From mwlucas@blackhelicopters.org  Wed Aug 29 14:06:43 2001
Return-Path: <mwlucas@blackhelicopters.org>
Received: from blackhelicopters.org (geburah.blackhelicopters.org [209.69.178.18])
	by hub.freebsd.org (Postfix) with ESMTP id 77C9E37B406
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 29 Aug 2001 14:06:43 -0700 (PDT)
	(envelope-from mwlucas@blackhelicopters.org)
Received: (from mwlucas@localhost)
	by blackhelicopters.org (8.9.3/8.9.3) id RAA04371;
	Wed, 29 Aug 2001 17:06:42 -0400 (EDT)
	(envelope-from mwlucas)
Message-Id: <200108292106.RAA04371@blackhelicopters.org>
Date: Wed, 29 Aug 2001 17:06:42 -0400 (EDT)
From: mwlucas@blackhelicopters.org
Reply-To: mwlucas@blackhelicopters.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: description of security profiles in FAQ is just plain wrong
X-Send-Pr-Version: 3.2

>Number:         30203
>Category:       docs
>Synopsis:       description of security profiles in FAQ is just plain wrong
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 29 14:10:07 PDT 2001
>Closed-Date:    Fri Aug 31 09:24:54 PDT 2001
>Last-Modified:  Fri Aug 31 09:30:00 PDT 2001
>Originator:     Michael Lucas
>Release:        FreeBSD 3.5-STABLE i386
>Organization:
None
>Environment:

current -doc tree

>Description:

Robert Watson recently took an axe to the security profiles available
in sysinstall.  There are now only two profiles available, moderate &
extreme.

This is my first -doc patch prepared entirely from reading actual
source code, instead of from reading mailing lists.  As such, I'm
fully prepared to be told that I'm wrong.

I've also cleaned up a couple of sentences and corrected some grammar.
While I might be wrong on source code, I do know that using both a
colon and a semicolon in one sentence is ugly.

>How-To-Repeat:

read the source of sysinstall

>Fix:

*** book.sgml-dist	Wed Aug 29 13:19:01 2001
--- book.sgml	Wed Aug 29 13:44:25 2001
***************
*** 2175,2229 ****
          </question>
  
          <answer>
!           <para>A <quote>security profile</quote> is a set of configuration
!             options that attempts to achieve the desired ratio of security
!             to convenience by enabling and disabling certain programs and
!             other settings.  The more severe the security profile, the less
!             programs will be enabled by default; this is one of the basic
!             principles of security: do not run anything except what you
!             must.</para>
! 
!           <para>Please note that the security profile is just a default
!             setting.  All programs can be enabled and disabled after you have
!             installed FreeBSD by editing or adding the appropriate line(s)
!             to <filename>/etc/rc.conf</filename>.  For more information on
!             the latter, please see the &man.rc.conf.5; manual page.</para>
! 
!           <para>Following is a table that describes what each security
!             profile does.  The columns are the choices you have for a
!             security profile, and the rows are the program or feature that
!             is enabled or disabled.</para>
  
            <table>
              <title>Possible security profiles</title>
  
!              <tgroup cols=5>
                 <thead>
                   <row>
                     <entry></entry>
  
                     <entry>Extreme</entry>
  
-                    <entry>High</entry>
- 
                     <entry>Moderate</entry>
  
-                    <entry>Low</entry>
                   </row>
                 </thead>
  
                 <tbody>
-                  <row>
-                    <entry>&man.inetd.8;</entry>
- 
-                    <entry>NO</entry>
- 
-                    <entry>NO</entry>
- 
-                    <entry>YES</entry>
- 
-                    <entry>YES</entry>
-                  </row>
  
                   <row>
                     <entry>&man.sendmail.8;</entry>
--- 2175,2216 ----
          </question>
  
          <answer>
!           <para>A <quote>security profile</quote> is a set of
!             configuration options that attempts to achieve the desired
!             ratio of security to convenience by enabling and disabling
!             certain programs and other settings.  The more severe the
!             security profile, the fewer programs will be enabled by
!             default.  This is one of the basic principles of security:
!             do not run anything except what you must.</para>
! 
!           <para>Please note that the security profile is just a
!             default setting.  All programs can be enabled or disabled
!             after you have installed FreeBSD by editing or adding the
!             appropriate line(s) to <filename>/etc/rc.conf</filename>.
!             For more information, please see the &man.rc.conf.5;
!             manual page.</para>
! 
!           <para>Following is a table that describes what each of the
!             security profiles does.  The columns are the choices you
!             have for a security profile, and the rows are the program
!             or feature that the profile enables or disables.</para>
  
            <table>
              <title>Possible security profiles</title>
  
!              <tgroup cols=3>
                 <thead>
                   <row>
                     <entry></entry>
  
                     <entry>Extreme</entry>
  
                     <entry>Moderate</entry>
  
                   </row>
                 </thead>
  
                 <tbody>
  
                   <row>
                     <entry>&man.sendmail.8;</entry>
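
Review bot: nearly every line of the answer is marked `!` although only a handful of words actually change (`less` to `fewer`, the semicolon to a full stop, `and disabled` to `or disabled`, `on the latter` dropped); re-flowing the paragraphs hides the real edits, so leave the untouched lines alone and mark only the lines that differ, even if that leaves a line short or long. The `cols=5` to `cols=3` update matches the two headings that remain, but removing `<entry>High</entry>` and `<entry>Low</entry>` leaves a blank line directly before `</row>` in the header row, which no other row has. Deleting the whole `&man.inetd.8;` row is not covered by the description, which only says the High and Low profiles are gone; either state that inetd is no longer controlled by a profile, or keep the row with its Extreme (NO) and Moderate (YES) values.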
***************
*** 2232,2240 ****
  
                     <entry>YES</entry>
  
-                    <entry>YES</entry>
- 
-                    <entry>YES</entry>
                   </row>
  
                   <row>
--- 2219,2224 ----
***************
*** 2244,2252 ****
  
                     <entry>YES</entry>
  
-                    <entry>YES</entry>
- 
-                    <entry>YES</entry>
                   </row>
  
                   <row>
--- 2228,2233 ----
***************
*** 2254,2261 ****
  
                     <entry>NO</entry>
  
-                    <entry>NO</entry>
- 
  		<entry>MAYBE <footnote>
  		    <para>The portmapper is enabled if the machine has been
  		      configured as an NFS client or server earlier in the
--- 2235,2240 ----
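
Review bot: this row keeps the first NO (Extreme) and drops the second one (High) ahead of the MAYBE entry, which is the right pair for a two-column table. The `<entry>MAYBE <footnote>` block is indented with tabs while every other entry uses spaces; that inconsistency predates the patch, but since the row is being touched anyway it could be normalised here.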
***************
*** 2263,2269 ****
  		  </footnote>
  		</entry>
  
-                    <entry>YES</entry>
                   </row>
  
                   <row>
--- 2242,2247 ----
***************
*** 2271,2281 ****
  
                     <entry>NO</entry>
  
-                    <entry>NO</entry>
- 
                     <entry>YES</entry>
  
-                    <entry>YES</entry>
                   </row>
  
                   <row>
--- 2249,2256 ----
***************
*** 2291,2315 ****
  		      </footnote>
  		      </entry>
  
-                    <entry>YES (1)</entry>
- 
                     <entry>NO</entry>
  
-                    <entry>NO</entry>
                   </row>
                 </tbody>
               </tgroup>
             </table>
  
               <warning>
!                <para>The security profile is not a silver bullet!  Setting
!                  it high does not mean you do not have to keep up with security
!                  issues by reading an appropriate <ulink
                   url="../handbook/eresources.html#ERESOURCES-MAIL">mailing
!                  list</ulink>, using good passwords and passphrases, and
!                  generally adhering to good security practices.  It simply
!                  sets up the desired security to convenience ratio out of
!                  the box.</para>
               </warning>
  
               <note>
--- 2266,2288 ----
  		      </footnote>
  		      </entry>
  
                     <entry>NO</entry>
  
                   </row>
                 </tbody>
               </tgroup>
             </table>
  
               <warning>
!                <para>The security profile is not a silver bullet!
!                  Even the extreme setting does not mean you do not
!                  have to keep up with security issues by reading an
!                  appropriate <ulink
                   url="../handbook/eresources.html#ERESOURCES-MAIL">mailing
!                  list</ulink>, using good passwords and passphrases,
!                  and generally adhering to good security practices.
!                  It simply sets up the desired security to convenience
!                  ratio out of the box.</para>
               </warning>
  
               <note>
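
Review bot: the new warning text "Even the extreme setting does not mean you do not have to keep up with security issues" stacks two negatives and is hard to parse; a positive phrasing such as "Even with the extreme setting you still need to keep up with security issues" says the same thing. The change itself is needed, since "Setting it high" referred to the High profile that this patch removes. In the table row above, removing `YES (1)` and the final `NO` again leaves a blank line between the surviving `<entry>NO</entry>` and `</row>`; the "(1)" on the removed entry also looks like a footnote marker, so check that no footnote text is left without a reference.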
>Release-Note:
>Audit-Trail:

From: Dima Dorfman <dima@unixfreak.org>
To: mwlucas@blackhelicopters.org
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: docs/30203: description of security profiles in FAQ is just plain wrong 
Date: Thu, 30 Aug 2001 03:00:25 -0700

 mwlucas@blackhelicopters.org wrote:
 > >Fix:
 > 
 > *** book.sgml-dist	Wed Aug 29 13:19:01 2001
 > --- book.sgml	Wed Aug 29 13:44:25 2001
 > ***************
 > *** 2175,2229 ****
 >           </question>
 >   
 >           <answer>
 > !           <para>A <quote>security profile</quote> is a set of configuration
 > !             options that attempts to achieve the desired ratio of security
 > !             to convenience by enabling and disabling certain programs and
 > !             other settings.  The more severe the security profile, the less
 > !             programs will be enabled by default; this is one of the basic
 > !             principles of security: do not run anything except what you
 > !             must.</para>
 
 Why did all these lines get replaced?  I can't tell what you changed
 except for the last sentence.  Please try to minimize the amount of
 lines changed to make reviewers' and translators' lives easier.  It's
 okay if the resulting paragraph isn't filled (e.g., some lines are too
 short, some overly long)--whoever commits it can fill it for you.
 
 The same applies to some of the other paragraphs.  Other than that and
 a few minor markup nits, this looks pretty good.  However, please
 submit the updated version (fixing the problem my previous paragraph
 describes) as a unified diff; that'd make it easier to read.
 
 Thanks.

From: Michael Lucas <mwlucas@blackhelicopters.org>
To: Dima Dorfman <dima@unixfreak.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: docs/30203: description of security profiles in FAQ is just plain wrong
Date: Thu, 30 Aug 2001 18:22:46 -0400

 --lrZ03NoBR/3+SXJZ
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 On Thu, Aug 30, 2001 at 03:00:25AM -0700, Dima Dorfman wrote:
 > Why did all these lines get replaced?
 
 Because my fingers are trained to automatically type esc-Q.  :)
 
 Is this more like it?
 
 -- 
 Michael Lucas
 mwlucas@blackhelicopters.org
 http://www.blackhelicopters.org/~mwlucas/
 Big Scary Daemons: http://www.oreillynet.com/pub/q/Big_Scary_Daemons
 
 --lrZ03NoBR/3+SXJZ
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="secprof.2"
 
 --- book.sgml-dist	Thu Aug 30 11:10:07 2001
 +++ book.sgml-secprof	Thu Aug 30 11:10:03 2001
 @@ -2178,52 +2178,38 @@
            <para>A <quote>security profile</quote> is a set of configuration
              options that attempts to achieve the desired ratio of security
              to convenience by enabling and disabling certain programs and
 -            other settings.  The more severe the security profile, the less
 -            programs will be enabled by default; this is one of the basic
 -            principles of security: do not run anything except what you
 -            must.</para>
 +            other settings.  The more severe the security profile, the fewer
 +            programs will be enabled by
 +            default.  This is one of the basic principles of security:
 +            do not run anything except what you must.</para>
  
            <para>Please note that the security profile is just a default
              setting.  All programs can be enabled and disabled after you have
              installed FreeBSD by editing or adding the appropriate line(s)
 -            to <filename>/etc/rc.conf</filename>.  For more information on
 -            the latter, please see the &man.rc.conf.5; manual page.</para>
 +            to <filename>/etc/rc.conf</filename>.  For more information,
 +            please see the &man.rc.conf.5; manual page.</para>
  
 -          <para>Following is a table that describes what each security
 -            profile does.  The columns are the choices you have for a
 -            security profile, and the rows are the program or feature that
 -            is enabled or disabled.</para>
 +          <para>The following table describes what each of the
 +            security profiles does.  The columns are the choices you
 +            have for a security profile, and the rows are the program
 +            or feature that the profile enables or disables.</para>
  
            <table>
              <title>Possible security profiles</title>
  
 -             <tgroup cols=5>
 +             <tgroup cols=3>
                 <thead>
                   <row>
                     <entry></entry>
  
                     <entry>Extreme</entry>
  
 -                   <entry>High</entry>
 -
                     <entry>Moderate</entry>
  
 -                   <entry>Low</entry>
                   </row>
                 </thead>
  
                 <tbody>
 -                 <row>
 -                   <entry>&man.inetd.8;</entry>
 -
 -                   <entry>NO</entry>
 -
 -                   <entry>NO</entry>
 -
 -                   <entry>YES</entry>
 -
 -                   <entry>YES</entry>
 -                 </row>
  
                   <row>
                     <entry>&man.sendmail.8;</entry>
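
 Review bot: the changed lines now match what actually differs, which is much easier to review than the first version. Two whitespace points remain: with `<entry>Low</entry>` gone there is a blank line directly before `</row>` in the header row, and with the `&man.inetd.8;` row gone `<tbody>` is followed by a blank line before the next `<row>`; neither matches the surrounding markup. The replacement sentence "The following table describes what each of the security profiles does" is grammatically fine as written, since its subject is "each" and "does" agrees with it. As in the first version, dropping the entire inetd row goes beyond the two-profiles change the description gives; either justify it against sysinstall in the description or keep the row as a two-column row.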
 @@ -2232,9 +2218,6 @@
  
                     <entry>YES</entry>
  
 -                   <entry>YES</entry>
 -
 -                   <entry>YES</entry>
                   </row>
  
                   <row>
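
 Review bot: the row label `&man.sendmail.8;` sits at old line 2229 (the last context line of the previous hunk), so the `<entry>YES</entry>` kept at 2233 is the second value of the row, the High column, and the two removed entries are Moderate and Low. Assuming the Extreme value at 2231, outside the hunk, is also YES, the resulting row is unchanged, but the portmapper row below drops the second and fourth values, which is what keeps each column's meaning intact; following the same convention here would make the intent obvious and avoid a wrong column if a value in this row ever differs.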
 @@ -2244,9 +2227,6 @@
  
                     <entry>YES</entry>
  
 -                   <entry>YES</entry>
 -
 -                   <entry>YES</entry>
                   </row>
  
                   <row>
 @@ -2254,8 +2234,6 @@
  
                     <entry>NO</entry>
  
 -                   <entry>NO</entry>
 -
  		<entry>MAYBE <footnote>
  		    <para>The portmapper is enabled if the machine has been
  		      configured as an NFS client or server earlier in the
 @@ -2263,7 +2241,6 @@
  		  </footnote>
  		</entry>
  
 -                   <entry>YES</entry>
                   </row>
  
                   <row>
 @@ -2271,11 +2248,8 @@
  
                     <entry>NO</entry>
  
 -                   <entry>NO</entry>
 -
                     <entry>YES</entry>
  
 -                   <entry>YES</entry>
                   </row>
  
                   <row>
 @@ -2291,19 +2265,16 @@
  		      </footnote>
  		      </entry>
  
 -                   <entry>YES (1)</entry>
 -
                     <entry>NO</entry>
  
 -                   <entry>NO</entry>
                   </row>
                 </tbody>
               </tgroup>
             </table>
  
               <warning>
 -               <para>The security profile is not a silver bullet!  Setting
 -                 it high does not mean you do not have to keep up with security
 +               <para>The security profile is not a silver bullet!  Even if you use the
 +                 extreme setting, you need to keep up with security
                   issues by reading an appropriate <ulink
                   url="../handbook/eresources.html#ERESOURCES-MAIL">mailing
                   list</ulink>, using good passwords and passphrases, and
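
 Review bot: the reworded warning ("Even if you use the extreme setting, you need to keep up with security issues by reading ...") reads well and removes the dangling reference to the High profile; the list that follows still hangs off "by", so the sentence stays grammatical. In the table row above, the surviving `<entry>NO</entry>` is followed by a blank line and then `</row>`, the same extra-whitespace pattern as in the header row, and the removed `YES (1)` entry carried a marker that nothing in the row now repeats, so confirm the footnote it pointed to is still referenced.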
 @@ -2311,6 +2282,7 @@
                   sets up the desired security to convenience ratio out of
                   the box.</para>
               </warning>
 +
  
               <note>
                 <para>The security profile mechanism is meant to be used
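
 Review bot: the only change in this hunk is an added blank line after `</warning>`, which already has one below it, so the result is two consecutive empty lines; drop this hunk from the patch.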
 
 --lrZ03NoBR/3+SXJZ--
State-Changed-From-To: open->closed 
State-Changed-By: dd 
State-Changed-When: Fri Aug 31 09:24:54 PDT 2001 
State-Changed-Why:  
Patch committed, thanks! 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=30203 

From: Dima Dorfman <dima@unixfreak.org>
To: Michael Lucas <mwlucas@blackhelicopters.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: docs/30203: description of security profiles in FAQ is just plain wrong 
Date: Fri, 31 Aug 2001 09:24:50 -0700

 Michael Lucas <mwlucas@blackhelicopters.org> wrote:
 > On Thu, Aug 30, 2001 at 03:00:25AM -0700, Dima Dorfman wrote:
 > > Why did all these lines get replaced?
 > 
 > Because my fingers are trained to automatically type esc-Q.  :)
 > 
 > Is this more like it?
 
 Yes.  I've applied it after fixing a few minor nits:
 
 > --- book.sgml-dist	Thu Aug 30 11:10:07 2001
 > +++ book.sgml-secprof	Thu Aug 30 11:10:03 2001
 > @@ -2178,52 +2178,38 @@
 ...
 > -          <para>Following is a table that describes what each security
 > -            profile does.  The columns are the choices you have for a
 > -            security profile, and the rows are the program or feature that
 > -            is enabled or disabled.</para>
 > +          <para>The following table describes what each of the
 > +            security profiles does.  The columns are the choices you
 
 "...what each of the security profiles does".  The verb (does) doesn't
 agree in number with the subject (profiles).  Or something like
 that--you get the idea.  I'm not an English teacher, so I probably got
 the terms all wrong.  I changed 'does' to 'do'.
 
 >                   <row>
 >                     <entry></entry>
 >  
 >                     <entry>Extreme</entry>
 >  
 > -                   <entry>High</entry>
 > -
 >                     <entry>Moderate</entry>
 >  
 > -                   <entry>Low</entry>
 >                   </row>
 
 Excess vertical whitespace.  This ends up looking like:
 
 	<entry>Moderate</entry>
 
       </row>
 
 which is wrong.
 
 There are some more cases of this below, which I've also fixed before
 committing.
 
 Thanks!
>Unformatted:
