OpenBSD 4.8 Released

Mortimer.CA writes "The release of OpenBSD 4.8 has been announced. Highlights include ACPI suspend/resume, better hardware support, OpenBGPD/OpenOSPFD/routing daemon improvements, inclusion of OpenSSH 5.5, etc. Nothing revolutionary, just the usual steady improving of the system. A detailed ChangeLog is available, as usual. Work, of course, has already started on the next release, which should be ready in May, according to the steady six-month release cycle."

Re:fdisk

[ashkar]

Their targeted users have no problem with the installation. If you aren't comfortable with the installation tools, you probably wouldn't be comfortable with OpenBSD. A pretty installation method is looking for a solution to a problem that doesn't exist.

OSNews? Thom Holwerda? Seriously?

[Anonymous Coward]

You're taking some random blog article linked to by Thom Holwerda at OSNews seriously? Those are your three strikes, and you're out, my friend.

Look, the OpenBSD team knows exactly what they're doing. They're some of the brightest minds in the field. They have many years of experience with real-world security. They've been around long enough to know that there are something things that sound totally fantastic in theory, but in practice they're a complete failure.

Many advanced security approaches fall directly into this theoretically-great-but-actually-quite-shitty category. They end up being difficult to implement, and end up being full of security flaws and other holes. They end up causing the very things they're supposed to avoid! Thankfully, the OpenBSD developers know this, and smartly stick with a model that's been proven successful over the couse of 40 years.

Re:fdisk

[Anonymous Coward]

I've only installed OpenBSD twice, both successfully, but their fdsik version was very nice.

Different from Microsoft and Linux fdisk programs? Yes! Because you're not running/installing neither Windows nor Linux. Neither of these are identical systems.

The OpenBSD fdisk is quite possibly better, and without a doubt far better documented, and not just in the excellent up to date man pages but also in official faq's and installation procedures available on the OpenBSD webpages. Stuff one should read.

Who would read/read on Microsoft information when installing Linux?
Who would read/rely on Solaris information when installing Windows?
Who would read/rely on Linux information when installing OpenBSD?

If you're having trouble with OpenBSD fdisk or more likely OpenBSD installation peculiarities and requirements that other operating systems either don't have or gloss over then I would recommend reading the OpenBSD documentation, it's all there, yes the issues that can trap someone entirely new too, usually even emphasized.

A Windows poweruser or superuser can be and often is a total newbie on Linux.
A Linux poweruser or superuser can be and often is a total newbie on OpenBSD.

Don't assume different things to be the same.

Re:fdisk

[tenco]

I just think it's ridicolous that I have to compute partition/disklabel sizes in sectors myself while sitting at a computer. I own a computer because it can compute for me not because I want to compute for it.

Re:OSNews? Thom Holwerda? Seriously?

[machine321]

The point of the article is that while the base system may indeed be very secure, it is practically useless.

1998 called, they want their rationalization back. Besides, just about everyone turns off SELinux when they want to actually get work done.

Is lighttpd any more secure on OpenBSD than on Linux? No.

Good thing they have an audited, privsep, chrooted version of Apache, then.

With SELinux, you need not only a local privilege escalation, but a hole in SELinux as well.

Bullshit. [grok.org.uk]

I would argue that OpenBSD may be secure by design, but SELinux is, in practice, more secure.

Adding complexity rarely increases reliability.

I would be absolutely ecstatic if OpenBSD implemented something more like SELinux in terms of privilege separation.

The Stephanie project worked towards doing just that, but it appears the project died several years ago.

Re:OSNews? Thom Holwerda? Seriously?

[yup2000]

I agree and that's why I use it for internet facing machines I don't want have to worry about!
Just look at the 4.7 release. There were 7 patches for the kernel & userland 2 of which were categorized as security. The best someone attacking the system could do is cause a daemon to crash or possibly cause a panic. During the same 6 month time frame linux quite a few more security issues crop up including one that could be used to get root on a box. ouch.

Re:OSNews? Thom Holwerda? Seriously?

[DiegoBravo]

I'm not trying to be rude, but you lost me at your first mention of SELinux.

Re:Have they decided to implement security yet?

[DiegoBravo]

From the article, about a "secure operating system":

> Generally, this would be taken to mean an operating system that was designed with security in mind, and provides various methods and tools to implement security polices and limits on the system.

Sadly most naive users still believe that security is about setting fine grained permissions, roles, resources and tagging system objects in general. In practice 1) security exploits simply bypass or reconfigure such validations or policies for their own purpose, and 2) getting a really good "fine grained" configuration and reconfiguration is pretty difficult, time consuming, and prone to error (i.e. to increase the vulnerability.)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:OSNews? Thom Holwerda? Seriously?

[metrix007]

Thanks, I found the mitre one pretty useful.

Most look like early DoS attacks, I would hope they have sorted that out now, and there doesn't seem to have been one since 2006. As for the rest, well SELinux runs in the kernel, so with the right kernel vulnerability yeah it can be bypassed. Considering most vulnerabilities are not kernel level but userspace....I'll gladly take that extra protection, of which no equivalent is offered on OpenBSD.

Re:OSNews? Thom Holwerda? Seriously?

[jimicus]

If you take a wider view, what you're describing is typical of the worst of F/OSS development attitudes across all platforms - OpenBSD is by no means unique. Many projects have taken active steps to curb such responses (such as introducing codes of conduct on mailing lists), but many haven't.

What generally happens is:

• Someone mentions on a developers' mailing list a perceived weakness of the product. They may word it perfectly politely, they may ask if there's a reason for this perceived weakness they may have missed - but ATEOTD they're still drawing that weakness to the developers' attention.
• That person gets enough flaming to toast a small buffalo - regardless of how politely the thread started. If questioned, those doing the flaming justify it by saying things like "We believe in communicating in the quickest, most direct way possible. That means we have to tell the poster he's an ignorant f*ckwit who obviously doesn't realise that what he's asking for is totally unrealistic/unnecessary/both". (The fact that every other product already has this "unrealistic" feature is ignored)
• The original poster gets the hint, and uses an alternative product. Who wants to deal with people like that if it should prove necessary further down the line? The thread eventually dies naturally and everyone forgets about it. This process may repeat itself a few times.
• Some time later - maybe months or even years a new patch is introduced. This patch adds support for the feature which was originally discussed and led to the flamewar, and the feature will be trumpeted loudly from the rooftops in the next set of release notes.

Re:Have they decided to implement security yet?

[TheRaven64]

And there's a very good example of this. Windows NT has had fine-grained ACLs on every single kernel object (not just files - mutexes, sockets, processes - everything that the kernel is responsible for) since its creation. Until relatively recently, UNIX systems had a very coarse-grained security system; use/group/all permissions on files, no permissions on anything that wasn't a file (although a lot of things are in UNIX), one magic user that can bypass everything. Guess which one had more vulnerabilities.

To make matters more interesting, compare the Windows NT kernel with a Linux kernel - for pretty much any time period you pick, the NT kernel will have fewer security advisories. Nothing is bypassing these fancy security mechanisms, they're just not being used. In a lot of cases, Windows users were running as the highest-privileged used and running their apps with this privilege, in spite of the fact that the kernel supports much better policies.

A door is only a security mechanism if you remember (and understand how) to close and lock it.

Re:fdisk

[Anonymous Coward]

Are those decimal (1,000,000) or binary (1,048,576) megabytes?

Re:OSNews? Thom Holwerda? Seriously?

[Cyberax]

"1998 called, they want their rationalization back. Besides, just about everyone turns off SELinux when they want to actually get work done."

Fortunately, we have alternatives to SELinux. Personally, I use AppArmor.