On Tue, Jun 20, 2000 at 08:45:25AM -0400, Raul Miller wrote:
> In my opinion, this is true of all services. Exporting them to all
> connected systems by default is a security risk. And, while there's a lot
> we could do if the technology were better, we could at least have some
> sort of file in /etc which defines some basic policy about such things
> -- export by default vs. localhost only vs. ask user vs. export only
> "the important stuff" by default [which, unfortunately, is undecidable,
> but it's worth mentioning if only for contrast].
> [... why not ipchains ...]
>
> What would be "really nice", of course, would be an enhancement to
> ipchains which let you make decisions on a per-program basis. But,
> since we don't have that, I think we need a little more attention on
> getting the user involved in the configuration of exported services.
> [...]
>
> My guess is that debconf could be pressed into service, here. For woody,
> it would be nice to have a whole category of optional questions related to
> "do you want this exported or not". Share some initial leading question
> or three, so that people can choose whether they want this level of detail
> at config time, and then leave the rest up to package implementation.

This sounds really interesting. I think it needs some work before it
becomes a policy proposal, but I think this is better than just
referring to /usr/doc. I think this is more of a "show me the code"
type of situation.

   Julian

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  Julian Gilbey, Dept of Maths, QMW, Univ. of London. [EMAIL PROTECTED]
  Debian GNU/Linux Developer, see http://www.debian.org/~jdg
  Donate free food to the world's hungry: see http://www.thehungersite.com/