OpenBSD 3.5 Reviewed

eeg3 writes "NewsForge has a review of OpenBSD 3.5. It encompasses a fair amount of information, more specifically it details security, cryptography, installation, and new features." While not afraid to point out OpenBSD's shortcomings as a desktop OS, it's still a good tour of possibly the most secure OS. NewsForge and Slashdot are both owned by OSDN.

Question

[NanoGator]

Every time there's a story about a vulnerability in something Microsoft related, there's a ton of modded up comments to the tune of "people should use Linux and related stuff to be more secure." But if security's such a BFD, why isn't BSD more popular around here?

Re:Question

[black mariah]

Because you can't like BSD and spooge all over the GPL at the same time.

Re:Question

[OnTheMoney]

Watch while this OpenBSD discussion somehow turns into a Windows vs. Linux flame war.

I was at least hoping for some intelligent flames from FreeBSD people instead.

--
Healthy Info [health-issue-books.com]

Re:Question

[Rick the Red]

Cause it's dead?

No, 3.3 and earlier are dead. [openbsd.org] 3.4 and 3.5 are doing fine, so it's only mostly dead.

Re:Question

[Nasarius]

Linux is totally appropriate for a secure desktop system. OpenBSD is for insanely secure servers. The BSDs tend to lack the hardware support of Linux too and other things that just make Linux nicer for desktops.

Re:Question

[NanoGator]

"Linux is totally appropriate for a secure desktop system."

Well I don't know how to write this so it doesn't sound trollish. For that, I apologize in advance.

Is what you're saying that a little less security is okay if it's more usable? If so, why isn't Windows given a little more credit?

Re:Question

[Nasarius]

Windows isn't given more credit because it's crap. To put it in perspective, if Windows is a 1 in terms of security, Linux is a 10 and OpenBSD is a 12.
See dh003i's post.

Re:Question

[Anonvmous Coward]

"Windows isn't given more credit because it's crap. To put it in perspective, if Windows is a 1 in terms of security, Linux is a 10 and OpenBSD is a 12.
"

A lot of Linux users out there are kidding themselves. Arugably, Linux is more secure than Windows. However, most of the Windows vulnerabilities we've seen lately were actually vulnerabilitys on apps running on top of Windows, i.e. I.E.. (Yes, I know it's part of the OS, but that's not to say that Mozilla or Opera couldn't have been developed to be dangerous. Hence the 'more' in my secure commment earlier.) Install and run an insecure app on Linux, then you're just about as vulnerable to outside attack. Not as vulnerable given Linux's excellent permissions system, but it's still more than enough to do damage.

My point is not to say that Windows should be held in a better light, but rather to say that more secure is not secure. You still have to install updates, you still have to watch what you run on it, and you still need to back up/protect your data. If you're already doing that, then usability is of greater interest, and for a lot of people, Linux still has catching up to do.

Ng's got a point. The security reason for people to switch to Microsoft is not the 1 vs. 10 reason it's made out to be here. (at least when talking about personal use, I wouldn't say the same if we were talking about deploying corporate workstations.)

Re:Question

[curious.corn]

UNIX security model is much more easy to grasp and implement than whatever MS kludged together in the various pro versions of their environment. There's no such thing as chroot/jail in windows isn't it? I'm perfectly aware that an XP registry is rife with cryptic and mulply overridden account policy keys that only a specialized enterprise admin might make something out of it (that's probably why SPs often FSCK up deployed servers...). When a security hole exposes a 'nobody' or 'www' jailed server I can patc

Re:Question

[Anonymous Coward]

Yes, you can have a very simplistic deployment that uses a Jail to serve pron pics, and Linux/BSD works very well at that.

However, in enterprise deployments, the "byzantine security model" blows away the Unix equivalents, in terms of pure, needed, functionality.

