Re: more mail related musings...
Education is the answer here.

As Aaron suggests, we could patch the system, or even come up with a
utility to do all sorts of management but that path leads to M$/Apple land
where a nice pixmap shows up while some utility goes berserk on your

Matthew suggests "failing secure" but the risk to the project is that the
system will "fail non-functional" and be slagged with comments like "I
installed it but nothing worked".

I favour a series of tutorials (white papers, whatever) in /usr/share/doc
to alert the user to the risks/benefits and recommended practices for
OpenBSD. Theo's initial mail message to root was a great help when I
started, and the "So you want to put a machine on the Internet" FAQ from
news.answers is another good example.

The man pages are for experts: you know what you're doing and you're using
them as a reference on syntax and expected behaviour. They are not
tutorial materials, even if they are correct.

I'm putting my name down to form a team to add tutorial documentation to
the OpenBSD distribution. The stuff is out there, but it needs to be
collected and edited.

What says the group?

Louis Bertrand, Bowmanville, ON, Canada

On Fri, 23 Oct 1998, Matthew Patton wrote:
> Since our stated goal is security, I want to run this idea by the community.
> We have in the distro a fixed sendmail daemon as well as the highly
> regarded smtpd and smtpfwdd from Obtuse Systems.
>
> Does it make sense to change our default distribution to use these programs
> together in concert rather than relying exclusively on sendmail? Well
> actually out of box, no kind of mail daemon is running. I don't intend to
> change that. Just changing the comments in rc.conf is what I am proposing.
> Maybe a blurb or two in the after_install man page as well.
>
> On a slightly related note, our default inetd.conf has things like shell,
> login, daytime, time, comsat, ntalk, rstatd, rusersd, finger all running.
> This seems to go against a "security first" mindset. My idea is that we
> should shut all of them down save maybe telnet, ftp, ident, and/or change
> rc.conf to have a NO as the default.
>
> Some may argue that I'm off my rocker (again). But I think it's important
> that we "fail secure" as opposed to "failing open." New users are probably
> apt to just let their system run in whatever default state they found it in
> not knowing what's really going on. If they discover they need something
> that was off, they are likely to read whatever man page necessary to turn a
> service on. I feel this is a good thing.
>
> OpenBSD - Because security matters... (http://www.openbsd.org/)
>
> The spark of the revolutionary war, the battle of Lexington and Concord,
> was prompted by the ruling government's attempts to confiscate the
> "assault weapons" of the day held by local militias.
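
Added example, not part of the original thread: a small sh/awk check that lists the services enabled in an inetd.conf-format file that fall outside the keep-list proposed in the quoted message (telnet, ftp, ident). The sample file contents and paths, and the names `KEEP`, `sample_inetd_conf` and `audit_inetd`, are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit enabled inetd services against a keep-list.
# KEEP holds the services the quoted message suggests leaving on.
KEEP="telnet ftp ident"

# Constructed sample in inetd.conf format (not the real OpenBSD default file).
sample_inetd_conf() {
cat <<'EOF'
# constructed sample for the audit below
ftp        stream tcp     nowait root   /usr/libexec/ftpd       ftpd
telnet     stream tcp     nowait root   /usr/libexec/telnetd    telnetd
shell      stream tcp     nowait root   /usr/libexec/rshd       rshd
#login     stream tcp     nowait root   /usr/libexec/rlogind    rlogind
finger     stream tcp     nowait nobody /usr/libexec/fingerd    fingerd
ident      stream tcp     nowait nobody /usr/libexec/identd     identd
daytime    stream tcp     nowait root   internal
daytime    dgram  udp     wait   root   internal
rstatd/1-3 dgram  rpc/udp wait   root   /usr/libexec/rpc.rstatd rpc.rstatd
EOF
}

# Print "service protocol" for every enabled entry that is not in KEEP.
# Reads the named file, or stdin when no file is given.
# Returns 0 when nothing extra is enabled, 1 otherwise.
audit_inetd() {
    extra=$(awk -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }   # commented out (disabled), blank or malformed
        {
            svc = $1
            sub(/^.*:/, "", svc)        # drop an optional "address:" prefix
            sub(/\/.*$/, "", svc)       # drop an RPC version suffix such as /1-3
            if (!(svc in ok)) print svc " " $3
        }
    ' "$@" | LC_ALL=C sort -u)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Demo on the constructed sample; call audit_inetd with a real path instead.
sample_inetd_conf | audit_inetd || echo "^ enabled but not in keep-list: $KEEP"
```
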