Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
BSD Operating Systems

OpenBSD Interview: Strengths, Tradeoffs And Plans 161

Duke of URL writes: "Boardwatch interviewed OpenBSD contributor Louis Bertrand. It's an excellent article about OpenBSD's niche and mission. They discussed the continued code audit, OpenSSH, and future version plans, including SMP development, ports rework, and continued integration of IPv6. Journalist Jeffrey Carl does a good job of pointing out OpenBSD's strengths and tradeoffs."
This discussion has been archived. No new comments can be posted.

OpenBSD Interview: Strengths, Tradeoffs And Plans

Comments Filter:
  • by Anonymous Coward

    FreeBSD is in very deep trouble. And while FreeBSD is beset with its own internal strife. It is not the only BSD to be affected by this cancer.

    I read all of the T. Deraadt email thread when I first looked at OpenBSD, and my initial impression was that Theo had a real baaaaadddd attitude. I do know for a fact that a lot of the NetBSD folks were upset to see him leave and fork off his own version of the OS, and to lose him as a developer. But in reading his email he obviously has a problem with taking any criticism, and had no problem with jumping down someone's throat with a flamethrower and foul language. Denial, it's not just a river in Egypt...

    Not that I wouldn't use the OpenBSD or any operating system that met my technical needs, whatever the personality of the people involved. I've dealt with enough bad attitudes from commercial OS vendors in all my years in the industry to be able to deal with it if I had to. It just seems that BSD has an extra heaping helping of bad attitudes that make commercial vendors look like pikers.

    If you *really* read that email thread you would see the attitude loud and clear. "We do not think that it helps anything for you to tell someone he's a fu*khead when he's posting a message trying to help with the OS development." "FU*K YOU, *I* want control of the source and if you don't like it I'll fork my own off!"

    That's my impression of it. Theo sounded like an immature little upset kid to me. The development of any of the O.S. OS's is a group effort, and having one person think they have all the answers and have to be the one in control is dead wrong. So Theo now *has* control of his own fork of BSD, and lost the ability to maintain many of the various platform ports because he has no developers. Thus, the OpenBSD page says that for a VAX port, for instance, "support can be easily ported over from NetBSD". Why all these problems are so prevalent under FreeBSD/OpenBSD/NetBSD remains something of a mystery. These systems seem to be self selective in their attraction to weirdos and big egos.

    The split had nothing to do with the quality of his coding work but everything to do with his very nasty attitude towards people... and NOT just the people of NetBSD Core, but other people who were just civilians trying to help out, or looking for help. No wonder BSD is losing.

  • by Anonymous Coward
    I only use good ol' American software like Linux. Yeah, yeah, I know Linus was from Finland, but he's one of us now. Also, Alan Cox is a Brit and they want to be us so damn bad you can almost count him as an American too.
  • by Anonymous Coward
    By default, any other Unix out there cannot even connect to an OpenBSD box, b/c ssh isn't standard. FTP? HA! This is lack of funcionality.

    OpenBSD used to have telnetd and ftpd enabled by default. There is no security problem with that since the daemons have been audited. However, with the integration of OpenSSH, OpenBSD errs on the side of caution. There have been no known remote exploits for OpenBSD in the last few years. As administrator, enabling ftpd is rather easy, if that service is required. There is no real necessity for telnetd any longer.

    On the other hand, a friend just told me how his Linux machine got rooted in seconds after he started his ftpd. Maybe having a cable modem can be a problem.

    Additonally, ssh is a standard and already very popular. In the future, I expect to see the number of ssh users to grow even more. OpenSSH being free will help achieving that.

    OpenBSD is right on the point where security is considered.

  • by Anonymous Coward
    Given the number of Linux hacks posted to Bugtraq and floating around, I disagree. Ironicly, in some ways, it's not paranoid enough, but that's another matter and one more affiliated with religion than rationale.

    For the normal, competent user who has used BSD systems in the past, such as SunOS, and even a decently competent linux user who reads man pages, does a little research, and doesn't mind spending time (unlike you), OpenBSD is fun to work with. And you can do real work on it without worrying about reading bugtraq every evening.

    I don't know where you get off saying it's completely unworkable. SQL? Available without a single hitch. Netscape? Ditto. Samba? There. Drivers? There. USB? There. SCSI support? There. Linux emulation? There. POSIX compliance? Integrated soon. SSH? There and free.

    What they *hell* isn't there that you really use as a "normal" user?

    If OpenBSD goes overboard, what is underboard? Linux? FreeBSD? CERT is lame and even they have posted holes in the past year for both platforms. I CANNOT do work if I don't believe my data's integrity hasn't been compromised or remote user can scuttle my machine. If I want something usable for a normal user and insecure, I'd buy Windows.
  • W3C, what do they know bout the 'Web? Microsoft is the one that's innovatin' here.

    Speaking of which, you seen that commercial MS is running with Bill talking about how they will always "innovate?" Guess they are just now starting the anti-DOJ PR campaign.
  • It shouldn't be beta in OpenBSD, since it's production in FreeBSD. I only say "should" because SoftUpdates was developed first and reached production level first on BSD/OS, and it definitely does have some deep changes necessary to the UFS and VFS code for integration.

    --

  • What do you mean, "FreeBSD is in deap trouble"? Any time you have more than 200 people working on something, you'll have some conflict. There's no huge divisive war in FreeBSD, even if there are sometimes conflicts between a few people here and there.

    --

  • by pb ( 1020 )
    Well, I've seen some of the e-mails that were tossed around when OpenBSD split, and some of the server logs...

    You're right about the "script kiddies don't write their own material" part, in the strict definition of one, Theo knows enough to write his own tools if he has to.

    But he *acts* like a script kiddie, which I guess was my point. Also, OpenBSD would be a good target user base. Hey, at least we'd get some script kiddies with real sysadmin skills, right? Future BOFH's of the world, unite!
    ---
    pb Reply or e-mail; don't vaguely moderate [152.7.41.11].
  • by pb ( 1020 )
    Oh yeah, I know how it happens, but I don't know why they do it. But these are technical sites, people! They should know enough not to do this, or at least clean up after a bad authoring tool.

    (My text editor never uses a non-standard character set, therefore it's a great authoring tool! ;)

    I've seen this the most with Office--the latest version of Office only outputs good HTML for the latest version of IE for the latest version of Windows--sometimes.

    (no, of course they aren't tied together, Microsoft would *never* do that, they just make up standards that no one has heard of before--the Microsoft Standards. Fun fun fun...)
    ---
    pb Reply or e-mail; don't vaguely moderate [152.7.41.11].
  • by pb ( 1020 )
    Well, make your own decisions. The information is easy enough to find, and Theo's e-mail [theos.com] is damning enough.

    However, this is what I was talking about before [ntu.edu.tw] -- I finally found the reference. It's sad how information can die out, on the net.
    ---
    pb Reply or e-mail; don't vaguely moderate [152.7.41.11].
  • by pb ( 1020 )
    Yep, it's good to have the OS creator set an example for the users. Then if you want to be that profile, you can use that OS, right?

    Bill Gates -- rich capitalist demigod
    Linus Torvalds -- kernel hacker and all around nice guy
    Theo de Raadt -- K-K00l 5kR1p7 k1DD1e!!1!

    OpenBSD: the choice of the next generation of Slashdot users. *sigh*
    ---
    pb Reply or e-mail; don't vaguely moderate [152.7.41.11].
  • >Personally I think the whole OpenBSD thing is nice, but overrated.
    >Will someone please tell me what OpenBSD can do that Linux/FreeBSD
    >cannot? I'm assuming a Unix user is smarter that the average Windows
    >lover, so I don't want to hear 'out of the box'. The only way I see
    >OpenBSD securer than other OS's is that it FORCES you to be secure,
    >whether it applies to your setup or not, which I consider a
    >limitation, not a feature.