We're talking about a crowd that still uses NFS, which hasn't even the concept of passwords! It's like super-intelligent space aliens attempting to communicate with cavemen. No wonder they can't understand and think their "Good-um Head-Smash Bone"

Re:Question

[curious.corn]

If you're talking workgroup management I agree with you. NFS isn't a viable solution and until recently cifs:// was pretty difficult to implement correcly. Mind you, it works splendidly on an ldap backend, and supports mutual certificate authentication (on server AND on client)... What I was talking about isn't pr0n servers you little flamebait smuck but enterprise web frontends... (and BTW, I've yet to see a properly and reliably funcional corporate desktop installation...)

Re:Question

[Foolhardy]

UNIX security model is much more easy to grasp and implement than whatever MS kludged together in the various pro versions of their environment.

I don't find the NT security model to be hard to understand; what don't you understand? It hasn't changed much since the first version.

There's no such thing as chroot/jail in windows isn't it?

Yes, they are called sessions. Each session has a set of symbolic links in the Object Manager [sysinternals.com] that connect devices to a session's namespace. The Object Manager is like Linux's

Re:Question

[curious.corn]

Fine, I'm not an expert NT admin but the link you provided on object manager somehow proves my point. The linked page begins by enumerating the bugs of the system provider interface to such a crucial security feature. Now, let's not fool ourself, enforcing chroot and namespace isolation isn't rocket science. Trouble is, MS just provides a useless and buggy handle for it and this I find unacceptable. They claim to provide low TCO but I'm still required to google around the damn web for some freeware (oh the

Re:Question

[Creepy Crawler]

---Is what you're saying that a little less security is okay if it's more usable? If so, why isn't Windows given a little more credit?

Hmmmm, interesting question. Let me present you problems that Ive not found Windows to handle.

1: Allowing graphical interface but NOT allowing 3D graphic card operations used (Simple with X, deny access to DRI)

2: Allowing programs from remote TRUSTED computers to have their graphical output displayed locally. (X was made for this exact purpose)

3: Making user accounts with almost no permission to the local computer (remote mounted directory trees)

4: The ability of an extremly fine grained system security model (NSA patches, now in the 2.6 kernel)

5: Being able to fix terminal (as in bad) errors within your servers woithout having to rely on external help (Domain Admin accts either locked out or scrambled in Win2k3- no known way to harvest other than full reinstall)

6: Does not need a desktop environment to run. Just instead open the Xserver and have onload the program needed for work.

7: Can be done on a Xterminal or bare-bones PC with network connection. I know of no Windows OS that this can be said for.

Im sure there's more... but Oh well ;)

Re:Question

[Matthias Wiesmann]

1: Allowing graphical interface but NOT allowing 3D graphic card operations used (Simple with X, deny access to DRI)

Could you explain why you would like to do this? I mean what security gain you get by doing this? I cannot imagine a scenario were a person should be allowed use of the display, but should not use high-speed 3D operations, or where using those operations would be damageable to the system.

Re:Question

[Creepy Crawler]

Exactly. I dont people playing Quake or Unreal Tournament during working hours..

That allows your workers to use XWindows with 3D accelerated hardware without letting the worker have acces to it.

After all, to keep productivity good, I'd allow on Fridays (afternoon) a good lan tournament on a game.

Re:Question

[Matthias Wiesmann]

Can that actually be done? I have never seen any controlls in the panel that refer to turning DX off.

I dont think there is a control panel to disable DX on windows, but then again, I never saw a control panel in Gnome to disable 3D operations in the X server.

I would be astonished if you could not cripple DX by changing the permissions of the DLLs and thus prevent the execution of games. For me this is the same kind of operations than disabling DRI in the X11 server.

All in all, I'm simply no convinced

Re:Question

[Creepy Crawler]

Ive tried to disable/criple DirectX.

My best attempt sent Windows (2000) into a repetitive blue-screen, desktop, bluescreen, desktop... Circulating error. Reboots didnt work. Changing accounts to admin didnt work either.

My early disgnosis is that removing/disabling DirectX from Windows is nigh impossible. It could be possible, but I see no real way of doing it. DX seems to be tightly interwound with the Kernel.

