Commit Graph

221 Commits

Author SHA1 Message Date
David E. O'Brien
b0d55f3fc9 I think we can stop doing 'ldconfig -aout' during the install now.
The base install doesn't have any a.out bits anymore and hasn't for years.
2004-01-02 09:33:58 +00:00
Tom Rhodes
a27f75251a Provide a way to deal with rc.conf which may already be populated in certain
cases.
2003-12-13 16:12:55 +00:00
Joe Marcus Clarke
504fbf4e1e Replace the KDE and GNOME 2 desktops with KDE (Lite Edition) and GNOME 2
(Lite Edition) respectively.  These "lite" packages are streamlined to
provide users with the core essentials for each desktop and to fit on the
release disc 1.

Approved by:	re (scottl)
2003-12-02 20:49:46 +00:00
Robert Watson
4b51d758d5 Add a Securelevel sub-menu to the Security configuration menu,
permitting the administrator to select a securelevel to operate
at.  Include a helpfile summarizing some of the information from
init(8).  This allows for explicit configuration of securelevels,
which was previously implicit in Security Profile selection.
Currently, there are no checkboxes for the active securelevel,
because sysinstall's facilities for deriving "current settings"
from rc.conf may use only one variable, not two, and I opted for
the simplest approach at this point.

Approved by:	re (scottl)
2003-11-29 21:44:51 +00:00
Robert Watson
7fba2041a7 Remove security profiles from sysinstall. Currently, security profile
selection is used to drive two configuration parameters:

(1) Default enable/disable for sshd
(2) Default enable/disable for securelevels

Replace this with an explicit choice to enable/disable sshd.  A
follow-up commit will add a configuration option to the Security
post-install configuration menu to set the securelevel in rc.conf
explicitly.  This should reduce the level of foot-shooting associated
with accidental enabling of securelevels, make the nature and
implications of the securelevel configuration options more explicit,
as well as make the choice to enable/disable sshd more explicit.

Approved by:	re (scottl)
2003-11-28 18:47:45 +00:00
Robert Watson
4880db4afd Tweak "system security profiles":
(1) Don't modify the configuration of the NFS server as a result of
    selecting a profile.  We already explicitly prompt for the NFS
    server configuration during install, and the user may not get
    much advance notice that we're turning it off again.  Instead,
    use profiles (for better or for worse) only for security tuning.

(2) Don't modify the sendmail setting as part of the security profile:
    use the default from /etc/defaults/rc.conf rather than explicitly
    specifying.  Note that the default in /etc/defaults/rc.conf is
    more conservative than the explicit rc.conf entry added by
    sysinstall during install, as it does not permit SMTP delivery.

(3) Update "congratulations on your profile" text to reflect these
    changes.

Note that security profiles now affect only the securelevel and sshd
settings.  My leaning would be to make sshd an explicit configuration
option, move securelevels to the security menu, and drop security
profiles entirely.  However, that requires more plumbing of sendmail
than I'm currently willing to invest.

We may want to add a "permit SMTP delivery" question to the install
process.
2003-09-28 05:21:23 +00:00
Tom Rhodes
208cece4f0 Fix a cut n paste typo I introduced in rev 1.211.
PR:				57012
Submitted by:			Nobuyuki Koganemaru <n-kogane@syd.odn.ne.jp> (original version)
Friendly prod provided by:	murray
MFC:				after re approval
2003-09-27 13:58:16 +00:00
Tom Rhodes
332a31b21e Remove the unrequired -bi from the newaliases line. Note in the commit log
that the last change should have read: exim_enable="YES" in the changes listing.

Discussed with:	ceri
2003-09-11 16:27:16 +00:00
Tom Rhodes
28e0a3843a With the exim port upgrade, modify sysinstall(8):
- Add 'enable_exim="YES"' to rc.conf(5)
- Use the default exim configuration file from the port
- When using sendmail, disable some more scripts that use sendmail specific
  parameters
- Have sysinstall tweak mailer.conf(5) substitution
- Use 'N' flag for newsyslog(8)

Submitted by:	Oliver Eikemeier <eikemeier@fillmore-labs.com>
Reviewed by:	sheldonh, simon
Tested by:	myself (trhodes) and submitter
2003-09-10 20:55:09 +00:00
Hajimu UMEMOTO
571ecd7ab4 Always put an entry for ::1. It may avoid useless DNS lookup
for localhost.