    You're right. Not to put it down but OpenBSD is exactly what you said it is. The only real advantage it had was because of the US crypto laws and that's going to change pretty soon. Take a look at the direction Redhat 6.2 is heading in for instance. The other BSD and Linux dists will be talking similar steps as well.
  • Well, mainly because most people don't think of securing Linux. They think of other things (speed, stability, performance, support, toys, etc). However, there are a couple of different projects aiming at security on Linux...

    The first I can think of is Kaos Linux. It's a volunteer-run distro (I don't think they've made a release yet) that is aiming to be the OpenBSD of Linux distros. I used to have the URL but I've been up WAY too long for my brain to be able to pull up that kind of information.

    The other is the Bastille Linux Project (May not be the OFFICIAL name, but you should be able to find it) which is just a patch to harden up some things in Red Hat Linux. They've actually reached 1.0 I believe.

    If you want more information, go to Freshmeat.net and browse the console/os section of the appindex. It should have something that grabs ya.
  • With Linux nowadays most hardware and (good) software is supported. OpenBSD has considerably less hw and sw support.

    Before trying to install OpenBSD you should verify that your hardware is supported. For example, the CMD640 PCI IDE controller is not. The CMD640 is common in many older Dell boxes (e.g., the $100 133Mhz Pentiums you can find by the boatload at Boeing Surplus). It has a nasty bug where simulatenous access to both channels causes servere data corruption. A generic PCI IDE driver will work mostly but will not prevent this problem.

    Do not assume that just because a piece of software works on many Unix-style systems it will work on OpenBSD. Even sw that works on FreeBSD may not work on OpenBSD. Two examples that bit me are: 1.

    • The latest postgresql. Each OS has its own odd way of implementing atomic test and set lock. There must be a specific postgresql interface to this written for each OS. There is (could be was) none for OpenBSD.
    • Apache::Session::SysVSemaphoreLocker does not work on OpenBSD. I believe OpenBSD SysV semaphores are broken. mod_ssl used to have a problem with this but Engenschall has worked around it.

    If your hw/sw is supported by OpenBSD, then you should seriously consider using it.

  • The difference is that you're lying: Microsoft never says that. Cite evidence.
  • Someone have:
    http://www.trustix.net/

    flashboy
  • Seeing these characters myself, I extracted the codes and looked them up. The code I get where I expected the ASCII symmetrical apostrophe is actually the UNICODE right apostrophe.

    What you extracted was character #146, a reserved character in ISO 8859-1 (the default character set for HTML). In Microsoft's character set, #146 is the right apostrophe.

    It's sad, but in some ways, Microsoft is actually LEADING technology. In this case it is the adoption of UNICODE international character set. I wish the Unix/BSD/Linux community would get their act together and get these things working.

    Bzzt. Try again. This is the unicode entity for a right single quote: ’

    Browsers on Linux display it just fine, but they DON'T display Microsoft's proprietary replacement. The "Unix camp" is quite up to date in this regard. The problem is, as stated before, ignorant webmasters - who don't know that Microsoft's proprietary extensions are a Bad Thing, and worse still, don't understand that the proper character to use for an apostrophe is.. an apostrophe, character #39.

    Reference: The Windows Character Set [www.hut.fi]

  • Personally I've found ipf and openbsd to be much easier to understand and maintain than ipfwadm or ipchains. With new firewall tools in 2.4 I'm glad I made the investment and switched. My suggestion if you want to use ipf, is definitely read the ipf howto. [obfuscation.org]

  • Yet another smug little Debian weenie with the "if they only had used Debian GNU-Linux, they wouldn't have been cracked". Yeah, but OpenBSDs superior security has more to it than just disabling daemons. Sure, Debian doesn't run every daemon under the sun by default, but it's still Linux, and does not have the same quality control process as BSD. There is a definite tradeoff here -- in Linux, you get more features, and less well-checked code, because the developers are adding more code all the time as opposed to fixing the code they've already got.

  • Well speaking for myself, I am aware that Open BSDs better security is part of a trade off -- namely, they don't add features to their OS nearly as quickly as they could if they didn't spend so much time proof-reading their code. Their is a definite tradeoff -- features versus security. Linux supports much more hardware than OpenBSD, and is much more user-friendly. But OpenBSD is much more solid from a security standpoint.

    Sure, the "next exploit is waiting to be discovered", and nothing is 100% secure, but it just so happens that it's going to get discovered much faster on Linux or NT than it is on OpenBSD. And the less often exploits are discovered, the less chance that someone will break in.

  • Linux can be made secure with some work.

    Of course it can -- it's OpenSource. Go audit the kernel and get back to us when you're done. There is more to OpenBSD's security than turning off inetd and turning on sshd.

  • Depends on your defn of secure. You can make Linux "secure" and OpenBSD "SECURE". You're right -- for many things Linux's ease of use outweighs OpenBSD's security. But if security is your first priority, and you only want to run a few daemons ( rather than a multi-purpose server with 101 daemons going ) then OpenBSD is a great choice.

  • Mr. Socialism himself. Spread the wealth, everyone is the same, no one can be better than the rest. The rich must give their money to the poor. He should love communist china.

    I'm not clear what "communist China" ( rally more like "state capitalist" ) has to do with "spread the wealth", "everyone is the same" and "no one can be better than the rest". China has entrepreneurs, and inequitable distribution of wealth ( more so than the US ).

    You've just demonstrated that you know jack-shit minus epsilon about "communist" China.

    HAND

  • OpenBSD's hardware support is admittedly not as good as Linux's.

    HAND,

  • Your psots are a riot.
    Cheers,
  • In all PAM-ified systems (such as RedHat and others) you can add a check for a wheel group by just adding the following line to /etc/pam.d/su:

    su auth required pam_wheel.so

    Welcome to the flexible and configurable world of UNIX.
    --

  • Yes. I think Debian also made similar remarks.

    But it is the most flexible and easy to use ftpd. I use it on my home machine but would never use it on a production server (for security reasons).

    Too bad there isn't a secure AND flexible ftpd!

  • I too would really like to start using OpenBSD... It just seem like an concept I'm ready for... But aside from installing the MacOS, Windows 95, 98, NT Workstation 4, NT Server 4, OpenLinux and Redhat Linux, I'm just not sure if i've the actual know-how to pull off an OpenBSD install... Can anyone share their experiences with me/us?

    Is it a really technical process, or is it like the others where you just plop in a CD, choose some options, set some settings, sit back and babysit and viola! you've got an almost working machine? Somehow i doubt it's like that, though.
  • Seeing these characters myself, I extracted the codes and looked them up. The code I get where I expected the ASCII symmetrical apostrophe is actually the UNICODE [unicode.org] right apostrophe.

    It's sad, but in some ways, Microsoft is actually LEADING technology. In this case it is the adoption of UNICODE [unicode.org] international character set. I wish the Unix/BSD/Linux community would get their act together and get these things working.

  • Since the code was a TWO BYTE code, and the browser displayed it as ONE question mark, then the browser knew how to convert UTF-8 encoding into a raw numeric code. It just didn't have a glyph to render it with, so it substituted the question mark.

    That may NOT be the standard, but it is also the case that many standards groups are spending (wasting?) too much time with making things like XML more complicated than they need to be, and not keeping all aspects of standards up to date (like officially supporting UTF-8 encoded UNICODE [unicode.org], which is trivial to implement in validators ... for those who use such things).

    It is already common for standards to be extended and the extensions to be accepted. Netscape added animation to GIF, and while there were some purists crying foul, others just got on with making things better, leaving standards group to eat their dust. I extended GIF to support true-color [ipal.org] images and browsers support that, too (Netscape, Explorer, and Opera, that I have tested). People did bitch and whine about it because it wasn't described in the standard for GIF, but it did work, it did not conflict with the literal standard, and it was the only way to get true-color into web pages until PNG came along (which admittedly was slowed due to browser makers dragging their feet).