---All in all, I'm simply no convinced that the whole 'we can cripple the X server' is really a

Re:Question

[Foolhardy]

DirectX is implemented in win32k.sys. This file also implements the win32 subsystem, GDI and the window manager (USER). You can't remove DirectX because GDI uses it to do drawing and map device surfaces; they are integrated [microsoft.com]; not with the kernel, but with win32.

If you want to control the software that your users run, Software Restriction Policies [microsoft.com] will work much better, as they are designed for that. Create a whitelist of allowed program hashes. All others will be denied.

Re:Question

[a1englishman]

So you don't trust your employees?
Do they complete their tasks in good time?
Do you get acceptable results?
If your employees are driven to playing games, have you taken time to examine whether you have an engaging environment, and make your employees' input welcome?
Seems like the problem comes from higher up.

Re:Question

[Creepy Crawler]

Very valid questions.. But Im a consultant.

I service mainly Small Business Owners with IT advice, equipment, installation, and integration of said equipment.

When a business owner says they're having a problem with a User on a Linux desktop playing 3d games on work computers, I respond with the correct way to deal with it. I do not lecture how good/bad the owner is handling business, or other "moral" concerns.

And yes, it doesnt stop Flash games, or other nuisance games.. Just stopping 3d based hardware ac

Re:Question

[Foolhardy]

1. Move the video acceleration level to zero. (Display->Settings->Advanced->Troubleshoo t) This will implicitly disable direct draw and direct3d.
Or, use dxdiag.exe to disable them more directly. Only local admins can change those settings.

2. Connecting to a single window remotely isn't natively supported but Citrix supports it. There is some kind of deal between MS and Citrix to prevent MS from including it standard.
Oh and what happens when the X server dies unexpectedly, takes your server (X cli

Re:Question

[Anonymous Coward]

"The BSDs tend to lack the hardware support of Linux too and other things that just make Linux
nicer for desktops."

Let me think of how to put this in a nice way...

BZZZZZZZZT! Try again. BSD usually the hardware before Linux has it, off the top of my head I can think of USB2 and FireWire.

Happy trolling!

Re:Question

[N8w8]

It's not that simple, a lot of my hardware at some point wasn't supported by {Free,Open}BSD but was by Linux, such as the Hauppauge WinTV PVR350 TV capture card (right now), Aureal Vortex 2 sound card, OnStream DI30 tape streamer, VIA Nehemiah's CPU frequency scaling.

Because of that I switched my server/MythTV box to Linux, though I was perfectly happy with FreeBSD on my server before it had to run MythTV on a PVR350.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Question

[HaloZero]

Because BSD is dead, obviously.

It might have something to do with the fact that security isn't actually worth being secure unless you have to do it yourself, and as such, with most BSDs being rather secure out-of-the-box, doing it that way is a pussy way out. </SARCASM>

different solutions for different problems

[dh003i]

If you are running a server, and security is extremely important, there is nothing better than OpenBSD. Period, end of discussion. Banks and financial institutions should not be using Windows, Linux, or even FreeBSD servers: they should be using OpenBSD servers. Likewise for any website online trafficking in sensitive financial information and private information.

For websites that don't deal in such sensitive information, OS' that are less secure are acceptable, such as FreeBSD and various Linux' suitable for servers (Slackware, Debian, Gentoo).

For Desktop users, security isn't as paramount. However, it is still important, especially if you store any sensitive information on your computer. Some people store their private financial information on their computers. This is why Windows creates problems. Other Windows security problems are just obvious: the plethora of virus', exploits, worms, etc etc etc. These are areas where Linux is better (if not misconfigured so as to be insecure). The reason for Linux and not OpenBSD is because computer's are not an end in themselves. They exist to do certain functions; many of the daily things which people want to do on their computers just aren't possible to do on OpenBSD, or are a real pain, but are possible to do in Linux.

Stating people should use Windows, MacOS, Linux, or xBSD is over-general. Do you know precisely what every users' needs/desires are? No. Then how can you possibly say what OS they should use? The answer is you can't.

Of course, I haven't really responded to your question "if security's such a BFD, why isn't BSD more popular around here?" The answer is that security isn't considered paramount, above all else. If you wanted to be completely secure with your computer, you could unplug it from the internet and never plug it back in, and lock it up in a vault-room, with finger-print protection. People here probably consider other things important as well...

