBSD will use an MD5-based password scheme which,\n"
- "while more secure, is not interoperable with the traditional\n"
- "DES-based passwords used on other Unix systems.\n\n"
- "Note that the international crypto distribution has a better\n"
- "implementation of the RSA algorithm, which is patented in the U.S.\n"
- "If you are in the USA, use crypto + the rsaref port/package\n.")) {
- if (!dmenuOpenSimple(&MenuCRYPTODistributions, FALSE))
- i = DITEM_FAILURE;
- }
-
- dialog_clear_norefresh();
- distVerifyFlags();
- return i | DITEM_REDRAW | DITEM_RESTORE;
-}
-
static int
distMaybeSetPorts(dialogMenuItem *self)
{
diff --git a/usr.sbin/sysinstall/install.c b/usr.sbin/sysinstall/install.c
index 67399ca..cc53f3e 100644
--- a/usr.sbin/sysinstall/install.c
+++ b/usr.sbin/sysinstall/install.c
@@ -472,6 +472,9 @@ installExpress(dialogMenuItem *self)
if (DITEM_STATUS((i = installCommit(self))) == DITEM_SUCCESS) {
i |= DITEM_LEAVE_MENU;
+ /* Set default security level */
+ configSecurityModerate(self);
+
/* Give user the option of one last configuration spree */
installConfigure();
}
@@ -560,10 +563,12 @@ nodisks:
"between interfaces)?"))
variable_set2("gateway_enable", "YES", 1);
+ dialog_clear_norefresh();
if (msgYesNo("Do you want to grant only normal users FTP access to this\n"
"host (e.g. no anonymous FTP connections)?"))
configAnonFTP(self);
+ dialog_clear_norefresh();
if (!msgYesNo("Do you want to configure this machine as an NFS server?"))
configNFSServer(self);
@@ -571,6 +576,13 @@ nodisks:
if (!msgYesNo("Do you want to configure this machine as an NFS client?"))
variable_set2("nfs_client_enable", "YES", 1);
+ if (msgYesNo("Do you want to select a default security profile for\n"
+ "this host (\"medium\" security being the default)?"))
+ configSecurityProfile(self);
+ else
+ configSecurityModerate(self);
+
+ dialog_clear_norefresh();
if (!msgYesNo("Would you like to customize your system console settings?"))
dmenuOpenSimple(&MenuSyscons, FALSE);
@@ -632,6 +644,9 @@ installCustomCommit(dialogMenuItem *self)
i = installCommit(self);
if (DITEM_STATUS(i) == DITEM_SUCCESS) {
+ /* Set default security level */
+ configSecurityModerate(self);
+
/* Give user the option of one last configuration spree */
installConfigure();
return i;
diff --git a/usr.sbin/sysinstall/menus.c b/usr.sbin/sysinstall/menus.c
index eee9959..b07008d 100644
--- a/usr.sbin/sysinstall/menus.c
+++ b/usr.sbin/sysinstall/menus.c
@@ -42,6 +42,8 @@ setSrc(dialogMenuItem *self)
{
Dists |= DIST_SRC;
SrcDists = DIST_SRC_ALL;
+ CRYPTODists |= (DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
return DITEM_SUCCESS | DITEM_REDRAW;
}
@@ -50,22 +52,8 @@ clearSrc(dialogMenuItem *self)
{
Dists &= ~DIST_SRC;
SrcDists = 0;
- return DITEM_SUCCESS | DITEM_REDRAW;
-}
-
-static int
-setCRYPTO(dialogMenuItem *self)
-{
- Dists |= DIST_CRYPTO;
- CRYPTODists = DIST_CRYPTO_ALL;
- return DITEM_SUCCESS | DITEM_REDRAW;
-}
-
-static int
-clearCRYPTO(dialogMenuItem *self)
-{
- Dists &= ~DIST_CRYPTO;
- CRYPTODists = 0;
+ CRYPTODists &= ~(DIST_CRYPTO_SCRYPTO | DIST_CRYPTO_SSECURE |
+ DIST_CRYPTO_SKERBEROS4 | DIST_CRYPTO_SKERBEROS5);
return DITEM_SUCCESS | DITEM_REDRAW;
}
@@ -121,10 +109,10 @@ clearX11Fonts(dialogMenuItem *self)
#define _IS_SET(dist, set) (((dist) & (set)) == (set))
#define IS_DEVELOPER(dist, extra) (_IS_SET(dist, _DIST_DEVELOPER | extra) || \
- _IS_SET(dist, _DIST_DEVELOPER | DIST_CRYPTO | extra))
+ _IS_SET(dist, _DIST_DEVELOPER | extra))
#define IS_USER(dist, extra) (_IS_SET(dist, _DIST_USER | extra) || \
- _IS_SET(dist, _DIST_USER | DIST_CRYPTO | extra))
+ _IS_SET(dist, _DIST_USER | extra))
static int
checkDistDeveloper(dialogMenuItem *self)
@@ -171,19 +159,14 @@ checkDistMinimum(dialogMenuItem *self)
static int
checkDistEverything(dialogMenuItem *self)
{
- return Dists == DIST_ALL && _IS_SET(SrcDists, DIST_SRC_ALL) && \
+ return Dists == DIST_ALL && CRYPTODists == DIST_CRYPTO_ALL && \
+ _IS_SET(SrcDists, DIST_SRC_ALL) && \
_IS_SET(XF86Dists, DIST_XF86_ALL) && \
_IS_SET(XF86ServerDists, DIST_XF86_SERVER_ALL) && \
_IS_SET(XF86FontDists, DIST_XF86_FONTS_ALL);
}
static int
-CRYPTOFlagCheck(dialogMenuItem *item)
-{
- return CRYPTODists;
-}
-
-static int
srcFlagCheck(dialogMenuItem *item)
{
return SrcDists;
@@ -225,7 +208,6 @@ DMenu MenuIndex = {
{ " Disklabel", "The disk Label editor", NULL, diskLabelEditor },
{ " Dists, All", "Root of the distribution tree.", NULL, dmenuSubmenu, NULL, &MenuDistributions },
{ " Dists, Basic", "Basic FreeBSD distribution menu.", NULL, dmenuSubmenu, NULL, &MenuSubDistributions },
- { " Dists, CRYPTO", "Encryption distribution menu.", NULL, dmenuSubmenu, NULL, &MenuCRYPTODistributions },
{ " Dists, Developer", "Select developer's distribution.", checkDistDeveloper, distSetDeveloper },
{ " Dists, Src", "Src distribution menu.", NULL, dmenuSubmenu, NULL, &MenuSrcDistributions },
{ " Dists, X Developer", "Select X developer's distribution.", checkDistXDeveloper, distSetXDeveloper },
@@ -275,6 +257,7 @@ DMenu MenuIndex = {
{ " PCNFSD", "Run authentication server for PC-NFS.", dmenuVarCheck, configPCNFSD, NULL, "pcnfsd" },
{ " Root Password", "Set the system manager's password.", NULL, dmenuSystemCommand, NULL, "passwd root" },
{ " Router", "Select routing daemon (default: routed)", NULL, configRouter, NULL, "router_enable" },
+ { " Security", "Select a default system security profile.", NULL, dmenuSubmenu, NULL, &MenuSecurityProfile },
{ " Syscons", "The system console configuration menu.", NULL, dmenuSubmenu, NULL, &MenuSyscons },
{ " Syscons, Font", "The console screen font.", NULL, dmenuSubmenu, NULL, &MenuSysconsFont },
{ " Syscons, Keymap", "The console keymap configuration menu.", NULL, dmenuSubmenu, NULL, &MenuSysconsKeymap },
@@ -425,70 +408,6 @@ DMenu MenuMouse = {
{ NULL } },
};
-DMenu MenuXF86Config = {
- DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
- "Please select the XFree86 configuration tool you want to use.",
-#ifdef __alpha__
- "Due to problems with the VGA16 server right now, only the\n"
- "text-mode configuration tool (xf86config) is currently supported.",
-#else
- "The first tool, XF86Setup, is fully graphical and requires the\n"
- "VGA16 server in order to work (should have been selected by\n"
- "default, but if you de-selected it then you won't be able to\n"
- "use this fancy setup tool). The second tool, xf86config, is\n"
- "a more simplistic shell-script based tool and less friendly to\n"
- "new users, but it may work in situations where the fancier one\n"
- "does not.",
-#endif
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- NULL, dmenuExit },
-#ifdef __alpha__
- { "2 xf86config", "Shell-script based XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
-#else
- { "2 XF86Setup", "Fully graphical XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF86Setup" },
- { "3 xf86config", "Shell-script based XFree86 configuration tool.",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
- { "4 XF98Setup", "Fully graphical XFree86 configuration tool (PC98).",
- NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF98Setup" },
-#endif
- { "D XDesktop", "X already set up, just do desktop configuration.",
- NULL, dmenuSubmenu, NULL, &MenuXDesktops },
- { NULL } },
-};
-
-DMenu MenuXDesktops = {
- DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
- "Please select the default X desktop to use.",
- "By default, XFree86 comes with a fairly vanilla desktop which\n"
- "is based around the twm(1) window manager and does not offer\n"
- "much in the way of features. It does have the advantage of\n"
- "being a standard part of X so you don't need to load anything\n"
- "extra in order to use it. If, however, you have access to a\n"
- "reasonably full packages collection on your installation media,\n"
- "you can choose any one of the following desktops as alternatives.",
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- NULL, dmenuExit },
- { "2 KDE", "The K Desktop Environment.",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=kde" },
- { "3 GNOME + Afterstep", "GNOME + Afterstep window manager.",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=gnome" },
- { "4 GNOME + Enlightenment","GNOME + The E window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=enlightenment" },
- { "5 Afterstep", "The Afterstep window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=afterstep" },
- { "6 Windowmaker", "The Windowmaker window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=windowmaker" },
- { "7 fvwm2", "The fvwm2 window manager",
- NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=fvwm2" },
- { NULL } },
-};
-
DMenu MenuMediaCDROM = {
DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
"Choose a CDROM type",
@@ -844,8 +763,17 @@ DMenu MenuSubDistributions = {
dmenuFlagCheck, dmenuSetFlag, NULL, &Dists, '[', 'X', ']', DIST_COMPAT3X },
#endif
#endif
- { " CRYPTO", "Encryption code - NOT FOR EXPORT!",
- CRYPTOFlagCheck,distSetCRYPTO },
+ { " crypto", "Basic encryption services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_CRYPTO, },
+#if __FreeBSD__ <= 3
+ { " krb", "KerberosIV authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS },
+#else
+ { " krb4", "KerberosIV authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS4 },
+ { " krb5", "Kerberos5 authentication services",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS5 },
+#endif
{ " dict", "Spelling checker dictionary files",
dmenuFlagCheck, dmenuSetFlag, NULL, &Dists, '[', 'X', ']', DIST_DICT },
{ " doc", "Miscellaneous FreeBSD online docs",
@@ -871,43 +799,6 @@ DMenu MenuSubDistributions = {
{ NULL } },
};
-DMenu MenuCRYPTODistributions = {
- DMENU_CHECKLIST_TYPE | DMENU_SELECTION_RETURNS,
- "Select the encryption facilities you wish to install.",
- "Please check off any special encryption distributions\n"
- "you would like to install. Please note that these services are NOT FOR\n"
- "EXPORT from the United States. For information on non-U.S. FTP\n"
- "distributions of this software, please consult the release notes.",
- NULL,
- NULL,
- { { "X Exit", "Exit this menu (returning to previous)",
- checkTrue, dmenuExit, NULL, NULL, '<', '<', '<' },
- { "All", "Select all of the below",
- NULL, setCRYPTO, NULL, NULL, ' ', ' ', ' ' },
- { "Reset", "Reset all of the below",
- NULL, clearCRYPTO, NULL, NULL, ' ', ' ', ' ' },
- { " crypto", "Basic encryption services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_CRYPTO, },
-#if __FreeBSD__ <= 3
- { " krb", "KerberosIV authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS },
-#else
- { " krb4", "KerberosIV authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS4 },
- { " krb5", "Kerberos5 authentication services",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_KERBEROS5 },
-#endif
- { " skrb4", "Sources for KerberosIV",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS4 },
- { " skrb5", "Sources for Kerberos5",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS5 },
- { " ssecure", "BSD encryption sources",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SSECURE },
- { " scrypto", "Contributed encryption sources",
- dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SCRYPTO },
- { NULL } },
-};
-
DMenu MenuSrcDistributions = {
DMENU_CHECKLIST_TYPE | DMENU_SELECTION_RETURNS,
"Select the sub-components of src you wish to install.",
@@ -943,8 +834,16 @@ DMenu MenuSrcDistributions = {
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_BIN },
{ " sbin", "/usr/src/sbin (system binaries)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SBIN },
+ { " scrypto", "/usr/src/crypto (contrib encryption sources)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SCRYPTO },
{ " share", "/usr/src/share (documents and shared files)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SHARE },
+ { " skrb4", "/usr/src/kerberosIV (sources for KerberosIV)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS4 },
+ { " skrb5", "/usr/src/kerberos5 (sources for Kerberos5)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SKERBEROS5 },
+ { " ssecure", "/usr/src/secure (BSD encryption sources)",
+ dmenuFlagCheck, dmenuSetFlag, NULL, &CRYPTODists, '[', 'X', ']', DIST_CRYPTO_SSECURE },
{ " sys", "/usr/src/sys (FreeBSD kernel)",
dmenuFlagCheck, dmenuSetFlag, NULL, &SrcDists, '[', 'X', ']', DIST_SRC_SYS },
{ " tools", "/usr/src/tools (miscellaneous tools)",
@@ -956,6 +855,70 @@ DMenu MenuSrcDistributions = {
{ NULL } },
};
+DMenu MenuXF86Config = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Please select the XFree86 configuration tool you want to use.",
+#ifdef __alpha__
+ "Due to problems with the VGA16 server right now, only the\n"
+ "text-mode configuration tool (xf86config) is currently supported.",
+#else
+ "The first tool, XF86Setup, is fully graphical and requires the\n"
+ "VGA16 server in order to work (should have been selected by\n"
+ "default, but if you de-selected it then you won't be able to\n"
+ "use this fancy setup tool). The second tool, xf86config, is\n"
+ "a more simplistic shell-script based tool and less friendly to\n"
+ "new users, but it may work in situations where the fancier one\n"
+ "does not.",
+#endif
+ NULL,
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)",
+ NULL, dmenuExit },
+#ifdef __alpha__
+ { "2 xf86config", "Shell-script based XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
+#else
+ { "2 XF86Setup", "Fully graphical XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF86Setup" },
+ { "3 xf86config", "Shell-script based XFree86 configuration tool.",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=xf86config" },
+ { "4 XF98Setup", "Fully graphical XFree86 configuration tool (PC98).",
+ NULL, dmenuSetVariable, NULL, VAR_XF86_CONFIG "=XF98Setup" },
+#endif
+ { "D XDesktop", "X already set up, just do desktop configuration.",
+ NULL, dmenuSubmenu, NULL, &MenuXDesktops },
+ { NULL } },
+};
+
+DMenu MenuXDesktops = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Please select the default X desktop to use.",
+ "By default, XFree86 comes with a fairly vanilla desktop which\n"
+ "is based around the twm(1) window manager and does not offer\n"
+ "much in the way of features. It does have the advantage of\n"
+ "being a standard part of X so you don't need to load anything\n"
+ "extra in order to use it. If, however, you have access to a\n"
+ "reasonably full packages collection on your installation media,\n"
+ "you can choose any one of the following desktops as alternatives.",
+ NULL,
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)",
+ NULL, dmenuExit },
+ { "2 KDE", "The K Desktop Environment.",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=kde" },
+ { "3 GNOME + Afterstep", "GNOME + Afterstep window manager.",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=gnome" },
+ { "4 GNOME + Enlightenment","GNOME + The E window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=enlightenment" },
+ { "5 Afterstep", "The Afterstep window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=afterstep" },
+ { "6 Windowmaker", "The Windowmaker window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=windowmaker" },
+ { "7 fvwm2", "The fvwm2 window manager",
+ NULL, dmenuSetVariable, NULL, VAR_DESKSTYLE "=fvwm2" },
+ { NULL } },
+};
+
DMenu MenuXF86Select = {
DMENU_NORMAL_TYPE,
"XFree86 3.3.6 Distribution",
@@ -1254,6 +1217,8 @@ DMenu MenuConfigure = {
NULL, dmenuSubmenu, NULL, &MenuMouse, NULL },
{ " Networking", "Configure additional network services",
NULL, dmenuSubmenu, NULL, &MenuNetworking },
+ { " Security", "Select default system security profile",
+ NULL, dmenuSubmenu, NULL, &MenuSecurityProfile },
{ " Startup", "Configure system startup options",
NULL, dmenuSubmenu, NULL, &MenuStartup },
{ " Options", "View/Set various installation options",
@@ -1340,6 +1305,8 @@ DMenu MenuNetworking = {
dmenuVarCheck, configAnonFTP, NULL, "anon_ftp" },
{ " Gateway", "This machine will route packets between interfaces",
dmenuVarCheck, dmenuToggleVariable, NULL, "gateway_enable=YES" },
+ { " inetd", "This machine wants to run the inet daemon",
+ dmenuVarCheck, dmenuToggleVariable, NULL, "inetd_enable=YES" },
{ " NFS client", "This machine will be an NFS client",
dmenuVarCheck, dmenuToggleVariable, NULL, "nfs_client_enable=YES" },
{ " NFS server", "This machine will be an NFS server",
@@ -1348,6 +1315,8 @@ DMenu MenuNetworking = {
dmenuVarCheck, dmenuSubmenu, NULL, &MenuNTP, '[', 'X', ']', "ntpdate_enable=YES" },
{ " PCNFSD", "Run authentication server for clients with PC-NFS.",
dmenuVarCheck, configPCNFSD, NULL, "pcnfsd" },
+ { " portmap", "This machine wants to run the portmapper daemon",
+ dmenuVarCheck, dmenuToggleVariable, NULL, "portmap_enable=YES" },
{ " Routed", "Select routing daemon (default: routed)",
dmenuVarCheck, configRouter, NULL, "router_enable=YES" },
{ " Rwhod", "This machine wants to run the rwho daemon",
@@ -1369,7 +1338,7 @@ DMenu MenuNTP = {
"close to you to have your system time synchronized accordingly.",
"These are the primary open-access NTP servers",
NULL,
- { { "None", "No ntp server",
+ { { "None", "No NTP server",
dmenuVarsCheck, dmenuSetVariables, NULL,
"ntpdate_enable=NO,ntpdate_flags=none" },
{ "Other", "Select a site not on this list",
@@ -1625,6 +1594,21 @@ DMenu MenuUsermgmt = {
{ NULL } },
};
+DMenu MenuSecurityProfile = {
+ DMENU_NORMAL_TYPE | DMENU_SELECTION_RETURNS,
+ "Default system security profile",
+ "Each item in this list will set what it considers to\n"
+ "be \"appropriate\" values in that category for various\n"
+ "security-related knobs in /etc/rc.conf.",
+ "Select a canned security profile.",
+ NULL,
+ { { "X Exit", "Exit this menu (returning to previous)", NULL, configSecurityModerate },
+ { "Low", "Fairly wide-open (little) security.", NULL, configSecurityLiberal },
+ { "Medium", "Moderate security settings [DEFAULT].", NULL, configSecurityModerate },
+ { "High", "Very restrictive security settings.", NULL, configSecurityFascist },
+ { NULL } },
+};
+
DMenu MenuFixit = {
DMENU_NORMAL_TYPE,
"Please choose a fixit option",
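Review bot: The `X Exit` entry of `MenuSecurityProfile` is wired to `configSecurityModerate` rather than `dmenuExit`, which the other exit entries visible in this file use, so simply backing out of the menu appears to apply the Medium profile. If the profile handlers overwrite the rc.conf knobs the way `configSecurityFascist` does with `variable_set2(..., 1)`, a user who chose High earlier, or toggled inetd/portmap in the Networking menu, would have those settings silently replaced on exit. Unless default-on-exit is intended and documented, the entry should read `{ "X Exit", "Exit this menu (returning to previous)", NULL, dmenuExit },`, with the Medium default applied once elsewhere. All four entries also pass NULL as the check callback, so the menu gives no indication of which profile is currently in effect.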
diff --git a/usr.sbin/sysinstall/sysinstall.h b/usr.sbin/sysinstall/sysinstall.h
index d44b8cb..5049470 100644
--- a/usr.sbin/sysinstall/sysinstall.h
+++ b/usr.sbin/sysinstall/sysinstall.h
@@ -375,6 +375,7 @@ extern DMenu MenuMediaFTP; /* FTP media menu */
extern DMenu MenuMediaTape; /* Tape media menu */
extern DMenu MenuNetworkDevice; /* Network device menu */
extern DMenu MenuNTP; /* NTP time server menu */
+extern DMenu MenuSecurityProfile; /* Security profile menu */
extern DMenu MenuStartup; /* Startup services menu */
extern DMenu MenuSyscons; /* System console configuration menu */
extern DMenu MenuSysconsFont; /* System console font configuration menu */
@@ -387,7 +388,6 @@ extern DMenu MenuInstallCustom; /* Custom Installation menu */
extern DMenu MenuDistributions; /* Distribution menu */
extern DMenu MenuDiskDevices; /* Disk type devices */
extern DMenu MenuSubDistributions; /* Custom distribution menu */
-extern DMenu MenuCRYPTODistributions;/* Encryption distribution menu */
extern DMenu MenuSrcDistributions; /* Source distribution menu */
extern DMenu MenuXF86; /* XFree86 main menu */
extern DMenu MenuXF86Select; /* XFree86 distribution selection menu */
@@ -443,6 +443,10 @@ extern int configRouter(dialogMenuItem *self);
extern int configPCNFSD(dialogMenuItem *self);
extern int configNFSServer(dialogMenuItem *self);
extern int configWriteRC_conf(dialogMenuItem *self);
+extern int configSecurityProfile(dialogMenuItem *self);
+extern int configSecurityFascist(dialogMenuItem *self);
+extern int configSecurityModerate(dialogMenuItem *self);
+extern int configSecurityLiberal(dialogMenuItem *self);
/* crc.c */
extern int crc(int, unsigned long *, unsigned long *);
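Review bot: The new profile prototypes are undocumented, and the handler names (Liberal/Moderate/Fascist) do not match the labels the menu shows to the user (Low/Medium/High), which makes the mapping easy to get wrong when auditing what each profile sets. A one-line comment above the group would help, e.g. `/* Security profile handlers: Liberal = "Low", Moderate = "Medium", Fascist = "High" */`. It would also be worth stating there which rc.conf variables each handler is expected to force.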
@@ -496,7 +500,6 @@ extern int distSetUser(dialogMenuItem *self);
extern int distSetXUser(dialogMenuItem *self);
extern int distSetMinimum(dialogMenuItem *self);
extern int distSetEverything(dialogMenuItem *self);
-extern int distSetCRYPTO(dialogMenuItem *self);
extern int distSetSrc(dialogMenuItem *self);
extern int distSetXF86(dialogMenuItem *self);
extern int distExtractAll(dialogMenuItem *self);