    So I suspect as soon as you have full UNICODE [unicode.org] support in X windows and/or the font server, with proper fonts, it will work fine (despite what some useless validator says).

  • A reasonably knowledgeable person can download the latest version of the source for the services you actually do run, and install them, in hours, not weeks.

    I'm not trying to demerit OpenBSD, because I believe OpenBSD is a great system, and should be seriously considered, especially for firewall points. But if there is some reason that would weigh in favor of some other operating system, such as familiarity (I am far more familiar with Linux, especially Slackware, than I am of OpenBSD), then you might still choose something other than OpenBSD, and you can still make it be secure with reasonable effort. If you're a business, just hire someone who knows what they are doing, not someone who has to piddle around the newsgroups for the next couple months to learn how to recognize a security clue.

  • I've always wanted to know ... did the people who designed the CMD640 actually lose their jobs as they should have, or was the whole company a loser?
  • If the main reason you use OpenBSD is because of ipf, why don't you use one of the other operating systems on which ipf runs? There must be other reasons specific to OpenBSD to attract you to it.
  • Which is all well and good, but SGML (and hence HTML) doesn't use a Unicode character set. It uses 7-bit ASCII. When you send pages with those sorts of characters through something like the W3C's HTML validation program [http], they show up as errors.
  • jail is in FreeBSD-4.0 Release and 4 Stable and in FreeBSD-5 current (no doubt).

    Details.. :)
  • Quoting OpenBSD man su:

    If group 0 (normally ``wheel'') has users listed then only those users can su to ``root''.

    So, if you want GNUish behavoir, just remove root from that group. And everybody will be allowed to su. The reason it's the way it is -- 'secure by default'.
  • Am i the only one that finds the following a bit disturbing?
    And then they wonder why i wouldn't trust any linux distribution in any critical enviroment

    HEH
    Why GNU su does not support the wheel group (by Richard Stallman)
    • Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)
    • However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

      I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.

  • Just letting you know that the whole "must be in the wheel group to su to root" is a BSDism, and is not limited to OpenBSD. Any BSD based OS (Early SunOS, Ultrix, etc) uses the wheel group to prevent non admins from becoming root. If Linux is your only Unix experience, then you're forgiven. :)

    Anyway, the wheel thing is a poor example of how OpenBSD is overly paranoid. Is it really that much trouble to vi /etc/group? Also, if you're not overly paranoid, then you're not good at security. They go hand in hand.
  • It's all about choice...which is (in my opinion, at least) a big part of what open source is all about. OS A has something you want? Use it. OS B pisses you off? Don't use it. Kinda like OS C but you feel it could be done a little better? Modify it.

    As far as the "problem" you had with your user account, you probably could have guessed that a proactively secure OS would not put a user account into an su-enabled group by default, and you could have placed that user in the proper group before going a few steps further then getting all pissy about it.

    Just remember kids, nobody's forcing you to use one OS or the other, and that's the damn point.

  • by JatTDB ( 29747 )
    Damn right...su functionality is definitely one place where I want my system to act like a heavy-handed hateful dictator from hell.

    There's a reason the root account is referred to as the SUPERUSER....he is supposed to have unwarranted power over other users.

    I can't think of many situations where having su capability from any user would have any advantage over the proper method except perhaps a little convenience. And we're unix people...since when did we give a damn about convenience?

  • Now, now. You're bagging on the install but you're only really talking about one part of it. disklabel is harrowing, particularly for those used to DOS/linux-style fdisk. Once you're past disklabel, the install is like settling into a big pile of fluffy pillows.

    Okay, there are one or two other tiny things, such as that just before the very first prompt, you get the spurious non-error:

    sh: /etc/rc: No such file or directory

    which you probably won't know isn't a problem unless you have INSTALL.i386 right in front of you and are following along.

    So that's how installation should be done, at least until you're used to it: print out INSTALL.i386 and log26.txt and if something looks weird, don't panic until you've read them both.
  • Blaming the user for a flawed system is silly.

    If it isnt secure out of the box, its flawed.

    Its a flawed concept to launch all kinds of stupid daemons as installation default.

    Its idiotic to expect users to fiddle with a number of strange configuration files if they REALLY want the thing to be secure.

    AND EVEN IF YOU CHANGE ALL THIS, you still get cracked due to bad software with silly design (bind, imap, sendmail, etc.).

    No so with OpenBSD, as seems.

    If just one very good bastard can take you out, your system is not worth much (think of credit card information).

    The agonizing thing is, that SuSE, RedHat et al are exceptionally clueless when it comes to security.
  • I seem remember a number of SuSE security reports until they finally simply advised to uninstall the thing...
  • As much as I like Linux, OpenBSD really is better suited to the job of a firewall/NAT box. The setup for that functionality is pretty darn simple, and unlike most Linux distros, you don't have to go out of your way to lock-down an OpenBSD machine, when security is an issue. Really, I think the only word to describe OpenBSD is jizzmatic

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  • No, I like OpenBSD. Enough to make me... uh, well you know.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  • Well, at least with FreeBSD there is a 'softupdates'
    kernel options which makes ufs way faster than
    ext2 on linux... But there are copyright restrictions
    so they can't include it on the stock kernel.

    This is maybe on OpenBSD
  • simple. turn off all services in inetd.conf ( or kill inetd ), turn on firewalling in your kernel and execute ipchains to deny all ports input. now try and hack a machine such as this one. you can *never* break a box like this no matter what distro you use or how many buffer overflows are in it. and its more secure than obsd default anyway. happy?
  • two celerons = $100
    one abit BP6 = $125
    SMP = priceless (or $225)

    any questions ?
  • secure by default is worthless IMHO. a clueless admin can easily botch a secure by default system. much better to let the user learn the hard way even if its more painful. i personally spend at least a full day securing my linux boxen with ipchains, portsentry, sentinel, nmap etc after installation. its a good thing too - you learn a lot.
  • i dont hate it. it has its places..and i hate people carping about how secure it is out of the box when *nothing* is secure unless you actually look at it with a magnifying glass. i dont like the pace of development (too slow) and the lack of drivers. other than thats its just unix.
  • Well, if you weren't taking a spin on things in an effort to attack BSD as a whole, you might not have posted anonymously. In fact, as I recall from readign the archives, Theo did have some right to be angry. His temper is known quite well, and after the recent 'NetBSD blocking OpenBSD mail' junk a month or so ago, its pretty obvious he hasn't changed.

    Now, Theo asked for months for core membership again, and waited after being told over and over again everything would be sorted out shortly. You also must remember he didn't apologize not only ut of being hubris, but because the person in question spammed him. This was unknown when he was removed from core, and came to light afterwards. Theo should have been allowed to continue on core, or at least should not have been left hanging. If you DID read the archive, then you'd see that (it seems) only one member had a grudge against Theo enough to screw around with him. His attitude was a problem, but no one denies Theo is a marvelous hacker.

    NetBSD folks wanted him to stay, and wanted the political bullshit to end, and repeatedly chimmed in that while Theo needed to calm down, he's contributions were more than enouh to warrent tolerance. They wanted him back! And many wanted the code he developed over the 3 month leave, which Theo kept to himself. This was out of pride, and surely as an incentive to get things back together. When OpenBSD was released, this code was out for the NetBSD folks to grab and use. BSD allows pollination, and really this is a great benefit.

    So, the guy Theo flamed was an ass, and by going under the BSDL Theo did not restrict his code. He forked because he cofounded NetBSD, and his passion/ego was great enough he had to be in the top ranks. And heck, his ego is deserved after all.