Re:different solutions for different problems

[Anonymous Coward]

Too bad those aren't in any modern distros, and are limited about what they protect. Instead of fixing apps that cause problems with their security measures, they simply disable them. Hell, PaX breaks damn near any useful app you would want to run, so wtf is the point of it?

Re:different solutions for different problems

[Anonymous Coward]

Actually, you are completely wrong. OpenBSD's performance is on par with netbsd, linux and freebsd 4 (freebsd 5 is still noticably slower than the others), benchmark it for yourself.

And openbsd is more secure than another OS doing the same job, wether it be serving webpages or whatever. Apart from code audits, theres stuff like removal of most setuid root apps, priviledge seperation in everything from syslogd to tcpdump, W^X, propolice, non-executable stack and heap, malloc and mmap randomization, strict

Re:Question

[tiger99]

Yes, in many ways, but to a typical Windoze user who has never used a command line they might appear very different indeed.

There is one big difference, you don't get so mauch feature and application bloat with OpenBSD as you get with a typical Linux distro. True, you don't need to install it all, and FreeBSD seems to have even more......

Packaged up properly, OpenBSD could be the basis of a decent desktop OS, but Theo, who mostly runs the show, is fully occupied, and rightly so IMHO, with security issues, an

Re:Question

[Anonymous Coward]

> But if security's such a BFD, why isn't BSD more
> popular around here?

Because for many (most?) in the Linux community
it's not about correctness or quality of the OS,
it's about licensing (GPL), bringing down the evil
empire (Microsoft), and revolution (down with Cap-
italism).

Re:*BSD is dying

[nusratt]

"bombshell", "complete disarray", "bleak future", "river of blood", "endangered", "abysmal", "corpse", "charnel house", "dim", "decay", "Nothing short of a miracle could save it"

so, um, how do you like its chances?

p.s. -- nothing wrong with that parrot, it's just sleeping.

Re:Newbie trouble with OpenBSD

[Gilk180]

Sounds like it's not the server, but the browser. Some javascript in a page is upsetting it.

More info would be helpful, unless of course this is a joke I'm not getting.

Re:Newbie trouble with OpenBSD

[Anonymous Coward]

This problem can be avoided by just not going to any pages which end in ".php". That way you can ensure that the pages were crafted by professional programmers and nobody will try to exploit your uber-secure OpenBSD Javascript debugger.

Re:Most Secure OS?

[swamp boy]

Could you provide examples of "real operating systems designed to be secure from the ground up"? I'd like to know.

Re:Most Secure OS?

[AKnightCowboy]

Could you provide examples of "real operating systems designed to be secure from the ground up"? I'd like to know.

Trusted Solaris [sun.com] from Sun and SecureOS [securecomputing.com] from Secure Computing used in their Sidewinder firewall are just two off the top of my head.

It doesn't necessarily need to be commercial either since there's TrustedBSD [trustedbsd.org] for instance. I guess I shouldn't say "designed from scratch" since many of them build on original BSD or System V code as a starting point, but there are certainly MAC based systems

Re:Most Secure OS?

[holysin]

Having one user (root) with the ability to do anything (s)he wants to the system is a security fault if only because it means *1* password will allow a person unfiltered access to your system. (there's more downsides, but it's almost 2:30 in the morning, and I'm farging tired) That's a single point of failure, which is not a great thing in the real world. It is to me, tolerable, but it is still a security fault.

Re:Most Secure OS?

[Nimrangul]

Yet you first need to be using a user that is in the wheel group to make use of this *1* password, if the user you are already logged in as is not in wheel you cannot become root. So instead it is that you need *2* passwords and that *1* of them must be to a user with specific permisssions.

Even then, you need to know the name of the first user that is in wheel before you can get in and try to become root.

I am not seeing a security problem, because it is not a single point of failure as you describe.

Re:Most Secure OS?