MFC after:	3 days
2003-08-03 05:55:21 +00:00
Tom Rhodes
b9c3c3fc77 Give users the ability to select an alternative MTA during the installation.
This option adds Postfix and Exim to the list, however, qmail is not added
due to license restrictions.

Collaborated with:	Simon L. Nielsen <simon@nitro.dk>
Reviewed by:		jhb, re@, -audit.
2003-07-12 15:33:09 +00:00
Scott Long
acb9e0f3f6 Teach sysinstall to recognize if acpi was turned off from the bootloader,
and then ask the user if this should be made permanent.

Approved by:	re
2003-05-31 11:28:28 +00:00
Robert Watson
c2f10e2de4 Relocate a call to enable inetd so that it is set regardless of
whether the user chooses to edit inetd.conf.

PR:	39311
Reported by:	Martin Faxer <gmh003532@brfmasthugget.se>
2003-02-06 01:55:40 +00:00
Scott Long
9335d6884c Teach sysinstall about rpcbind, rpc.lockd, and rpc.statd. As an added
bonus, rpcbind will be enabled automatically if rpc.lockd, rpc.statd, amd,
NFS Server, or NIS is enabled.
2003-01-07 07:46:50 +00:00
John Baldwin
cab2a4d2b9 Only try to setup moused(8) before setting up the X server if WITH_MICE is
defined.

Approved by:	re
2002-11-27 19:39:26 +00:00
John Baldwin
8e5bc72116 - Add a configOSF1() function (#ifdef __alpha__) that creates /compat/osf1
  in addition to setting osf1_enable to YES.
- Only define configLinux() #ifdef WITH_LINUX.

Approved by:	re
2002-11-27 19:37:00 +00:00
Bruce A. Mah
0108d59df2 Add GNOME 2 to the sysinstall desktop configuration menu, remove
the two GNOME 1-based alternatives.

While here, note that a majority of the items in this menu are not
sentences, and remove trailing dots to make the remainder consistent.

Reviewed by:	marcus
Approved by:	re (bmah)
2002-11-26 22:14:34 +00:00
Marcel Moolenaar
df81b3e662 Also test for type efi everywhere we currently test for type fat.
With this change there's no a priori difference between EFI and
FAT partitions. With this change and the corresponding change to
libdisk, we can create EFI partitions, just like regular FAT
partitions.
2002-11-13 05:39:59 +00:00
Jens Schweikhardt
5333b7726b Typo: s/seperately/separately
PR:		misc/41235
Submitted by:	Fesskat Tudeer <freebsd-fesskat@fesskat.org>
MFC after:	3 days
2002-08-06 20:36:02 +00:00
David E. O'Brien
8777223029 Change our default XF86Config location from /etc/ to /etc/X11/,
following the lead of The XFree86 Project's default.

Approved by:	Murray
2002-06-10 04:47:26 +00:00
Murray Stokely
8c44723416 Add comment to supplement my last commit.
Requested by:  obrien
2002-04-07 10:40:31 +00:00
Murray Stokely
7e25871d19 Teach sysinstall the difference between a command line, and an
executable file, so that we can pass commands with arguments to
configXSetup().
2002-04-06 02:39:27 +00:00
Robert Watson
71e8420535 o No longer mount /proc by default on newly installed systems. Almost
  all facilities that previously relied on /proc have been rewritten
  to use ptrace().  procfs has presented a substantial security
  hazard for years, with several user->root compromises in the last
  few years.  Procfs will continue to be available but will require
  administrator intervention to use.

Reviewed by:	scottl, jedgar, mike, tmm
2002-02-10 01:34:04 +00:00
Maxim Sobolev
ef9cff0bec Sawfish package built on bento is called `sawfish-gnome', so adjust sysinstall
and print-cdrom-packages.sh accordingly.