    Theo has less control than Linux of his fork of NetBSD, because no one makes him some god. Now that is immature. And Linus has said the GNU model basically forces this (read OpenSources, appendix). His ego is from brats telling him how leet he is. Linus deserves a lot of what came about, but his hack of UNIX is a far cry from staying in form. Of course, he switches this as saying the other forms must have been arciech, which generally seems more of an excuse than anything else.

    I wont even bother withthe VAX bit because that's just so dumb on your part...

    The split happened due to Theo's relationship with a core member, due to his attitude. No one has ever said otherwise, and Theo has a well deserved reputation. Personally, I respect Theo and Jordon Hubbard, among other developers on their core team, far more than Linux developers. That's due to their design models, their skill, and their passion. I think people accept Linux's faults like they do Microsoft's, ie for the latter.. 'its ok to reboot at least once a day.' Of course, I think Microsoft gets to much flame for bs madeup by people who know jackshit.. but I'm sure Linux gets the same. Heck.. I may be one of them.

    All in all, take everything anyone says with a grain of salt. And BSD isn't losing, or else no one would ever talk about it. Media is up. Who ever said we must live in a single OS (and OS design) world? Personally, the more ideas that come into the world, the better. The better usually bubblesort themselves to the top. The best doesn't always win, but one better than the old does.
  • by Skratch ( 39859 )
    OpenBSD does it the correct way and requires a user to be in the group "wheel" in order to su to root. It's Linux that is backwards on this, and I personnaly think it's a much more secure model than the Linux way. It may not seem to it like most, but Linux is actually the oddball when it comes to a lot of things, like IP Masquerading, the rest of the world calls it IP NAT (Network Address Translation). There's quite a few examples like this that kind of make me not appreciate Linux as much, since it doesn't educate people correctly on the 'Unix way' of doing things.

    Don't get me wrong though, I almost exclusively run Linux myself.
  • It's sad to say, but OpenBSD just didn't work for me. It's an awesome OS, and I wish I had a reason to use it, but when I set it up as a Firewall/NAT box, the ftp proxy simply didn't work. Not only does the ftp proxy not work for me, but appearently it doesn't work for a lot of people, no one knows why either, it just arbitrarily decides if it wants to work on your system or not. Not only that, but I installed Webmin [webmin.com], a sweetass web based administration tool onto my OpenBSD box just to see what it was like on OpenBSD, and you wanna know what it's like? Two words: KERNEL PANIC. Webmin (v .77) actually kernel panicked my OpenBSD box. I was able to reproduce it over and over.

    Needless to say, I installed RedHat on it and havn't had a problem since, FTP proxy and all that good shit works fine, and no kernel panics. It's a shame though, OpenBSD seems like a much better designed OS, and it's easy as shit to use and learn....
  • Now, don't go losing your head over that ...

    I'm sure both OpenBSD and Bastille Linux are both good, but no sense getting locked up over the relative merits of both. Security is all well and good, but we need our daily bread, lest we hunger for cake.

  • Hi.

    I too would really like to start using OpenBSD... It just seem like an concept I'm ready for... But aside from installing the MacOS, Windows 95, 98, NT Workstation 4, NT Server 4, OpenLinux and Redhat Linux, I'm just not sure if i've the actual know-how to pull off an OpenBSD install... Can anyone share their experiences with me/us?

    I switched my boxes OpenBSD 2.6 a couple of months back; it was surprisingly easy. You may actually have more experience in relevant areas than I had - my background was in NT admin, though I use various flavours of UNIX (as an ordinary user) a lot at work.

    I have a couple of suggestions, though: first, read the FAQ on the OpenBSD site thoroughly beforehand. Several times, for preference - it really does help. Second, try an install or two in VMware first if you can - the install routine can be a bit unfriendly the first time, but is efficient once you've got used to it. (Some things're also organised differently from Linux, so it's good to get used to that in advance as well.)

    (As to how much work is needed once it's installed - that depends on what you want to do with it. Several bits of server are integrated and ready to go - Apache, OpenSSH and Sendmail, for instance - but if you're looking to use it as a workstation, you'll need to add quite a few apps. That's generally easy if they've been ported, though - the ports and packages system works well, but is a bit limited compared to what's on offer for Linux or FreeBSD.)

    Cheers,

    Mat.

  • LOL- you hit it right on the head with your last comment; Linux-Mandrake [linux-mandrake.com] has security settings. I'm amazed you don't know about it. : )

    I'm not sure that it's definitely a "secure" linux but it has configurable security options, which is definitely a step above the rest of the distros; maybe you should grab a copy of Mandrake7.0. Or maybe you meant something totally different and I'm just stupid.

    -Chris
  • Much as I love Linux, let me get right to the point. For all you people spouting off the same old argument (I can just turn off the services and install ssh and poof! OpenBSD) you have NO IDEA what this is really about. Do any of you even really know what a buffer overrun or an audit really is? Didn't think so. Just install OpenBSD and learn a few things
  • AC writes: When installing anything and run into problems, you check the lists for relevant info. NE2000 cards come up again and again on the mailing list as having problems. If you would have looked instead of asking, it would have taken you 5 minutes of *glancing* at the archives to realize this. You lost several days of work due to your inability to do this, not bad drivers. Yes, NE2000 cards suck in general. I'm aware of the lack of standards. I'm aware that there are a lot of sucko cards in particular. I'm using cards with the RealTek chipset which is known to be one of the best out there.

    WRT to the mailing lists, I did an exhaustive search before I posted my first message. I always search before posting. There was nothing in the openbsd list archives indicating problems similar to mine. If there were, I missed them. I tend to think this is not the case, as most people learn pretty quickly that they have posted a FAQ to a mailing list.

    If you saw a lot of messages recently, chances are they were actually written by me or on responce to me. ;-)

    How do you lose several days debugging and swapping hardware? You swap the hardware (10 minutes max) and move on.

    The problem was that the cards were listed as supported, that they were recognized, and that for the most part they did work. Connections to most sites were *flawlwss.* The problem was that there was a bizarre interaction between the driver and the TCP stack that was only triggered under very unique (but always replicatable) conditions.

    With 20/20 hindsight, yeah, I *could* have found the problem with a 10 minute hardware swap. But we *all* know how good our hindsight is...

    -p.

  • You are trolling.

    If you would actually read the exploit you'd realize that the problem existed in ALL versions of SSH as well as OpenSSH.

    Indeed, there are no fixes for the standard SSH client, but the OpenSSH client put out by OpenBSD has been patched.
  • I think that limiting yourself to non-SMP because SMP hardware is more expensive is asinine

    I think it's reasonable to not spend a large ammount of time solving and debugging a difficult problem that exists only on hardware that most of the users of your product can't even afford. Now that SMP motherboards ('hardware') is lower in price (BP6 anyone?) they are considering reevaluating that stance.

    It's not like they have unlimited resources to implement everything, you know.

    I would also be content with an answer "SMP adds a LOT more complexity, and we don't feel it CAN be as solid as a single processor" (and even if that's not the reason stated, I am positive that that influenced their decisions.)
  • btw a good book on using OpenBSD for this stuff is Configuring Linux and OpenBSD Firewalls, it's like $35

    I'm going to have to disagree with you on this one. While I do think the book is decent overall, I found Linux Firewalls [amazon.com] by Robert Ziegler goes into much more detail on what exactly needs to be let in and out to get a working firewall. Even for OpenBSD I think this book will help people more in the long run. All the information in "Building Linux and OpenBSD Firewalls" as it pertains to OpenBSD is readily available in the OpenBSD FAQ and the IPFilter how-to.

    Of course, I'd also recommend Orielly's Building Internet Firewalls [amazon.com] as an excellent resource for those looking into building a firewall. Yeah, yeah, it's a little out of date but the majority of the material still stands today.