[tiger99]

Yes, and some methods of security can turn into unmitigated disasters when something goes wrong and you dont have a root capability to get access to fix it. It is always necessary to balance security against reliability and maintainability, and ideally maximise them all, a tall order with present-day technology.

Re:Most Secure OS?

[holysin]

My mistake (considering the time, that's hardly surprising) I meant you just need physical access (not hard) + 1 password for most locations, or on the other hand one good exploit.

That's one point of failure. Also of course "good" exploits on *nix tend to give the user root access, without a root to be given access to, there's not as much of a problem.

A third possible security situation with root would be if you work with the government, or for *SOME* banks that do not like the idea of a superuser.

Re:Most Secure OS?

[Nimrangul]

As we were discussing OpenBSD in this article, the good exploit you refer to is a buffer overflow, I will point out that such buffer overflows don't work on OpenBSD. They just kill the daemon off. That's what the stack protection in OpenBSD is for.

Re:Most Secure OS?

[sydsavage]

A properly secured system would only allow root to log in from the console, and physical security should prevent the malicious user from gaining console access.

Delegating administrative privileges can be controlled with extremely fine granularity using sudo, as this excellent series of articles [onlamp.com] point out.

Here is a relevant quote from the first article:
Once you have sudo configured correctly, you can change the root password and not give it to anyone. Nobody should need the root password if they have t

Re:Most Secure OS?

[Anonymous Coward]

How can you call something "the most secure OS" when there is still a concept of a root user that has access to the entire system?

How can you secure, and be sure something is secure if the system can deny you from making sure it is so? Isn't that sort of a catch 22?

Re:Most Secure OS?

[kiltedtaco]

A very Gödelian problem.

Re:Most Secure OS?

[burns210]

"real secure operating system"

What would you consider to fall into this category.

PS: Mac, and I believe Linux with the NSA patches(maybe, not?!) gets rid of the 'root' concept, and just uses sudo/su for doing former root-only tasks... Very good design, in my opinion.

Re:Most Secure OS?

[endx7]

PS: Mac, and I believe Linux with the NSA patches(maybe, not?!) gets rid of the 'root' concept, and just uses sudo/su for doing former root-only tasks... Very good design, in my opinion.

root never really goes away. su and sudo work by switching to user id 0, which is the user id of root. What you can do however, is remove root from existing as a user. The kernel/whatnot still grants specials priviledges to user id 0, but you can't actually login or use any user with that id because root doesn't exist

Re:Most Secure OS?

[c13v3rm0nk3y]

How can you call something "the most secure OS" when there is still a concept of a root user that has access to the entire system?

Well, my understanding is that the most common exploits are simply bugs in userland and kernel code.

Even if one of these exploits leads to a remote or local privilege escalation, arguably it is the original exploit that is the real problem, since it led to the privilege escalation in the first place.

Furthermore, there is a fair amount of work being done to place all daemons

Re:Most Secure OS?

[aluser]

Furthermore, there is a fair amount of work being done to place all daemons on OpenBSD in a chroot jail, basically making running things like a mail server or http server no less secure than running without

From the chroot(2) man page (okay, this is on debian but the same applies to obsd):

Note that this call does not change the current working directory, so that `.' can be outside the tree rooted at `/'. In particular, the super-user can escape from a `chroot jail' by doing

automatic package dependencies

[straycheck]

It's not true that OpenBSD does not support network installation of packages with automatic dependency handling.

Try this (assuming a Bourne-style shell):

PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/3.5/pac kages/i386/
export PKG_PATH
pkg_add p5-DBD-mysql-2.90.03

All dependencies are discovered, downloaded, and installed as necessary. The only real downside is that you need to know the version of the package.

Check pkg_add(1) for the details.

Re:automatic package dependencies

[tiger99]

True, but all the BSDs and for that matter Linux urgently need a package management system that works, and what is more can be made to work over a modem link with 2 hour time limit. Neither Xandros nor SuSE have had the decency to respond to bug reports about this from a paying customer, it is not possible in Fedora either (some packages like the kernel tend to be upwards of 130MB), and while most of the world still has to use modems, security patches can simply not be applied.

Time for a well thought out sy