Re: de facto standards (Re: 4.6 will be released on October 1st?)

2009-08-19 Thread Elio Grieco

On Aug 19, 2009, at 8:36 AM, Nido wrote:

> what's wrong with $random_ftp_site?

Some ISPs (Cox *ahem*) block ftp altogether. Good thing OpenBSD has http mirrors.


Elio Grieco



Re: Disable rsh or not?

2006-11-18 Thread Elio Grieco

Here is a more complete excerpt from the book in question, Mastering FreeBSD and OpenBSD Security, section 2.1.3.1, Candidates for system immutable:

> It's sometimes also useful to create blocker files that are immutable to prevent file-creation exploits from creating holes. Imagine a file-creation exploit that creates a ~root/.rhosts file containing +. Your rsh/rlogin daemons (that for some crazy reason you didn't disable yet) will now permit root logins from any system with no password (see rhosts(5) for more information). If you create the file, make it empty, and then make it immutable, you protect yourself from an attack like this. There is an equivalent ~root/.shosts file that is used by ssh; it could also be blocked this way.

I think they mean a hypothetical situation in which someone had enabled those services. OpenBSD strives to be secure by default, a point covered in other chapters of the book.


Elio Grieco


On Nov 18, 2006, at 7:58 AM, Maverick wrote:

> Hi,
> I am trying to secure my OpenBSD.
> I am quite new to OpenBSD, so I am reading the book Mastering FreeBSD And OpenBSD Security.
>
> It said: "Your rsh/rlogin daemons (that for some crazy reason you didn't disable yet) will now permit root logins from any system with no password."
>
> Does that mean I should disable rsh? Or disable rlogin?
>
> If one of them, can you please tell me how I can do it?
>
> Thanks a lot
>
> Best regards,
> Maverick
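
The blocker-file approach from the book excerpt above, as an added example (not code from the thread, the book or OpenBSD itself): a small sh script that creates the empty files, marks them schg with chflags(1) where that command exists, and audits the result. The function names make_blocker and blocker_ok are mine; it assumes OpenBSD's chflags and the flags column of ls -o.

```shell
#!/bin/sh
# Added example, not from the thread or the book: plant empty, immutable
# "blocker" files so that a file-creation bug cannot drop a usable
# ~root/.rhosts or ~root/.shosts. Assumes OpenBSD chflags(1) and ls -o for
# the flags column; the schg flag can only be cleared at securelevel 0.
# Directory and file name are parameters so it can be tried on a scratch dir.

make_blocker() {
    dir=$1; name=$2; path="$dir/$name"
    # Never truncate through a planted symlink.
    if [ -L "$path" ]; then
        echo "refusing to touch symlink: $path" >&2
        return 1
    fi
    # Truncate, not append: an existing "+" line must not survive.
    : > "$path"
    chmod 600 "$path"
    # System-immutable flag where chflags exists (OpenBSD/FreeBSD).
    if command -v chflags >/dev/null 2>&1; then
        chflags schg "$path" || return 1
    fi
}

blocker_ok() {
    # Returns 0 when the blocker exists and is empty (and carries schg
    # where chflags is available); prints the reason otherwise.
    path="$1/$2"
    [ -f "$path" ] || { echo "missing: $path"; return 1; }
    [ -s "$path" ] && { echo "NOT empty: $path"; return 1; }
    if command -v chflags >/dev/null 2>&1; then
        ls -lo "$path" | grep -q schg || { echo "not immutable: $path"; return 1; }
    fi
    return 0
}
```

On a host without chflags only the existence and emptiness checks run, so the audit is weaker there; on OpenBSD raise the securelevel after setting the flag or the protection can be undone by root.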




Re: Is there a deluser equivalent in OpenBSD?

2006-11-16 Thread Elio Grieco

On Oct 29, 2006, at 11:15 AM, Ingo Schwarze wrote:

> Leonardo Rodrigues wrote on Sun, Oct 29, 2006 at 01:45:15PM -0300:
>> Though, it seems a bit strange that OpenBSD lacks something like that.
>
> Look at it from a different perspective:
>
> There are other operating systems out there featuring thousands of
> lines of complicated scripts just to ensure that users never need
> to do simple tasks themselves.

I agree that is overkill for more esoteric tasks, but for something as common as user management the basics should be built into the OS. Why require users to go writing their own scripts for common tasks? To me the whole point of using software is to remove the tedious parts and let the humans concentrate on the parts that the computer cannot do.



> In addition to the usual "simplicity improves maintainability and
> usability" argument, my impression is that OpenBSD actively encourages
> users to understand how the system works - and to understand which
> tasks are simple and which ones aren't.

This may seem like simplicity, but in reality this forces multiple implementations of the deluser command as everyone writes their own scripts. This decreases security, since each custom script is unlikely to be audited for correctness and completeness by as many users as part of the main source tree would be. Additionally, this wastes time by forcing users to reinvent the wheel of user management rather than adding new features to the OS.

> On first sight, an additional option "remove from group" to usermod(8)
> might not hurt much.  As a second thought, how would you call it? -g
> and -G are already occupied; yet it is important for learners to
> have option names as few and as mnemonic as possible, and please let's
> not get into --remove-from-group.  As a third thought, what might be
> the next special case that somebody could come up with for plausible
> reasons?  And finally, once you add an option, you have to live with
> it for good, as somebody will certainly rely on it.

The idea that a feature should not be added because we do not have a handy and simple mnemonic for it is absurd. We should consider the inclusion of a feature on the basis of its usefulness and the number of users who would benefit. Also, making a feature part of the main source tree allows the usage and behavior to be standardized. Even if the perfect mnemonic is already taken, as long as the interface is standardized and sane it will still be usable.



Elio Grieco