    LiNT

  • I suppose I'll share my two bits here.

    I'm pretty new to OpenBSD myself. So far, I think it's the greatest OS ever.

    My advice to new users would be under ideal conditions, use a seperate computer and a full hard disk. Don't try dual booting or you'll end up kicking yourself in the end. On your first install, leave out X. See how things run and get used to the OS, then install X. Start off by completely reading through the FAQ and the install walkthrough for your architecture. Finally, once you've got it installed don't forget to check man afterboot.

    ahhh, I still remember my first install. I kept thinking I did something wrong because it went by so fast. 10 minutes in and out.

    LiNT

  • Uh, no, the character is not Unicode.

    The byte produced by MicroSoft word is actually in the range 0x80-0x9F. The real Unicode character would be greater than 0xFF. The official Unicode spec says these are the "C1 control characters". MicroSoft has actually invented non-standard meanings for these bytes, since it was much easier than supporting UTF-8 to get these symbols into their 8-bit programs.

    However I would not be too hard on MicroSoft, because:

    This "C1 reserved area" is an ancient back-compatability hack to avoid accidentally producing control characters on systems that strip off the high bit. We should not be making stupid standards just for back compatability with obsolete equipment!

    MicroSoft has used these values to encode typographic symbols that real people really, really, want!. They did not use them for more obscure letters. This encoding serves far more people than almost any of the Unicode pages.

    NetScape and Unix still stink when handling UTF-8. They just display question marks. At least MSoft displays a square box, and it even correctly displays all codes that are in the 0-0xff range or are in the Symbols character set.

    I very much recommend that the Linux/Unix/Unicode world swallow their pride and adopt the MicroSoft assignments for the characters in the range 0x80-0x9F as part of the Unicode standard, and that everybody (X and the console) fix their fonts to display these characters as soon as possible!!!

    I would complain though about MicroSoft's "smart" quotes. It changes apostrophe into a single-close quote character. This is wrong, they should leave it an apostrophe. This breaks all search engines and keywording of files! The text ``this isn't quoted'' should display as ?this isn't quoted' on NetScape, not ?this isn?t quoted?.

  • I have a dual boot machine with OpenBSD on the first drive and Linux on the second. This reflects our server setup - a combination of Linux database servers and OpenBSD webservers. As the connection to our ISP is awful and I'm only blessed with one development machine, I do all programming and testing on the one machine.

    I've found OpenBSD to be an excellent alternative to Linux. The install is quick - just follow the instructions carefully the first time - and the man pages are very good.

    As a reflection of OpenBSD's stripped down philosophy all I have installed above and beyond the core OS is:

    NEdit (statically linked against Lesstif)
    Gimp (development version and required libs)
    Blackbox window manager
    Netscape (the BSDI version - seems far more stable
    than on any other platform I've used it on)


    Chris Wareham
  • The encoding of the document isn't specified, so it's the default ISO-Latin-1. The quotation mark used throughout the document, however, is encoded as character code 146. According to this page on Latin-1 and Unicode in HTML [pemberley.com], the 128-159 range is invalid. M$'s codepage 1252, however, embraces and extends the standard.

    Excerpt:

    All the CP1252 characters are also available in Unicode. For example the CP1252 character 146 that you mentioned (RIGHT SINGLE QUOTATION MARK) has the Unicode number 8217, therefore you should use this number in order to conform to the HTML standard. Modern HTML browsers like Netscape 4.0 understand Unicode, and will automatically convert the Unicode character ’ back into the character 146 on MS-Windows machines, and into the appropriate character on other systems.

    The funny thing is that this page actually renders properly on my Netscape for OS/2, the #1 victim of the embrace&extend strategy...

  • You posted this same article four times. Yet no matter how many times you say "FreeBSD is in very deep trouble," you say absolutely nothing to support that claim. In fact, the FreeBSD team seems in better shape than it has been in ages, and their latest release, 4.0, shows it. The NetBSD and OpenBSD groups both show more life and vigor than they have in a long time.

    It's all a bit like a dog who keeps returning to sniff his own vomit--both your SPAM-posting and this obsessive need you, like some others, seem to have to keep revisiting the whole Theo flame-fest. The whole incident is long in the past, but you just have to keep coming back to sniff at it. (Alas, this same behavior is shared by some of the BSD folks--including some of the participants--but fortunately many of them have been able to turn their differences into a positive force, creating useful technical distinctions and not just meaningless personal ones.)

    I suspect that your real motivation is contained in your need to see BSD as somehow "losing." Losing what? This is free software. OpenBSD, FreeBSD, and NetBSD aren't companies who must maintain market-share or go under--nor is Linux, for that matter. They aren't sports teams or rock bands. They don't need to cannibalize each other's user base to survive. They are all developed by teams that are actually quite a bit more stable and harmonious than most commercial software development teams (where the average developer lasts a bit over a year). They really don't need cheering sections, especially ones composed of gossips nattering away like old ladies over personalities.

    -Ed
  • BSDI is an interesting case, given that they've just had a little encounter with the Open-Source freight train. Although I know it rankles many BSDI fans to hear it, I'm sure that more than one customer has been asking themselves why they should pay thousands of dollars for BSD/OS (or whatever BSDI is calling it thse days) when they can get FreeBSD/NetBSD/OpenBSD for free? Well, they are now beginning the process of merging their system with FreeBSD and changing their business model to something more along the lines of a Red Hat. But even then, the fortunes and misfortunes of BSDI are only peripherally related to the success of BSD in general.

    The general trends are positive ones. Not only is there the BSDI/FreeBSD latchup, but sharing among the three free BSD's has been increasing, and although it might be a little while before it's reflected in marketing surveys, interest in BSD is on the rise (in part because of the Linux explosion, and in part because of the success of BSD users such as Yahoo!).

    Things might be grim in your little neck of the woods. But they look pretty bright in mine.

    -Ed
  • by psmith ( 11508 )
    From the su manpage in GNU shellutils:
    This program does not support a "wheel group" that restricts who can su to super-user accounts, because that can help fascist system administrators hold unwarranted power over other users.

    Myself, I tend to be one of the aforementioned fascists, so in the past I've installed a version of su that's wheel group-aware.

    Now, you can enable 'wheel group only' behavior with PAM.

  • I hate to give you crap on this, as a sysadmin, I feel your pain, but....


    after about 2 yrs being on the net (public email/web/cgi/ssh/sql services being run), I was broken into 3 times. each time it costed me a lot of effort and pain. plus downtime. and even lost files ;-( ;-(


    It just sounds like your using the wrong software. Linux is not the most Secure OS out of the box, but if you work with it, it can be very secure.

    One problem I notice is that people use the same crappy bug ridden buffer overflow software all the time. I am still amazed that anyone runs sendmail, wu-ftpd or bind (Well, bind is the only choice in DNS). How many exploits are there for just these three packages? Sendmail is the worst of all time.

    What people need to do is black list bad software. Get X amount of security problems in previous versions, use different software. I won't touch sendmail since it has such a poor history of security. So what do I use? qmail! Same story for wu-ftpd. I use proftpd (Yes, they had an overflow in a beta, but it was only for writeable directories) since it is pretty secure. And for bind? Well, I am waiting for the author of qmail to finish up his DNSd package so I can use that. Until then, I keep an eye open on the mailing lists for the next bind exploit.

  • Ya, that is the one I was talking about. I just could not remember the name. Shame on me since I am such a qmail fan.
  • I forgot to add in all of this, D.J. Bernsteins explanations of how things work are some of the best. Just check out the qmail documentation and the TinyDNS FAQ's on how things work. Its just nice to see someone make good quality software and documentation.
  • Wow!

    What a bunch of children! I have alway heard of the NetBSD breakup as being pretty petty, but posting is quite clear on thing. They need to grow up.

