Tweak "system security profiles:

(1) Don't modify the configuration of the NFS server as a result of
    selecting a profile.  We already explicitly prompt for the NFS
    server configuration during install, and the user may not get
    much advance notice that we're turning it off again.  Instead,
    use profiles (for better or for worse) only for security tuning.

(2) Don't modify the sendmail setting as part of the security profile:
    use the default from /etc/defaults/rc.conf rather than explicitly
    specifying.  Note that the default in /etc/defaults/rc.conf is
    more conservative than the explicit rc.conf entry added by
    sysinstall during install, as it does not permit SMTP delivery.

(3) Update "congratulations on your profile" text to reflect these
    changes.

Note that security profiles now affect only the securelevel and sshd
settings.  My leaning would be to make sshd an explicit configuration
option, move securelevels to the security menu, and drop security
profiles entirely.  However, that requires more plumbing of sendmail
than I'm currently willing to invest.

We may want to add a "permit SMTP delivery" question to the install
process.

1 files changed, 4 insertions, 7 deletions

diff --git a/usr.sbin/sade/config.c b/usr.sbin/sade/config.c
index 5c6d12a270a4..b67e5aa6233a 100644
--- a/usr.sbin/sade/config.c
+++ b/usr.sbin/sade/config.c
@@ -564,16 +564,14 @@ configSecurityExtreme(dialogMenuItem *self)
 {
     WINDOW *w = savescr();
 
-    variable_set2("nfs_server_enable", "NO", 1);
-    variable_set2("sendmail_enable", "NO", 1);
     variable_set2("sshd_enable", "NO", 1);
     variable_set2("kern_securelevel_enable", "YES", 1);
     variable_set2("kern_securelevel", "2", 1);
 
     if (self)
 	msgConfirm("Extreme security settings have been selected.\n\n"
-	    "Sendmail, sshd, and NFS services have been disabled, and\n"
-	    "securelevels have been enabled.\n\n"
+	    "Sshd has been disabled, and kernel security levels have"
+	    "been enabled.\n\n"
 	    "PLEASE NOTE that this still does not save you from having\n"
 	    "to properly secure your system in other ways or exercise\n"
 	    "due diligence in your administration, this simply picks\n"
@@ -589,14 +587,13 @@ configSecurityModerate(dialogMenuItem *self)
 {
     WINDOW *w = savescr();
 
-    variable_set2("sendmail_enable", "YES", 1);
     variable_set2("sshd_enable", "YES", 1);
     variable_set2("kern_securelevel_enable", "NO", 1);
 
     if (self)
 	msgConfirm("Moderate security settings have been selected.\n\n"
-	    "Sendmail and sshd have been enabled, securelevels are\n"
-	    "disabled, and NFS server settings have been left intact.\n\n"
+	    "Sshd has been enabled and kernel securelevels are disabled;\n"
+	    "all other settings have been left intact.\n\n"
             "PLEASE NOTE that this still does not save you from having\n"
             "to properly secure your system in other ways or exercise\n"
             "due diligence in your administration, this simply picks\n"