Jens-Eike Jesau wrote:
Hi Jens,

> * Hartmut Gerlicher (h.gerlicher@tu-bs.de) [19990922 13:25] spoke:
> | [...] what is/does nscd?
> |
> | and why the hell is it enabled by default?
> |
> | (I hate programs being enabled by default [...]
>
> I enjoyed reading this thread. Yes, most of you *hate* sloppy default setups, and those security holes a SuSE system has if used by an inexperienced user.

I was about to write along the same lines, but in the end didn't dare.

> But I think it's not fair to blame SuSE for that (well, especially if they documented their policy anywhere... e.g. drop a note about things like nscd). They do a damn good job in helping inexperienced users to get a working system set up, a system that *can* be made secure afterwards, without having to build from scratch.
>
> A newbie *can* use it out of the box, can play and test a lot, without having to bother just to get the stuff to run.
>
> Imagine how disappointing it is for a newbie if he *can't* test all those funny services on his localhost, if he had to wander through all the collected wisdom of wizardhood just to get to know how a UNIX behaves.

I am not a newbie anymore, but I am utterly confused by all these services and daemons, and particularly by what they are good for. Since I do not know exactly what to look for or ask, the amount of stuff to read (= time to spend) is enormous.

> Of course, this system *cannot* be perfectly secure, by far not secure enough for a cable connection with a static IP.
>
> You have to know what you're doing then, and YaST *can* be a valuable help then (can be a threat also.. ;-) ).
>
> I'd suggest to the SuSE people to prepare some kind of 'profile', with an outline of a setup for various tasks, and ask the user whether he wants a machine for standalone, family or www-server use. The set of permissions from "easy" to "paranoid" is already a good idea; why not try something in this fashion for the services? Maybe increase the verbosity level of package selection
> ("hey U idiot, don't tell me U want *that* package on a server? No, I won't install that.") ;-)

Well, it does not need to be SuSE, by the way. Imagine a "tool" that "edits" or "recreates" the relevant files in the style the kernel config works. If I press help in there, I get a nice description of an incomprehensible option in a mostly incomprehensible help text, ending with "If you don't know what we are talking about you probably won't need this." or "It's safe for most users to say NO here". I like that ;-)

One of my personal fears is something like the "Windows effect": you install a new small tool that works perfectly, and two weeks later, when you use your scanner the next time, it won't work. I fear similar things happen with disabled services. I know this is a lame comparison, but that's what I fear.

Anyway, I had a look into /etc/inetd.conf and disabled pop3, talk, ntalk, finger (what the heck is "ident"?), btx and midinet by double "##"-ing them, to find the stuff easier...

Juergen

> Bye!
>
> --
> Greetings / with best regards
> Jens-Eike Jesau
--
Juergen Braukmann
mail: brauki@cityweb.de
Tel: 0201-743648
dk4jb@db0qs.#nrw.deu.eu
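The "double ##" approach Juergen describes above, scripted, as an added example that is not part of the thread: list which services an inetd.conf actually hands out, then comment the unwanted ones out with a "##" prefix so they are easy to grep for later. The inetd.conf content embedded below is constructed for this example, and the server paths and service set are illustrative. For the question raised in the thread: "ident" is the auth service on TCP port 113 (identd), which tells a remote host which local user owns a given TCP connection; it is included in the disable list here.

```shell
#!/bin/sh
# Added example (not from the thread): audit an inetd.conf for enabled services and
# comment unwanted ones out with "##", the convention described in the message above.
# The config below is a constructed sample; paths and services are illustrative.

SAMPLE_INETD_CONF='# inetd.conf (constructed sample)
# <service> <socket> <proto> <wait> <user> <server> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd   in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd   in.telnetd
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd   /usr/sbin/popper -s
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd   in.fingerd -w
talk    dgram   udp     wait    root    /usr/sbin/tcpd   in.talkd
ntalk   dgram   udp     wait    root    /usr/sbin/tcpd   in.talkd
auth    stream  tcp     wait    root    /usr/sbin/in.identd  in.identd -w -t120
## btx  stream  tcp     nowait  root    /usr/sbin/tcpd   in.btxd
'

# enabled_services FILE: print the service name of every line inetd would act on
# (anything that is neither blank nor a comment).
enabled_services() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{ print $1 }'
}

# disable_services IN OUT SERVICE...: copy IN to OUT, prefixing the listed services
# with "##". Lines that are already comments are left untouched.
disable_services() {
    in_file=$1; out_file=$2; shift 2
    # Build an anchored alternation, e.g. ^(pop3|talk|ntalk|finger|auth)$
    pat="^($(printf '%s|' "$@" | sed 's/|$//'))\$"
    awk -v pat="$pat" '
        /^[[:space:]]*#/ { print; next }    # keep existing comments as they are
        $1 ~ pat         { print "##" $0; next }
        { print }
    ' "$in_file" > "$out_file"
}

# Demo: write the sample, disable the services named in the thread, show before/after.
demo() {
    tmp=$(mktemp) && out=$(mktemp) || return 1
    printf '%s' "$SAMPLE_INETD_CONF" > "$tmp"
    echo "enabled before: $(enabled_services "$tmp" | tr '\n' ' ')"
    disable_services "$tmp" "$out" pop3 talk ntalk finger auth
    echo "enabled after:  $(enabled_services "$out" | tr '\n' ' ')"
    rm -f "$tmp" "$out"
}

demo
```

Two caveats a practitioner would add to Juergen's step: editing /etc/inetd.conf changes nothing until inetd re-reads it (send it SIGHUP, e.g. `kill -HUP` on its pid), and the result should be confirmed from the outside, for instance by checking that the ports no longer show up as LISTEN in `netstat -an`. Also note that nscd, the daemon Hartmut asked about, is not an inetd service at all; it is a standalone daemon started from the init scripts, so this audit will not show it.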