    I think this is why Linux is so hot. Just about everyone in the kernel development is pretty damn cool. Linus is a real 'net personality. In fact, I saw a long interview with him and his wife on Finish TV and was quite impressed with how nice and down to earth he and his wife is. Alan Cox and the other major contributors are also seem very nice. I have had email conversions with some of them and they seem to be down to earth people (Ya, I know its email, everyone sounds like that).

    This may not sound like much; "Big deal, who cares if they are nice". When your getting started into something you have never done before, you would like people to be alittle friendly, even if they are not helpful. Sounds silly, but have you ever done something, in an area, where the people who also did it were assholes? Didn't think so.

    For example, I wanted to try out FreeBSD a couple of years ago, but all the FreeBSD people talked crap about Linux and Linux people. Everything was, "X is better in FreeBSD than X in Linux.", "Linux sucks...blah blah blah". Worst of all, they were plain ole' dickheads. That kept me from trying out FreeBSD for a couple years until I had to for work. Now I work in a FreeBSD shop, and now I like FreeBSD, I just hate FreeBSD people.
  • This is ridiculous. While I have no doubt at all that OpenBSD is a far more secure OS than Linux, I think the implication that you will be hacked if you are running Linux vs. OpenBSD is silly.

    I am responsible for a dozen Liunx machines on the Internet (i.e., there is no firewall between us and the kiddies) and a couple of AIX boxes too. No sooner had our Linux boxes gone online than I had dozens of attacks each day. But by proper use of tcpwrappers and some commonsense security checks, we have yet to be broken into. As a matter of fact, i have found tcpwrappers to be quite a deterrent. Most people just give up an go away.

    Now I am sure that some determined bastard (or bitch) could take us out if they really wanted. And I am sure that their job would be much harder if we ran OpenBSD instead. But your inability to properly secure your boxes under Linux does not mean OpenBSD is the correct solution. Especially if you are wasting a processor in an OpenBSD box.

  • <PEDANTIC>

    REAL old-school UNIX hackers don't use vi, they use ed. ed is the ORIGINAL, and still the standard, UNIX editor.

    Compared to ed, vi is Office2000.

    </PEDANTIC>
  • > Straight off, I get the message that this user is not in the appropriate group to su to root.

    That is a *feature*, not a bug. Next time, put your "normal" user in the "wheel" group. Then, you'll be able to su just fine.

    > I mean, how difficult would it be for the installer to list the services, (with all of them
    > off by default) and let you choose which ones to install?

    My first take on this is, "not hard". But, then I think a little deeper. If you do this, then a lot of clueless folks will do "enable everything", and you're back to square one. Best if you treat a Unix box like a Unix box, and learn what risks you take *before* opening yourself up to them.

    > Or even to ask what normal user accounts should be in the admin group?

    At install time, what "normal" user accounts does it know about? IIRC, it doesn't ask you to set up a normal user account - it assumes that you will know to do that (though it's been a good while since I've installed it - though I run it every day - so my memory may be Swiss cheese).

    --Corey
  • Eh. Who cares?

    Quite simply, as long as the OpenBSD project stays true to its goals of a proactively secure open-source OS, I don't care if Theo eats children for breakfast and breaks the legs of people in nursing homes for fun. As long as it doesn't affect the code, I'm all for it.

  • I recently downloaded and installed OpenBSD on one of my machines. While I'll be the first to admit that I didn't work as hard as I could have at it, it still seemed to me to be completely paranoid. For instance, on my own machines, the first thing I do is create my user account, and then finish the setup by suing from there to root. (part of my setup on machines is to compile/install the necessary services, and I like having the source code owned by me, so that I can look at it without being a privelaged user). Straight off, I get the message that this user is not in the appropriate group to su to root.
    All in all, the machine seemed overly paranoid, and completely unworkable for a normal user.
    Reading the article, I discovered that I agree with most of their viewpoints (I think that limiting yourself to non-SMP because SMP hardware is more expensive is asinine - the power users are the ones most likely to need this kind of OS), but the hoops they make one jump to get a usable system are a pain. I mean, how difficult would it be for the installer to list the services, (with all of them off by default) and let you choose which ones to install? Or even to ask what normal user accounts should be in the admin group?
    Basically, I guess that I just want to say, I admire the idea behind their software, I just really don't like the way that they implemented it.
  • When I saw the /. story blurb, I was a little excited, hoping that maybe they had been able to shed some more light (or at least new information) on the whole OpenSSH fiasco. Unfortunately, I was disappointed.

    Yes, I use OpenBSD because of its benefits. And I respect de Raadt's technical abilities. But his interpersonal skills leave a lot to be desired.

    In first grade, they called this "Does not play well with others".

  • How is this any different from Microsoft who blames all of Window's problems on the user fuqing up?
  • I'm sorry, I can't give an exact reference and I don't have time to look now. But I remember a recent /. thread where there was references to MS blaming users on doing something wrong being a reason why NT was unstable. Weak evidance,I know, but if you look you can probably find something.
  • I am barely out of the ranks of newbies, but the text based install for OpenBSD does the job very well if you take the time to read what is asks of you. Also, print out the main FAQ and install stuff, or have it up on a browser on a pc next to you.

    The partitioning took me a couple tries, but once I got that straightened out, I was happy with it. Once I got OpenBSD up, I had KDE up very quickly via their (limited compared to FreeBSD) ports collection.

    Later that summer, I figured since this was a laptop, I ought to have the more populist FreeBSD installed so I would have increased access to ready made ports. Well, I had a helluva time getting KDE and XFree going on this Thinkpad, so from my history, I think the OpenBSD install is cleaner than FreeBSD's.

    I still have FreeBSD on my laptop, and am running a OpenBSD box doing NAT at home. I really love the clean design of OpenBSD on servers- whats there is probably there because everyone uses it, but you are going to have to learn to activate it (sendmail as a daemon, for example) so you don't leave yourself wide open.

    matt
  • by nuggz ( 69912 )
    wheel group only this isn't a major issue, you could
    1. patch it
    2. use the OpenBSD su, or other similar su
    3. chmod o-x /bin/su ; chgrp wheel /bin/su

    Option 3 is what I use for /dev/dsp on my linux box, works pretty nicely.

    There IS more then one way to do it.
  • Did you not read afterboot(8)? It covers just about everything you've asked.

    Anyhow - why the hell would you want to go through forty minutes of saying 'Yes, I want nfsiod enabled on boot' in the install, when a simple vi /etc/rc.conf will do it? Minimalism saves everyone a lot of time. I don't want some overly extensive GUI that asks 93,000 questions. I can do that myself.

    Please, read documentation before complaining about a product.
  • Which one is used less? I think I'll go with the one that is used less, that way there is less support, and I won't have to listen to all the newbie complaints of "how do I do this?"

    Definitely NetBSD/pc532 [netbsd.org] :) Good luck finding a machine to run it on; less than 200 boards were made.

  • Manual pages just aren't enough.

    They can be, when they're good. For cases when they aren't the OpenBSD FAQ and the mailing list archive will solve nearly any problem.

    And, they're all located at one place: http://www.openbsd.org [openbsd.org]

    The HOWTO's aren't supplimentry anymore, they are *standard* documentation.
    Only when "standard" means often outdated, scattered across a thousand websites, and lacking real detail on anything but the common case.

    OpenBSD docs used to be spotty, but they made a real effort to bring them up to speed, and keep them there.

    The Linux community has yet to make this effort.
  • I think I was hacked due to bind. I was running the latest version (8.mumble) and lo and behold, I found traces (probably very intentional) of a breakin. there was a subdir under /var/named. harumph!

    with openbsd, named runs as NON ROOT so I don't really have to worry much.

