svn commit: r314036 - head/usr.sbin/bsdinstall/scripts

[Conrad Meyer]

On Wed, Feb 22, 2017 at 10:05 AM, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
> On Wed, Feb 22, 2017 at 08:11:14AM -0800, Conrad Meyer wrote:
>
>> On Wed, Feb 22, 2017 at 3:23 AM, Joel Dahl <joel at vnode.se> wrote:
>> > On Wed, Feb 22, 2017 at 07:56:52AM +0000, Bartłomiej Rutkowski wrote:
>> >> I strongly believe we should, by default, ship as secured and hardened as
>> >> possible in order to improve overall security of new users installations.
>> >> Power users will and do change the OS as they please, they most likely
>> >> don't use bsdinstall in first place, so they're not affected in any way.
>> >
>> > Sorry, I strongly disagree with that. I'm most likely a "power user" and I use
>> > bsdinstall.
>>
>> Ditto.  I'm also unfamiliar enough with the installer to trip on this
>> kind of thing.  Slawa's proposed "disable all" option would be fine.
>
> My english not enought fluent for more explicate proposal, from my
> point most of this options do hardened in only limited cases, for
> other cases same options do system more un-hardened by force working
> as root. Some have unevident effects (/tmp cleaning, for example).

Yep.  I am not concerned about disabling sendmail or remote syslog by
default, though.

> For many users this options will be source of weird issuses (gdb don't
> work? fucking ugly freebsd! migrate to linux).

Yeah, I am concerned about this too.  (Also: "ps doesn't work" would
be a big newbie sysadmin headache.)

> This is evil trend of enforcing weird solutions under the auspices of
> 'my safety': airport security check, backgound check on every point,
> lawfull intercept, block access to hardware management in safety
> enviroment by 'leak ecnription'. I am enoght smart for self-sufficient
> security risk assessment!
>
> Industry already have at some "hardened" BSD: OpenBSD and HardenedBSD.
> Waht about market share?

Best,
Conrad