Revealed by:	re
MFC after:	1 day
2002-01-09 20:10:02 +00:00
Robert Watson
4d0032bde9 o Expand the text describing the Security options menu.
o Move nfs_reserved_port_only out of security profiles (where it was
  set somewhat improperly) to the Security options menu directly.
  Previously, the variable was set to true for Moderate, but not for
  Extreme, which is at best inconsistent.
o Update the Security Profiles help file to remove reference to the
  NFS reserved port.

o Note that the kernel currently defaults the sysctl to '0', but
  sysinstall has changed it to '1' as a default as of late; however,
  rc.conf sets the value to NO as the default.  This change brings
  them relatively into sync.

Sponsored by:	DARPA, NAI Labs
2001-12-21 19:51:44 +00:00
Robert Watson
86f2d72fd8 o Add a configSecurity menu to generally configure security settings,
  and pull configSecurityProfile under that menu.  Add a menu option
  to determine whether LOMAC is enabled at boot.  Probably, eventually,
  many of the 'Security Profile' menu choices should be pulled out
  independently into the Security Menu, so as to make them individually
  selectable.

Sponsored by:	DARPA, NAI Labs
2001-12-21 18:30:50 +00:00
Murray Stokely
d47aa91c6a Silence warnings on alpha :
Use '%p' when printing out the address of a function.
  sizeof(int) != sizeof(long)
2001-09-22 22:34:14 +00:00
Robert Watson
dd5360b44c Spell SSHd as sshd to improve readability and consistency.
2001-09-04 20:22:14 +00:00
Robert Watson
0d0f76632d Add an additional \n before the "cautionary note" on the topic of
admins needing to pay attention when configuring the system.  This
improves readability of this message.
2001-09-04 20:21:12 +00:00
Ruslan Ermilov
1c86a7d9c7 Removed the (possible) ambiguity in /etc/rc.conf comment.
PR:		bin/29736
2001-08-17 16:05:54 +00:00
Josef Karthauser
67923e665b Sysinstall inserts a comment between changes to /etc/rc.conf.
Add a timestamp to the comment so that it's possible to see when
changes were made.

e.g.:
# -- sysinstall generated deltas -- # Wed Aug 15 18:10:20 2001
2001-08-15 17:10:49 +00:00
Robert Watson
86a02c1326 Somewhere along the way, configSecurityModerate() lost its "int"
return value.

Spotted by:	gratuitous use of diff during MFC process
2001-08-11 03:26:52 +00:00
Robert Watson
614af3941d o Reduce the number of offered security profiles, as we now have a more
  conservative default, and actually prompt specifically for inetd rather
  than handling it as a side effect of the security profile.  Update the
  help file to reflect this change.
o Rename "Fascist" to "Extreme" in the source code, to match the names
  presented to the user.
o Remove portmap and inetd from profile management.  Portmap is now
  disabled by default, but automatically turned on if a feature requires
  it (such as NFS, etc).

This is an MFC candidate for 4.4-RELEASE.

Reviewed by:	freebsd-arch@FreeBSD.org
Approved by:	re@FreeBSD.org
MFC after:	2 days
2001-08-10 23:57:43 +00:00
Robert Watson
f5ad562c54 Return DITEM_SUCCESS from configInetd(), as apparently a success or
failure value is expected.

Spotted by:     gcc
2001-08-10 02:23:10 +00:00
Andrey A. Chernov
cf9da17cbb Apply pending /etc/ttys changes before calling editor on it
Approved by:	rwatson
2001-08-07 15:13:42 +00:00
Robert Watson
f3ea28cb07 In preparation for MFC of sysinstall changes to edit /etc/ttys in
post-install config, reduce the potential confusion from the existence
of both configTTYs and configTtys by renaming configTTYs to
configEtcTtys.  While this is not a C naming conflict, it was probably
a poor choice of names on my part.
2001-08-07 12:48:17 +00:00
Robert Watson
c17d6a73f2 Add the ability to modify /etc/ttys before first reboot during the
system installation process.  This allows users installing via serial
console to enable serial console login during the installation
process using an un-customized install.  The user is not prompted to
modify /etc/ttys during a normal install, but is offered the
opportunity during post-install configuration.