    --

  • I am NOT a prominet site (its my dsl end-system with just my own personal stuff on it; demos of work that I did, etc).

    yet I was hacked thrice. not sure what gives, but I just got tired of it.

    not saying that linux is a Kiddie magnet - but if they portscan and find linux-like environments, they're more likely to hack it since linux is one of the most INSECURE unix's out there (IMHO, of course).

    all I can say at this point is: if you run linux and don't religiously follow the *security* groups (most folks don't have that kind of spare time), then you ARE at risk. same with freebsd, too; I don't think its all that much more secure than linux.

    --

  • I'd just like to add to what others have said. Linux, just like any operating system, takes a bit of work to make *and keep* secure. But there are some excellent tools at your disposal:

    Secure-Linux [openwall.com] is a Linux kernel patch that adds nifty security features, which eliminates many, if not most, buffer overflow attacks. I tested this with one of the ProFTPd exploits, and indeed, the exploit failed against a known vulnerable version of ProFTPd. Without the patch, the exploit worked.

    Psionic PortSentry [psionic.com] detects and responds to port scans in real time. It works with other Unixes as well.

    With these tools, the standard ipchains stuff, and a willingness to not run *every* daemon under the sun, you can have a reasonably secure Linux box.

    Also, to throw those k1dd13z for an extra loop, put all this on linuxppc. Let 'em chew on that for a while...

    New XFMail home page [slappy.org]

    /bin/tcsh: Try it; you'll like it.

  • by Amphigory ( 2375 ) on Friday April 07, 2000 @04:32PM (#1145084) Homepage
    I looked a couple of weeks ago, and was unable to find anyone who had done a secure linux distro. Why would I rather have Linux?
    • Faster. OpenBSD is slow on my boxes.
    • Better hardware support.
    • SMP
    • Better commercial app support.
    • Generally, easier install.
    There are a couple of pages out there that describe products, but no downloadable distros. This sounds to me like a great market for someone to "do a mandrake" in.

    --

  • by Dast ( 10275 ) on Friday April 07, 2000 @04:00PM (#1145085)
    I just installed it tonight for the first time. The disk setup was a tad cryptic, but the documentation rocks, as long as you know what to look for. It was so clear I almost wanted to cry.

    (BTW, where are the preconfigured firewall and gateway scripts installed by default?)

    But I agree the article wasn't really that great.
  • by linuxonceleron ( 87032 ) on Friday April 07, 2000 @09:02AM (#1145086) Homepage
    I've been looking into OpenBSD for a while to replace Linux on my firewall, and it seems like its much better suited for the job. Many people overlook the *BSDs, but Linux has become too mainstream for my tastes :). I should be putting OpenBSD 2.6(+?) on my IP Masq box over spring break...btw a good book on using OpenBSD for this stuff is Configuring Linux and OpenBSD Firewalls, it's like $35

  • by Anony Mouse ( 106601 ) on Saturday April 08, 2000 @12:56AM (#1145087)
    And exactly how big of a problem is Linux's source code, or any of RedHat 6.X's services source? Obviously not as bad as some of you make it out to be. How many times a week do you hear of people's boxes being rooted b/c somebody read Linux's source code, found a hole, and exploited a machine? Not everyone is as eleet as you and reads source code and finds buffer overflows in services(sarcasm) nightly.

    First of all, relax. There's no need to be so defensive. Nobody's saying that your favorite OS sucks! :) A compliment for OpenBSD is not (necessarily) a criticism of Linux.

    Services like sendmail and apache have been around for a LONG time, and many vulnerabilities have been discovered, and fixed. If you are paranoid, use the oldest version that doesn't have known vulnerabilities.

    So, umm, this sounds like words of support for OpenBSD, because that's what OpenBSD does by default (do any Linux distributions take this approach?). It would be *a lot* of trouble to go around downgrading all of the critical network daemons on a Linux distribution to get it secured down (not to mention the time spent finding the last "secure" version of those daemons). Just because someone hasn't broken into a system yet, does not mean that the system is secure! ;)

    They (OS service developers) don't brag about formal 'line-by-line' autids of their sofware, but just because they don't have 'audits' doesn't mean that they lag behind on security.

    Yes, it pretty much does. What you don't look for, you probably won't find. ;) For software of any significant size and complexity, unless you actively look for security holes (or bugs in general), chances are they exist. That said, it doesn't mean that Linux is grossly insecure, but it does lag behind OpenBSD in the security arena a bit.

    What mail service comes with OpenBSD? Surely they write their own, b/c Sendmail doesn't have 'security audits' of their code.

    OpenBSD 2.5 and FreeBSD 3.2 (the two distributions that I happen to have in front of me at the moment, which also happen to have been released around the same time) both shipped with the exact same version of sendmail (8.9.3). The difference? On FreeBSD, sendmail is eneabled by default (as I assume it is on most Linux distributions as well, but it has been a long while since I have administered one of those, so I can't speak for any of them).

    On OpenBSD (/etc/rc.conf):
    sendmail_flags=NO

    On FreeBSD (/etc/defaults/rc.conf):
    sendmail_enable="YES"

    (actually, a quick diff of the source files shows that they are not exactly the same -- looks like some extra type casting and bounds checking has been added)

    Don't get me wrong here, I love FreeBSD (and Linux), but this illustrates the point that Louis Bertrand is trying to make: if I had no knowledge of the security issues surrounding sendmail, the default would be for my OpenBSD system to be "secure" (in that regard) and my FreeBSD system to be potentially less so. I have plenty of other things to worry about than how secure every single network daemon on my system might be, and there is some comfort in knowing that the OpenBSD folks have already done a lot of that work.

    -- Anony Mouse

    p.s.
    http://www.securityfocus.com/vdb/bottom.html?secti on=exploit&vid=1006
    http://www.securityfocus.com/vdb/bottom.html?secti on=discussion&vid=1078

  • by 348 ( 124012 ) on Friday April 07, 2000 @09:15AM (#1145088) Homepage
    OpenBSD is absolutely the choice for me. Sure it has some problems, any SW product will. But with OpenBSD I get a relatively secure environment right from day one. I don't need to have our admins spend weeks implementing bolt-on's to make the environment fairly bulletproof. The only disapointment I have using OpenBSD is that it is very basic. However that is one of the things that our admins love about it. Less bells and whistles means less stuff to break.
  • I just got tired of my linux box being hacked and broken into ;-(

    after about 2 yrs being on the net (public email/web/cgi/ssh/sql services being run), I was broken into 3 times. each time it costed me a lot of effort and pain. plus downtime. and even lost files ;-( ;-(

    so I decided to give openbsd a try. so far, its doing what I need it to. I'm wasting a dual BX board on openbsd (it does not have SMP like linux does; which is what my previous o/s was) but I'll exchange computes for secure computes anyday.

    the way I see it is: if you're inside a protected region (inside the company firewall where there are no 'bad' people to screw you over) then linux on the desktop seems to rule for me. but for any kind of public box, the Kiddies all know about linux and its weaknesses. I'm not sure they know much about openbsd. and even if they did know about it, there's few (if any) open holes they could crawl thru.

    today, I'm being ultra paraoid. I'm not running cgi's anymore, no networked sql, and I even dumped sendmail for qmail. so on my site, its qmail and ssh - THAT'S IT.

    only time will tell - but I feel much better already, knowing that there has been a controlled audit of the openbsd code.

    --

  • by Frater 219 ( 1455 ) on Friday April 07, 2000 @11:07AM (#1145090) Journal
    FWIW, you can get a proper su (in Debian, at least) by installing the secure-su package.
  • by Skapare ( 16644 ) on Friday April 07, 2000 @11:09AM (#1145091) Homepage

    Are you good enough to be a security admin?

    Part of the problem is too many people just installing some packaged software, which they picked for reasons related to how many other clueless people picked it, and they expect it to be rock solid secure as installed without any configuration or tuning. They also expect top notch performance.

