the name for the moderate security profile is "moderate", not
"medium", so update this one reference to it as "medium".
This is a 4.4-RELEASE MFC candidate.
MFC after: 2 days
by providing the opportunity to edit inetd.conf during the system
installation process. The following modifications were made:
(1) Expand the Anonymous FTP description dialog to indicate that inetd
and ftpd must be enabled before it can be used.
(2) Introduce a new configInetd() pair of dialogs, the first describing
inetd, giving a couple of examples of services that require it, and
hinting at potential risk, then asking the user if they wish to
enable it. The second indicates that inetd.conf must be configured
to enabled specific services, and asks if the user would like to
load inetd.conf into the editor to modify it. Add this
configuration action to the index.
There are some further improvements that might be considered:
(1) Provide a more inetd.conf-specific configuration tool that speaks
inetd.conf(5). However, this is made difficult by the "yet another
configuration format" nature of inetd.conf, as well as its use of
commenting to disable services, rather than an in-syntax way to
disable a service without commenting it out. Submissions here
would probably be welcome.
(2) There's some overlap between settings in the somewhat obtuse
Security Profile mechanism and other settings, including the inetd
setting, and NFS server configuration. As features become
individually tunable, they should probably be removed from the
security profile mechanism. Otherwise, somewhat counter-intuitively,
sysinstall (in practice) queries multiple times whether inetd, nfsd,
etc, should be enabled/disabled. A possible future direction might
be to drive profiles not by degree of paranoia, rather, the set
of services desired. Or simply to remove the Security Profile
mechanism and resort to feature-driven configuration.
Reviewed by: imp, chris, jake, nate, -arch, -stable
names suggest, they perform methods on Device's. In addition, they
check that the pointer passed to them is valid; if it isn't, they
pretend that the action failed. This fixes some crashes due to NULL
dereferences (e.g., PR 26509).
Approved by: jkh (some time ago)
no as a default. Sysinstall should be both less dangerous and less
annoying as a result of this change, though that's just my opinion
(since they're the defaults which annoy ME the least :).
standard or serial. This change needs to be done to the entire system that
depends on this. This way we don't have some code using OnVTY checks
and other doing
strcmp(variable_get(VAR_FIXIT_TTY), "standard") == 0
checks. Also we need to set VAR_FIXIT_TTY to "serial" if we come up on
a serial console.
Also fixed a dialog problem in that dialog was used when dialog was
disabled causing some troubles such as not letting the cursor keys
work when exiting the fixit mode on media (ie. not the fixit shell but
for example fixit on a floppy).
Submitted by: Doug Ambrisko <ambrisko@whistle.com>
PR: 22352
a default. This should prevent people from whacking return at
the Distributions menu and getting nothing selected as a result
(a minimal "standard" system will at least install).
Flagged as big tech support headache by: Chris Shumway <cshumway@osd.bsdi.com>
appropriate(?) defaults for "low", "medium" and "high" security
environments. Medium is basically what we currently have with a little
seat-belt tightening where it made sense. Low is the same as medium but
without the tightening. High is positively fascist with nothing turned
on by default and an automatic call to 911 if it can find a modem.
does bad things to /etc/make.conf in certain situations. Also
soften the "don't install crypto from the USA!" messages since,
except for RSA (which is still noted), that's not so true anymore.
IPv6 configuration is only done by rtsol. Does someone really
need manual configuration? :-)
You can specify IPv6 DNS server as well.
We have only one server ftp7.jp.freebsd.org that speaks IPv6
in this time. ftp7.jp speaks IPv4 as well and also listed as
Japan #7.
Approved by: jkh
setting 'usbd_enable' in rc.conf during nwe installs if USB is detected.
Also, since usbd already handles USB mice automatically, note that the
mouse setup section in sysinstall only applies to non-USB mice.
on locale.
o Allow use of "G" in label editor to stand for gigabytes. This
is actually an unrelated patch which I meant to commit separately
but what the heck, it's late.
Partially submitted by: phk
as redoing all the menus to have proper, or at least non-hallucinogenic,
keyboard accelerators.
This requires my recent update to libdialog to work properly and will
probably also exhibit some other "interesting" behavior while the last
few missing screen clears are found (which is why I'm not going to MFC
immediately). At least now, however, sysinstall does not gratuitously
redraw random screens at the drop of a hat and drive serial console
installers out of their minds.
