Installation changes

[6502]

I have 2 questions or recommendations about FreeBSD installer:

1) Why default Home directory permissions are 755 and not 700 or 710? With current default permissions every user can see and read files of other users.

2) Why installer does not include activation/installation of firewall? It can be at final step (or in network settings) and disabled/unchecked by default.

 

[SirDice]

1) It's your job as sysadmin to change it if you need too.
2) Again, it's your job as a sysadmin to enable one of the firewalls and configure it correctly.

The installer does nothing more than install a basic system that's workable for most people. It's up to you if you want things differently. You could create a custom install script for example, see bsdinstall(8).

 

[6502]

1) IMHO it is better to have increased security by default and change it to more "liberal" if necessary.

2) I agree that sysadmin can enable firewall but I guess that most installations have firewall (i.e. activation is question of time, usually one of first steps after install). Some options which currently exist can also be missing and modified by sysadmin after installation.

 

[SirDice]

Well, if you want to suggest changes I suggest you do so on the mailing lists. There are very few developers here on the forums. The forum's main purpose is to provide user support by other users.

Note that this is a general user and administrator forum, where the community aims to assist those who want to install, run, or upgrade FreeBSD as-is. Discussions about what FreeBSD needs to be, or needs to add, or needs to lose, are pointless on the forums. We do not maintain the operating system here.

 

[cracauer@]

Firewall shouldn't be needed on a system that runs no TCP or UDP services yet.

I guess the mail agent is the only nagging point here.

 

[mer]

Firewalls always seem to be a point of contention. "I'm running a workstation that is not serving anything, do I need to run a firewall?" 4 out of 5 people say yes you should and 4 out of 5 people say don't bother. I'm in the "I run a firewall on a workstation in default deny in, default allow out" simply to make it a little harder, while recognizing it takes resources.

I think not installing/activating one by default is a good thing because the installer doesn't know if you want to run ipfw or pf. So leave that to you.

Home directory permissions: my opinion only an issue for a single workstation used by multiple people. If I'm the only one to use it, who cares if root can read my user files.

 

[Phishfry]

Why installer does not include activation/installation of firewall?

Actually 3 firewalls are installed. Does FreeBSD now have a prefered firewall?
Who would chose what the default firewall is?

What about networks with a central firewall. Clients don't need a firewall in that arrangement.

 

[Erichans]

1) Why default Home directory permissions are 755 and not 700 or 710? With current default permissions every user can see and read files of other users.

I suspect that has something to do with the expected trust and cooperation between users when UNIX was developed. However, if so desired a sysadmin can use adduser -C to generate a adduser.conf(5) with customised standard settings for Home directory permissions.

Note: the entry defaultHomePerm generated for Home directory permissions in /etc/adduser.conf is strangely not listed in adduser.conf(5)

 

[Alain De Vos]

chmod 700 /usr/home/*
chmod 700  /root