    If you want security, then you have to understand security, or you have to get something that is guaranteed to be secure right from the box, or hire someone who knows security (and please, no whining about lack of technical people when technical people are still looking for decent jobs where their employers respect their skills). OpenBSD probably is the most secure system available right now, as installed, although even I would not trust it without looking under the hood.

    A system/network security expert can make most systems secure (even NT if enough information can be had). Businesses have to commit to the attitude of security and trust a security expert to set it up for them. If you can't trust someone, then you better pull the plug on that internet connection right now (and probably also fire all your employees).

  • by Tim Pierce ( 19033 ) on Friday April 07, 2000 @10:14AM (#1145092)

    Straight off, I get the message that this user is not in the appropriate group to su to root.

    This is pretty common behavior on non-Linux machines and certainly did not originate with OpenBSD. In order to su root, you must be in the wheel group.

    Linux does not require this because it uses the GNU version of su, which is intended specifically not to have this requirement. Here is an explanation [qnx.com] for this decision:

    Why GNU su does not support the wheel group (by Richard Stallman)

    Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)

    However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

    I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.

  • by pb ( 1020 ) on Friday April 07, 2000 @09:08AM (#1145093)
    Why do people have to mangle the charset on these pages? It's almost unreadable in Solaris, with all those "?"'s littering it.

    It's good to see something like this in an interview, though:


    Unless security is your primary consideration, you probably aren?t going to use OpenBSD for all of your Unix servers. Linux, FreeBSD and NetBSD all
    excel in various areas where OpenBSD does not. However, OpenBSD certainly has its place, and should be part of any network administrator?s toolkit.
    For your most security-sensitive tasks, OpenBSD is very likely to be ?the right tool for the right job.?


    Many Linux distros are great for a catch-all, newbie-friendly OS, whereas most BSD's (I've heard, I haven't used any of them extensively) feel more like a traditional Unix out-of-the-box.

    (*please*, no "*BSD is Unix, Linux is not blah blah blah" comments. Because they're free, they both have *no* official "Unix" code, it was taken out of *BSD, and was never in Linux, but they share the same kernel interface, which is good enough for me)

    For a Linux alternative, use FreeBSD. For other platforms, use NetBSD. If you like the way Linux does things, use Linux. Need security? Run OpenBSD. Want media/SMP goodies and a pretty interface? Get BeOS. etc., etc., etc.

    They all have their niches, and *advocacy* involves recognizing that, and using the tool that's right for the job. So it's good to see some real BSD advocacy.
    ---
    pb Reply or e-mail; don't vaguely moderate [152.7.41.11].
  • or weaknesses of OpenBSD.

    I installed it for the first time about 3 weeks ago, and I can't believe how much I love it. (I use linux as my workstation, and work on AIX, Solaris, etc.)

    Everyone talks a lot about how secure it is, but that doesn't help anyone who actually wants to USE it. If you're wondering how useable it is, the answer is, "very!"

    I would say its strengths, as far as a server OS, are:

    1) Tiny, tiny footprint. Full server install w/out X windows is like 100 MB.

    2) Nice, full man pages.

    3) It comes with a ton of preconfigured firewall and gateway scripts, along with a ton of info on what they do.

    4) It, by default, emails you every day with info on what's going on on your system. This is the type of thing most sysadmins spend their first four or five months writing for Slowaris/AIX/etc.

    5) It has GREAT networking support. Tunnels, VPN, etc, etc are right there ready to rock from the word 'go.'

    6) It really does only run a tiny set of services on startup. I think it starts with like, 6 processes, by default. That's a very nice base from which to build.

    7) Ports rock my little world. They make life very, very nice.

    On the downside:

    1) The install is amazingly terrifying the first few times. If you don't know what partitions are, if you don't understand hard drive geometry, don't even bother with OBSD. Get FreeBSD and install it a few times first. It follows the same concepts, and has a more clear explanation of what's going on.

    2) The filesystem sucks raw ass. Even mounted noatime and.. whatever else the other mount option is to make things faster.. :P .. it's slow as hell.

    That's pretty much the only bad things I'd say aobut it. I _love_ it as a firewall OS, and I might use it as a web server or something.. The FS performance scares me.

    All in all, the article was lame, as far as explaining why anyone would use OBSD. :P

    --
    blue
  • by pkj ( 64294 ) on Friday April 07, 2000 @10:31AM (#1145095)
    First off, let me state that I am OS slut. I've done my stint with Solaris, Irix, FreeBSD and for the past two years Linux. (And I even develop a fair bit of software they gets deployed under 'doze, but we don't need to talk about that.) All have their strengths and weaknesses, and I'm not terribly partial to any of them.

    I have been meaning to play with OpenBSD for quite some time now, and finally decided to deploy it on my gateway/firewall which had been running RedHat 5.2 for the past two years. From all that I had read, this seemed to be the perfect application of OpenBSD. The install went very smoothly and I was very impressed by installation/sysadmin documentation available on the openbsd web site. The only install problem was my 2gig SCSI disk, of which only 1 gig was recognized. This was no big deal, as 1 gig was plenty, but this is aparently a known limitation of OpenBSD and some drives/BIOSs.

    The first thing I noticed was that the openbsd firewall code is lacking all the plug-ins for mangling complicated protocols like irc, realaudio, quake, etc. Even the use of non-passive ftp required the use of a proxy. This wasn't a big deal for me since I don't use any of these, but I know that many linux users would see this as a big problem.

    A day or so after my install, I noticed that througput on my cable modem was just really sucking to some sites, and I could not connect to others at all. I figured this was a problem with the cable service, which has actually been quite good for me. After jacking my laptop directly into the cable box, I realized that there was nothing wrong with my net connection and that the openbsd machine was fubaring the connections.

    No problem, I'll post to the openbsd mailing list and see what the problem is. I got several replies that I must have something configured improperly. No, said I, the system is virtually stock, and I get excellent throughput to most sites. After much bitching, someone eventually notified me that the NE2000 device driver had known problems. So I replaced the cards with 3c509s (don't laugh, it's all I had on hand) and most of my problems went away. Thanks guys, if you had *told* me the driver was buggy, I could have saved myself a few days of headaches.

    I say *most* of my problems, because I had very similar problems with the 3c509 cards, although they were not nearly as bad. Eventually, I was able to get someone to admit to the fact the the 3c509 driver was buggy as well.

    Needless to say, at this point I was quite pissed as I had lost several days of work debugging and swapping hardware. I don't mind the fact that there are bugs in free software, but what really pissed me off was the fact that (1) the cards were listed as being supported (2) there was absolutely indication of problems with the drivers for these cards in any of the documentation when in fact they had been reported my many people before me and (3) the attitude of the people on the openbsd mailing list who outright assumed that because things were not working that I had done something wrong.

    I'm sorry, but it was a terribly souring experience for me, and I am not likely to go back any time soon. In all fairness, however, I must say that openbsd performed flawlessly for 2-3 weeks aside from the problems I had with device drivers. In mentioning this to other people, I almost always got the response, "Yeah, the openbsd drivers suck." Perhaps I was just terribly unlucky. Who knows...

    As an addendum, I switched back to Linux and my machine has been very happy ever since. There's a lot of stuff I don't like about Linux (design and implementation) but I really must concede that things Just Work(TM) a remarkably large percentage of the time. And perhaps more importantly, I have been much more impressed by the attitudes and helpfullness of people in the Linux community. I don't always get the right answer to questions I post, but I usually get enough to be helpful...

    And finally, to the Openbsd people who happen to stumble across this message, I do hope that you will take my comments as constructive criticism, for that is how they are intended.

    -p.

Marvelous! The super-user's going to boot me! What a finely tuned response to the situation!

Working...