Have they decided to implement security yet? (Score:-1, Flamebait)
Or do they still arrogantly dismiss proper access control models without understanding them [osnews.com]?
OSNews? Thom Holwerda? Seriously? (Score:4, Insightful)
You're taking some random blog article linked to by Thom Holwerda at OSNews seriously? Those are your three strikes, and you're out, my friend.
Look, the OpenBSD team knows exactly what they're doing. They're some of the brightest minds in the field. They have many years of experience with real-world security. They've been around long enough to know that there are some things that sound totally fantastic in theory, but in practice they're a complete failure.
Many advanced security approaches fall directl
Re:OSNews? Thom Holwerda? Seriously? (Score:3, Interesting)
Insightful? Really?
The point of the article is that while the base system may indeed be very secure, it is practically useless. When needing to perform real world functions, the ironclad security of the base install is not all that useful. It's true that providing a good base on which to build your platform is important, however it's not nearly as important as one might think.
For example, if you need to build a web server, you might pick OpenBSD because of its "secure-by-default" mantra. But what does that really buy you? You still need to run web server software, which is going to be the vector for any attack. Is lighttpd any more secure on OpenBSD than on Linux? No. All you get with OpenBSD is that it's far less likely that there will be a local security exploit to chain with the lighttpd remote exploit. But with SELinux, you can get an even higher level of security. With SELinux, you need not only a local privilege escalation, but a hole in SELinux as well.
I would argue that OpenBSD may be secure by design, but SELinux is, in practice, more secure.
I would be absolutely ecstatic if OpenBSD implemented something more like SELinux in terms of privilege separation.
Re: (Score:1, Funny)
Re:OSNews? Thom Holwerda? Seriously? (Score:5, Insightful)
The point of the article is that while the base system may indeed be very secure, it is practically useless.
1998 called, they want their rationalization back. Besides, just about everyone turns off SELinux when they want to actually get work done.
Is lighttpd any more secure on OpenBSD than on Linux? No.
Good thing they have an audited, privsep, chrooted version of Apache, then.
With SELinux, you need not only a local privilege escalation, but a hole in SELinux as well.
Bullshit. [grok.org.uk]
I would argue that OpenBSD may be secure by design, but SELinux is, in practice, more secure.
Adding complexity rarely increases reliability.
I would be absolutely ecstatic if OpenBSD implemented something more like SELinux in terms of privilege separation.
The Stephanie project worked towards doing just that, but it appears the project died several years ago.
Re: (Score:2, Insightful)
I'm not trying to be rude, but you lost me at your first mention of SELinux.
Re:OSNews? Thom Holwerda? Seriously? (Score:4, Informative)
Sorry man, that's not a highlight. It's a link.
I, uhm... think you may have missed out a bit on the Internet. Here, I'll give you a link to start with: http://www.bing.com/ [bing.com] -- happy binge!
Besides, the mentioned "bullshit" was half way into his post. If you just read the first few words, I think he's happy.
Re: (Score:2)
In most browsers, with most configurations, the link shows bright blue. I saw the post, saw the bright blue "Bullshit", and decided it wasn't worth reading the rest unless he decided to be more civil.
Re: (Score:2, Troll)
"bullshit" is rude? Really? Maybe you should avoid the internet, or indeed any grown up environment.
No, "bullshit" is rude.
It's not as rude as "shut your fucking mouth before I rip out your throat and shit over your tonsils, you moronic cunt" but then again it's not exactly "I'm really sorry, but I'm afraid I beg to differ, and can provide reasoned backup for my argument."
I doubt you'd say "bullshit" to your boss or granny if you disagreed with them.
Re: (Score:1)
“There is no other way of guarding oneself against flattery than by letting men understand that they will not offend you by speaking the truth; but when everyone can tell you the truth, you lose their respect.” Niccolo Machiavelli
Bullshit is bullshit is bullshit.
The question is whether the link was bullshit or whether the parent post was bullshit.
Re: (Score:3, Insightful)
"1998 called, they want their rationalization back. Besides, just about everyone turns off SELinux when they want to actually get work done."
Fortunately, we have alternatives to SELinux. Personally, I use AppArmor.
Re: (Score:3, Interesting)
You're forgetting the difficulty of a successful exploit in the first place. OpenBSD was the first OS to implement ASLR, for example (http://en.wikipedia.org/wiki/ASLR). Linux only has fairly weak ASLR built in. There are a few other differences. Yes, the value of things like SELinux or AppArmor is considerable, and it would be great if OpenBSD implemented such a sandboxing capability, but your argument that the security of the OS itself isn't also very important is incorrect.
Re: (Score:2)
But with SELinux, you can get an even higher level of security. With SELinux, you need not only a local privilege escalation, but a hole in SELinux as well.
It's not like a hole in SELinux is uncommon, unfortunately. Linux and GNU make for a very good base operating system, but so does BSD. Right off the bat, BSD has the advantage of being a coherent system with amazing documentation. Linux seems to be compatible with more hardware, and many people are more comfortable with the GNU userland. BSD arguably has better licensing terms (depending on your perspective). So each has its advantages and disadvantages, but SELinux I would not even bother listing as a
Re: (Score:1)
Can you find me an example of a hole in SELinux? Even one? I don't mean a flaw in policy affecting some distros, but an actual flaw in the subsystem?
Re: (Score:2)
Can you find me an example of a hole in SELinux? Even one? I don't mean a flaw in policy affecting some distros, but an actual flaw in the subsystem?
http://linux.slashdot.org/story/10/09/20/0217204/Linux-Kernel-Exploit-Busily-Rooting-64-Bit-Machines?from=rss [slashdot.org]
Re: (Score:1)
Yeah, that's not a flaw in SELinux. Nice try though.
Re: (Score:2)
Can you find me an example of a hole in SELinux? Even one? I don't mean a flaw in policy affecting some distros, but an actual flaw in the subsystem?
Yes, I accept your challenge. Here is some light reading for you.
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=selinux [mitre.org] - Obviously not all listed here are flaws in SELinux itself, but there are some.
http://www.zdnet.co.uk/news/security-threats/2009/07/20/linux-exploit-gets-around-security-barrier-39688318/ [zdnet.co.uk]
So, while SELinux might be a good single layer of security (when it works), it certainly isn't impenetrable and should definitely not be viewed as the most important layer of any multi-layered s
Re: (Score:2, Insightful)
Thanks, I found the mitre one pretty useful.
Most look like early DoS attacks, I would hope they have sorted that out now, and there doesn't seem to have been one since 2006. As for the rest, well SELinux runs in the kernel, so with the right kernel vulnerability yeah it can be bypassed. Considering most vulnerabilities are not kernel level but userspace... I'll gladly take that extra protection, of which no equivalent is offered on OpenBSD.
Re: (Score:2)
Too lazy to look it up, but there have been two widely publicised flaws in the null pointer checking part of SELinux in the past year. Both led to privilege-elevation-to-kernel-mode exploits that only worked if you had SELinux.
That's rather the point of OpenBSD's rejection of SELinux. It is a huge chunk of complex code and it runs in ring 0. It increases the attack surface considerably, and unless you spend a lot of time configuring it, provides little actual benefit.
If you want to take issue with Op
Re: (Score:2)
I can't remember his name. Mult is a system like FreeBSD jails, but with full support for recursion and resource limits from the start. It's a very clean system for sandboxing, which would have been a good fit for OpenBSD, but flames from some of the core developers on the mailing list pushed the author away.
Re:OSNews? Thom Holwerda? Seriously? (Score:5, Informative)
For example, if you need to build a web server, you might pick OpenBSD because of its "secure-by-default" mantra. But what does that really buy you? You still need to run web server software, which is going to be the vector for any attack.
The OpenBSD base system includes a version of Apache that has been heavily audited (fixing a lot of bugs that didn't seem to get fixed in the main branch until years later - look for 'does not affect OpenBSD' in security advisory notes) and runs in chroot by default.
Is lighttpd any more secure on OpenBSD than on Linux? No
As I recall, lighttpd runs in a chroot by default on OpenBSD, but I could be wrong. On top of this, it has (probably not a full list, just the things I remember):
Address space randomisation, making return-to-libc attacks harder. Linux now includes a weaker version of this.
OpenBSD's malloc() has an aggressive policy about returning memory to the kernel, which trades some performance for making it much harder to exploit use-after-free bugs.
The OpenBSD system compiler enables stack canaries by default and they are enabled for all OpenBSD packages, making stack-smashing attacks basically impossible.
W^X policy means that you can't map a page as both writable and executable at the same time. This is implemented even on x86, where it requires some convoluted stuff with segmentation because there is no native support in the page tables. This makes anything with a JIT compiler marginally harder to write and makes arbitrary code execution holes much harder. Linux can enforce something like this only on newer systems that have support for the NX bit in page tables.
The network stack uses strong random numbers for a lot of TCP/IP header fields, making things like connection hijacking or SYN flood attacks harder (you said you were running a networked app, right?).
And the best thing? You don't need to configure or even understand any of these for them to work. That's what 'secure by default' means - no faffing with SELinux configuration, no optional security measures that people turn off because they're too hard to get right.
I would argue that OpenBSD may be secure by design, but SELinux is, in practice, more secure.
In practice, SELinux is usually disabled. In the few places it is enabled, it makes the attack surface larger and has led to exploitable bugs that are not present in Linux-without-SELinux.
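The W^X point in this post, as an added example that is not from the thread or from OpenBSD: a C probe for whether the platform refuses a writable-and-executable mapping, beside the write-then-protect pattern a JIT has to use where W^X is enforced. It assumes a POSIX system with mmap/mprotect; the stub bytes are a constructed "return 42" for x86-64 and AArch64 only.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Probe the mapping W^X exists to refuse: one anonymous page that is
 * writable and executable at once. Returns 1 if the kernel allowed it,
 * 0 if it refused (OpenBSD's default; also Linux under an SELinux
 * policy that denies execmem). */
int rwx_mapping_allowed(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, len);
    return 1;
}

/* The W^X-compatible JIT pattern: fill the page while it is RW, then
 * flip it to RX before jumping in, so it is never W and X at once.
 * Returns 42 from the constructed stub, or -1 on another architecture
 * or a mapping failure. */
int jit_return_42(void)
{
#if defined(__x86_64__)
    static const unsigned char code[] = { 0xb8, 0x2a, 0, 0, 0, 0xc3 }; /* mov eax,42; ret */
#elif defined(__aarch64__)
    static const unsigned char code[] = { 0x40, 0x05, 0x80, 0x52,     /* mov w0,#42 */
                                          0xc0, 0x03, 0x5f, 0xd6 };   /* ret */
#else
    static const unsigned char code[1] = { 0 }; /* no stub for this CPU */
    return -1;
#endif
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memcpy(p, code, sizeof code);
    __builtin___clear_cache((char *)p, (char *)p + sizeof code);
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) { /* drop W, gain X */
        munmap(p, len);
        return -1;
    }
    int (*fn)(void);
    memcpy(&fn, &p, sizeof fn); /* object-to-function pointer without a pedantic cast */
    int r = fn();
    munmap(p, len);
    return r;
}

int main(void)
{
    printf("RWX anonymous mapping allowed: %s\n",
           rwx_mapping_allowed() ? "yes" : "no (W^X enforced)");
    printf("RW-then-RX stub returned: %d\n", jit_return_42());
    return 0;
}
```

On a stock Linux box the first line prints "yes"; on a default OpenBSD install it prints "no", and the second line is 42 on both because the stub never needs W and X together.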
Re: (Score:2)
For example, if you need to build a web server, you might pick OpenBSD because of its "secure-by-default" mantra. But what does that really buy you? You still need to run web server software, which is going to be the vector for any attack.
A security audited version of Apache, inside a chroot jail [openbsd.org], is part of the standard install [openbsd.org].
Please check your facts before posting. You'll avoid sounding like a trolling fanboi.
Re: (Score:2)
Yeah, and then I mentioned a different web server. Maybe I don't want to run ancient software.
And to avoid that internet-age-old ad-hominem 'troll' attack, I realize that Apache 1.3 was only recently EOL'd by Apache, but development on it effectively ceased long ago. Which is why I referenced a more modern web server, though you conveniently declined to quote that portion of my post.