[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: stripped OpebBSD and a bit philosophy.

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: stripped OpebBSD and a bit philosophy.
From: Jeff Bachtel <sebastion_(_at_)_irelandmail_(_dot_)_com>
Date: Sun, 25 Mar 2001 19:07:35 -0600

I would be interested in a list of known risks of having Apache
installed, but not running on your system. IIRC, the suexec binary is
not suid in the default install, so that leaves basically jack shit
that can be done with it.

Likewise bind. Sendmail does have a suid binary, I believe.

If all of the nifty useful daemons installed on a default OpenBSD
system were active, then yes having a stripped version would have
merit. But they aren't, and the only merit in stripping them out is to
save space. And not a whole hell of a lot of space, at that.

The only part of a OpenBSD default install that even vaguely raises
flags with me is portmap, and I can certainly live with one daemon
that I might want to disable in rc.conf.

The biggest benefit of packaging subsystems isn't for a "Stripped
OpenBSD" (which really is kinda ridiculous), but for discrete
versioning and upgrade of daemons. This would be very nice, but rather
than spend time with regression testing, I'd personally like to see a
atalkd that doesn't panic the system, or an upgraded raidframe that
doesn't panic the system when asked to do Odd Shit.

I guess thats just silly, wanting a system that works perfectly,
rather than a system from which imperfect parts can be removed
quickly.

jeff

> > Because OpenBSD is not a firewall. It's an operation system and everyone will
> > complain about missing DNS support or http support if it is not available in
> > the default install. 
> 
> I beg to differ. Anyone wanting a bloated OS uses something like most linux
> distris or freebsd. 
> 
> > It's not a great deal to do a "rm -f /usr/sbin/httpd [...]" after install,
> 
> That doesn't remove apache completely.
> 
> > but it is a BIG deal to maintain a package system or package selection in the
> > installer.
> 
> pkg_add /mnt/2.8/i386/apache.tgz after installation is a big deal???
> 
> > "Add it if you need it" is consultant voodo, 
> 
> No. This is called "secure by default".
> 
> 
> -- 
> Henning Brauer     | BS Web Services
> Hostmaster BSWS    | Roedingsmarkt 14
> hostmaster_(_at_)_bsws_(_dot_)_de | 20459 Hamburg
> http://www.bsws.de | Germany

-- 
Jeff Bachtel  (NOC,CIS,TAMU)    http://www.cepheid.org/~jeff
				[finger jeff_(_at_)_cepheid_(_dot_)_org for PGP key]
                    (smoke makes debugging easy)

Follow-Ups:
- Re: stripped OpebBSD and a bit philosophy.
  - From: Henning Brauer

References:
- RE: stripped OpebBSD and a bit philosophy.
  - From: Thomas Ammitzbøll-Bach
- Re: stripped OpebBSD and a bit philosophy.
  - From: Henning Brauer

Prev by Date: Firewall - ipf command
Next by Date: make build of -stable dies in usr.sbin/httpd
Previous by thread: Re: stripped OpebBSD and a bit philosophy.
Next by thread: Re: stripped OpebBSD and a bit philosophy.
Index(es):
- Date
- Thread

Visit your host, monkey.org