OpenBSD 4.7 Released 143
An anonymous reader writes "The release of OpenBSD 4.7 was announced today. Included in this release are support for more wireless cards, the loongson platform, pf improvements, many midlayer filesystem improvements including a new dynamic buffer cache, dynamic VFS name cache rewrite and NFS client stability fixes, routing daemon improvements including the new MPLS label distribution protocol daemon (ldpd) and over 5,800 packages. Please help support the project by ordering your copy today!"
Re:The Insecurity of OpenBSD (Score:5, Insightful)
Re:The Insecurity of OpenBSD (Score:2, Insightful)
The fact that the OS code is audited is nice, but can't protect against other insecure software. If you run postfix which isn't audited, and it has a hole and the attacker gets root, then there is nothing to stop them.
Maybe I'm wrong, but if the mail server isn't crap it should give up root privileges as soon as possible. So, to get root you need to do two things.
1) Exploit a bug in the mail server
2) Exploit a bug in the operating system to gain root privileges
If MAC is part of the operating system, and can therefore contain operating system bugs, how does it mitigate step 2? How does it mitigate it any more than an operating system without MAC?
An example from a commenter on the blog is that he needed to prevent root from reading users files. OpenBSD is almost the only OS left that can't meet this requirement.
Are you serious? The root user has ultimate power by definition. That's been the case with *NIX for decades.
Re:Got my CD in the mail a few days ago (Score:2, Insightful)
OpenBSD doesn't want to take over the world, see the project goals [openbsd.org]. This doesn't stop their work becoming used on a large scale, but this happens because of the software's features and technical superiority.
On the other hand, many Linux advocates seem to be obsessed with the idea of world domination. I've seen these people choose Ubuntu for reinstall/upgrade jobs when their friends and family would genuinely be more comfortable, and better off, with Windows or OS X.
Decide for yourself which is the more noble goal.
Re:The Insecurity of OpenBSD (Score:3, Insightful)
While I consider your comment as 'Interesting', if not 'Insightful', I still can't approve of your
This is the story Slashdot should have included to run.
The story is about the release of the most recent OpenBSD, 4.7; its availability, funding, etc. The discussion about its 'lack of security' is surely of a very different nature.
Having read the article mentioned by you (I saw 43 comments,?), I can only agree - and I knew that for long - that OpenBSD has no access control systems on top of the Unix-permissions. If they should be there, and how their lack renders OpenBSD less secure than Linux, is quite another topic. Actually, I was kind of disappointed when reading the article, because it focuses solely on access control to crack OpenBSD. So even the title was badly chosen: the article talks about a perceived 'lack of a security feature' or something to that behalf; not about an 'insecure' OS. And yes, there is a difference, and the article is clear about it: If, and only if, the system is broken into (already), can additional access controls eventually contain damage.
Nothing can beat Apple (Score:3, Insightful)
IMHO if someone has problem with OpenBSD community/leader, he should hang at Mac community/websites/mags and especially IRC channels for a while.
I also think OpenBSD theocratic leader and hostile community could be the reason why OpenBSD has its unique and prestigious position today... We all heard how many users got banned for questioning inclusion of Mono to a "user friendly" Linux OS distro which has democratic leadership right?
Re:The Insecurity of OpenBSD (Score:2, Insightful)
The mailserver is just an example. There is plenty of insecure software running as root.
FTFY
MAC cannot prevent the exploit as such, but it can make the attacker completely limitless. You can take away execute permission, write permission (allowing just append), no file creation, absolutely nothing except the very minimal that the program actually needs.
This sounds a lot like what securelevel(7) [openbsd.org] already does.
There is absolutely no reason to have a user with absolute power when we have the technology to segregate power and duties, there by significantly reducing the attack surface.
There is absolutely no reason to put up walls so the sysadmin can't do anything, rather than fix the bugs that let an attacker gain root in the first place.
Re:Nothing can beat Apple (Score:4, Insightful)
OpenBSD has fewer kernel panics than 2.6.xx.xx and for network tasks has better performance for us.
Again, kudos to the OpenBSD team for another release.
Re:I can't actually get anything done on OpenBSD. (Score:4, Insightful)
Uhm... Yeah.
Why use a cheap arm toaster that can be set up in 5 minutes when you can give CISCO a few thousand dollars for a piece of shit?
Because that toaster doesn't provide real support and next-day RMA service. You might work in a small shop, but for people who run multiple datacenters, 100s or 1000s of network devices, and whose jobs rely on uptime this is a no-brainer. I'll take the appliance with the service guarantee, replacements, and track record over a few Dells with *nix running on them.
You are not allowed to replace a $10000 router with a $100 redundant array of consumer hardware because it would make your boss look bad.
I can see why you posted AC. You're out of your depth. Cisco may churn out some real crapware ancillary platforms sometimes, but when it comes to core routing and switching on the big chassis, they're pretty damned reliable.