- Introduce configTTYs(), which describes the benefits of editing
  /etc/ttys, and asks for confirmation before spawning the editor.
- add configTTYs to the post-install configuration, as well as to
  the global configuration index.
2001-08-02 03:53:36 +00:00
Robert Watson
0c09bcb0e8 Compensate for default disabling of network services in inetd.conf(5)
by providing the opportunity to edit inetd.conf during the system
installation process.  The following modifications were made:

(1) Expand the Anonymous FTP description dialog to indicate that inetd
    and ftpd must be enabled before it can be used.

(2) Introduce a new configInetd() pair of dialogs, the first describing
    inetd, giving a couple of examples of services that require it, and
    hinting at potential risk, then asking the user if they wish to
    enable it.  The second indicates that inetd.conf must be configured
    to enable specific services, and asks if the user would like to
    load inetd.conf into the editor to modify it.  Add this
    configuration action to the index.

There are some further improvements that might be considered:

(1) Provide a more inetd.conf-specific configuration tool that speaks
    inetd.conf(5).  However, this is made difficult by the "yet another
    configuration format" nature of inetd.conf, as well as its use of
    commenting to disable services, rather than an in-syntax way to
    disable a service without commenting it out.  Submissions here
    would probably be welcome.

(2) There's some overlap between settings in the somewhat obtuse
    Security Profile mechanism and other settings, including the inetd
    setting, and NFS server configuration.  As features become
    individually tunable, they should probably be removed from the
    security profile mechanism.  Otherwise, somewhat counter-intuitively,
    sysinstall (in practice) queries multiple times whether inetd, nfsd,
    etc, should be enabled/disabled.  A possible future direction might
    be to drive profiles not by degree of paranoia, rather, the set
    of services desired.  Or simply to remove the Security Profile
    mechanism and resort to feature-driven configuration.

Reviewed by:	imp, chris, jake, nate, -arch, -stable
2001-08-02 03:25:16 +00:00
Andrey A. Chernov
3670a10826 Add ability to configure console terminal type in /etc/ttys
Reviewed by:	audit, jkh's silence
2001-07-17 04:09:50 +00:00
Ruslan Ermilov
d95db8f60e msdos -> msdosfs.
2001-06-01 12:16:09 +00:00
David E. O'Brien
f5a79676ee Our exports(5) syntax is rather "host-centric", while people coming from
a Sun background think in a more FS-centric mind set.  Add a note to help
the Sun backgrounded ones to not make invalid assumptions.
2001-04-22 18:59:03 +00:00
David E. O'Brien
3d43d76fe3 Add an example borrowed from the FAQ showing a very commonly desired
export in FreeBSD'ville for `make installworld' elsewhere.
2001-04-22 18:54:20 +00:00
David E. O'Brien
ad0f825a09 Give a little more variety in the /etc/exports example.
2001-04-01 09:19:23 +00:00
Jordan K. Hubbard
386deae89c afterstep doesn't need an explicit xterm started for it either.
2001-03-24 03:17:35 +00:00
Jordan K. Hubbard
7416da67e9 Very small cosmetic tweak - avoid starting an extra xterm for the fvwm
desktop case.
2001-03-16 03:32:13 +00:00
Jordan K. Hubbard
369e272fb6 Argh! Why can't I stop breaking the fvwm desktop option? *I* use
fvwm as my desktop, yet I've broken this damn thing 3 times in a row
now while all the desktops I don't actually use continue to work fine! :)
2001-03-14 09:39:54 +00:00
Jordan K. Hubbard
56d6f15dca OK, *now* we only sort the file once (red face).
2001-03-14 03:26:40 +00:00
Jordan K. Hubbard
401e1ee5c1 Be a better rc.conf citizen and create an initial file which:
1. Has a time-stamp to show when it was created

2. Sorts and uniq's the output to only contain single instances of a
   given setting. This doesn't mean you still can't have settings which
   override one another, that's still possible since it's too much
   trouble to do the redundancy checking here.

Requested by: 	lots of people
2001-03-13 06:42:12 +00:00
Jordan K. Hubbard
c95f3d84ce Properly deal with the fvwm desktop - this should restore that option
to functionality.
2001-03-12 22:43:27 +00:00
Jordan K. Hubbard
717bd36c83 Fix some of the security profile messages to be more explanatory
and also obey most of the rules of English in their construction.

Add a help screen for the security menu which gives the user a rough idea
just what the various security profiles do.
2001-03-08 10:16:56 +00:00