OpenBSD 4.7 Released
An anonymous reader writes "The release of OpenBSD 4.7 was announced today. Included in this release are support for more wireless cards, the loongson platform, pf improvements, many midlayer filesystem improvements including a new dynamic buffer cache, dynamic VFS name cache rewrite and NFS client stability fixes, routing daemon improvements including the new MPLS label distribution protocol daemon (ldpd) and over 5,800 packages. Please help support the project by ordering your copy today!"
The Insecurity of OpenBSD (Score:1, Interesting)
The insecurity of OpenBSD [osnews.com]
A criticism of the OpenBSD security philosophy is performed, along with an examination of the claims made regarding the project. In particular their rejection of any advanced access control framework is examined. A well researched and well written article, followed by over 200 comments that are also worth reading.
Re: (Score:1)
That article has been posted several times on *BSD mailing lists and is hardly relevant to the release of a new version.
I wonder if an article criticizing the security of Slashdot's darling OS, Linux, would receive such positive moderation on a release story.
Re: (Score:1)
For some reason they refused to run this one, so I thought it would be good to draw attention to it on a related story.
Re: (Score:2)
Slashdot regularly runs stories criticizing Linux's security,
So they regularly run such stories and yet not a single one appears after going back more than a month through the Linux section?
Re: (Score:2)
Most of us have been reading slashdot long enough that "several times a year" qualifies as sufficiently regular.
In other words: get off my fucking lawn.
Re: (Score:3, Interesting)
Most of us have been reading slashdot long enough that "several times a year" qualifies as sufficiently regular.
And yet going back even farther to more than 6 months I've yet to see a single one of those supposed articles that criticize Linux security. Care to actually link to even a single article that isn't more than a year old?
Re: (Score:2)
I have no idea why this is modded troll, as the AC kindly provided a link to such an article, as the GP requested...
Re: (Score:2, Interesting)
Maybe if the article had any real merit, instead of making stupid statements that aren't true.
It's a shame the author's love affair with MAC can't help him write a decent article.
I wonder how many installations of Linux have SELinux disabled because it broke something.
Re: (Score:1)
That MAC is anything but bloated and a waste of time.
The notion that adding security as an afterthought is a good idea.
Re: (Score:1)
The archaic UNIX security model is exactly that, archaic. There are needs it cannot meet, and something like MAC is needed.
When operating system code is security audited, what needs can the *NIX security model not meet?
Re: (Score:1)
2. An example from a commenter on the blog is that he needed to prevent root from reading users files. OpenBSD is almost the only OS left that can't meet this requirement.
3. Auditing, along the lines of what OpenBSM provides. This isn't related to MAC, yet the team still doesn't impleme
Re: (Score:2, Insightful)
The fact that the OS code is audited is nice, but can't protect against other insecure software. If you run postfix which isn't audited, and it has a hole and the attacker gets root, then there is nothing to stop them.
Maybe I'm wrong, but if the mail server isn't crap it should give up root privileges as soon as possible. So, to get root you need to do two things.
1) Exploit a bug in the mail server
2) Exploit a bug in the operating system to gain root privileges
If MAC is part of the operating system, and can therefore contain operating system bugs, how does it mitigate step 2? How does it mitigate it any more than an operating system without MAC?
An example from a commenter on the blog is that he needed to prevent root from reading users files. OpenBSD is almost the only OS left that can't meet this requirement.
Are you serious? The root user has ultimate power by definition. That's b
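The point made a few posts up, that a mail server "should give up root privileges as soon as possible", is easy to state and easy to get wrong. The following is an added example, not code from any poster or from OpenBSD or Postfix: it drops privileges in the order that actually works (supplementary groups, then gid, then uid, checking every return value) and then verifies that root cannot be regained. The user name "nobody" in main() is a placeholder; a real daemon would use its own dedicated account.

```c
/* Added example (not from the thread): dropping root privileges in the
 * order that actually works, then verifying the drop took effect.
 * Assumes a POSIX system; "nobody" in main() is a placeholder account. */
#define _GNU_SOURCE   /* glibc: expose the setgroups() declaration in <grp.h> */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the given uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups first, then gid, then uid. Once the
 * uid is no longer root the process can no longer change its groups, so
 * calling setuid() first would leave root's group memberships in place. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may alter the supplementary group list; an already
     * unprivileged caller has nothing it could clear here. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Confirm the drop: real and effective ids match the target and, when the
 * target is not root, privilege cannot be regained through the saved uid.
 * Returns 1 if the process is correctly unprivileged, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)
        return 0;   /* saved uid was still root: the drop was incomplete */
    return 1;
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (geteuid() == 0) {
        /* Started as root: move to an unprivileged account. "nobody" is a
         * placeholder; a real daemon would use a dedicated account. */
        struct passwd *pw = getpwnam("nobody");
        if (pw == NULL) {
            fprintf(stderr, "no such user: nobody\n");
            return 1;
        }
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    }

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    if (!privileges_dropped(uid, gid)) {
        fprintf(stderr, "privilege drop did not take effect\n");
        return 1;
    }
    printf("running as uid %u gid %u\n", (unsigned)uid, (unsigned)gid);
    return 0;
}
```

Run as an ordinary user it simply confirms the current ids; run as root it switches to the placeholder account and then proves that setuid(0) fails. The verification step is the part most daemons skip: setuid() can succeed while the saved set-user-id still points at root, and only an explicit attempt to regain privilege shows whether step 2 of the post above really was closed off.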
Re: (Score:2, Insightful)
The mailserver is just an example. There is plenty of insecure software running as root.
FTFY
MAC cannot prevent the exploit as such, but it can make the attacker completely limitless. You can take away execute permission, write permission (allowing just append), no file creation, absolutely nothing except the very minimal that the program actually needs.
This sounds a lot like what securelevel(7) [openbsd.org] already does.
There is absolutely no reason to have a user with absolute power when we have the technology to segregate power and duties, thereby significantly reducing the attack surface.
There is absolutely no reason to put up walls so the sysadmin can't do anything, rather than fix the bugs that let an attacker gain root in the first place.
Re: (Score:1)
This sounds a lot like what securelevel(7) [openbsd.org] already does.
Nope. Not at all similar in terms of capabilities. Securelevels are a pale imitation of what you can do with MAC, not even close.
If you really think securelevels are at all close to MAC, then you really don't understand MAC.
There is absolutely no reason to put up walls so the sysadmin can't do anything, rather than fix the bugs that let an attacker gain root in the first place.
It's not putting up walls, it's enforcing secure policy and good practice, and sometimes the law.
Separation of duty, read up on it.
Re:The Insecurity of OpenBSD (Score:4, Funny)
Re: (Score:3, Interesting)
I wonder how many installations of Linux have SELinux disabled because it broke something.
The overwhelming majority, in my experience.
Re:The Insecurity of OpenBSD (Score:5, Insightful)
Re: (Score:1)
No, Ubuntu isn't unusable because of omitting features. It's unusable because what they start with is unusable, and they have nowhere to go from there.
Much like security. You can't bolt on features after the fact and suddenly have a secure product.
Re: (Score:2)
No, it's unusable because it doesn't support my wireless on my Dell laptop at all. My choices are crap NDIS wrappers or the reverse engineered Broadcom drivers, both of which drop the connection at least twice a minute which makes doing any actual network transfer nigh impossible.
It's unusable because the goddamn thing can't remember the way I arranged my panel from one boot to another without moving shit all over the place regardless of whether I lock it or not.
It's unusable because the power management sl
Re: (Score:3, Insightful)
While I consider your comment as 'Interesting', if not 'Insightful', I still can't approve of your
This is the story Slashdot should have included to run.
The story is about the release of the most recent OpenBSD, 4.7; its availability, funding, etc. The discussion about its 'lack of security' is surely of a very different nature.
Having read the article mentioned by you (I saw 43 comments?), I can only agree - and I have known that for a long time - that OpenBSD has no access control systems on top of the Unix-permission
Re: (Score:1)
The original author's argument consists entirely of pillorying OpenBSD for its lack of any Extended ACL framework as a second line defense against security breaches. Posters in the comments section rightly point out that OpenBSD does indeed include other second line defenses like PID randomization, ASLR, and extensive support for chroots - some of which are still not supported by default in Linux distributions today. The OpenBSD maintainers' choice to focus on ensuring the quality of the first line applicat
Re:The Insecurity of OpenBSD (Score:5, Informative)
Oh come on now... The title is inflammatory and the tone is combative. Unsurprisingly the discussion at the guy's blog degenerates pretty quickly.
I don't really disagree with most of his central points: Secure by default isn't really useful to most people; OpenBSD needs more security features than older UNIX ones; and the OpenBSD team does themselves a huge disservice with their "not invented here" syndrome... But really the whole thing could have been written with a more professional tone and fostered a lot more constructive discussion.
Re: (Score:2, Interesting)
He is talking about what prevents OpenBSD from being a secure system for the points you mention.
I found the discussion on the blog quite interesting aside from the insults, which are a minority
"not invented here" syndrome (Score:2, Interesting)
The things that are pioneered by OpenBSD, often make their way to everywhere else.
So, ahem, it IS invented in OpenBSD.
Re: (Score:1)
Isn't giving a critique the definition of criticism?
Re: (Score:2)
With respect, a name server is about the easiest thing to secure. It runs one application plus (maybe) ssh. The only vulnerabilities will be in BIND and they are not considered OS issues by OpenBSD anyway. Try securing a system with 100 untrusted interactive users. Or running a dodgy webhosting control panel, then see how you go.
Does anyone know if ldpd is available in Linux? (Score:1)
Re: (Score:1, Informative)
No, not without removing a lot of OpenBSD'isms from it.
Good (Score:1)
Darn, FAILED.
Bad timing... (Score:2)
I just downloaded the old version 2 days ago!
On a serious note; Can a BSD client read/write/use a Debian NFS share?
Re:Bad timing... (Score:5, Informative)
Be careful with the settings of the no-df bit in TCP fragments, which Linux NFS generates and expects, and which PF rightly blocks when scrubbing. The PF FAQ is your friend there.
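The scrub caveat above, as an added pf.conf(5) fragment; this is not from the post or the PF FAQ, and it assumes OpenBSD 4.7's syntax, where scrub options hang off match rules rather than standalone scrub lines. The interface em0 and the server address are placeholders, and the pass rule covers only nfsd's port 2049, not the portmapper and mountd ports NFSv3 also needs.

```pf
# Added example, not from the post. pf.conf(5) fragment, OpenBSD 4.7 syntax.
# em0 and the NFS server address are placeholders; adjust to your network.
nfs_server = "192.0.2.10"

# Weak setting: plain scrub reassembles fragments but drops any fragmented
# packet that carries the DF bit. Linux NFS emits exactly such packets, so
# large NFS requests silently never reach the server.
# match in on em0 scrub (random-id)

# Corrected: clear DF on fragments so they can be reassembled and passed.
# random-id belongs alongside it: hosts that set DF may send a zero IP ID,
# and once DF is cleared fragments sharing that ID could be mis-reassembled.
match in on em0 scrub (no-df random-id)
pass in on em0 proto { tcp, udp } to $nfs_server port 2049
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check; if mounts still hang at large transfers, the DF drop is the first thing to rule out with pfctl -vs rules and a look at the block counters.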
Where are the screenshots? (Score:5, Funny)
If I can't see examples of OpenBSD running Gnome with transparent Conky over a red Lamborghini Murcielago wallpaper and maybe some cascading green character columns like the Matrix, I'm going back to Ubuntu.
Re:Where are the screenshots? (Score:5, Funny)
yes, have some.
http://tinypic.com/r/2yoo29t/6 [tinypic.com]
on a Toshiba laptop too (all devices work)
Re: (Score:3)
so I didn't want to use my bandwidth for my fun and used a free hosting service instead for my photo, big deal. It'll be accessible for at least a year. And even then by context anyone can deduce my point that OpenBSD runs GNOME and Conky with effects just dandily, even on laptops.
the concerns of that "link shortener" article are laughable. The author is warning of a doomsday when archives of posts from Twitter and other social networking sites become a tangled pile of broken links because of "short URL use"
Got my CD in the mail a few days ago (Score:5, Interesting)
Yeah, I use OpenBSD. My firewall's named linksys and the SSID is default, both for sheer entertainment value. OpenBSD like anything else has its flaws: namely an insular and hostile user community and a theocratic leader with a vision. On the other hand it's people like that who get things done.
It would be nice to do more with OpenBSD than I can now, but last I checked ports didn't have the latest asterisk, getting the latest Java running is a pita, the latest Apache has an incompatible license or something, ZFS will never be supported, etc, etc, etc. But staying up with the latest software isn't really a design goal for Theo & crew. It's sort of the PVP UNIX - no care bears welcome. Their targeted approach to security over features makes it the best OS out there for targeted uses, but who knows if they'll make it to 5.7 - decreasing relevance and due to narrowing mainstream software support definitely also narrows interest.
Regardless, congrats on another great release.
Re: (Score:3, Interesting)
Yeah, I use OpenBSD. My firewall's named linksys and the SSID is default, both for sheer entertainment value.
I guess you could describe that as "What's the sound of one-hand clapping?" or "An inside joke of the nth degree". ;-) Entertainment aside, pf users and fans should note the pf syntax changes [marc.info].
Re: (Score:2)
Rule #0x0a: Nothing on Slashdot is obscure.
Re: (Score:2)
"Entertainment value"?
I've got to party with you, sometime.
Re: (Score:2)
I'll bring the sparkling apple beverage.
I've got a couple openBSD boxes myself. One is on httpd duty, the other doesn't do much, just sort of general purpose - I'm planning on making this one into some sort of automatics control for the house (turn the lights on, report temperature, I don't know, a bunch of lame stuff like this).
Re: (Score:3, Interesting)
"I'm planning on making this one into some sort of automatics control for the house (turn the lights on, report temperature, I don't know, a bunch of lame stuff like this)."
OBSD has support for the 20 pin gpio header on a Soekris net4801 board out-of-the-box. With that you can easily make either digital or transistor switches to control things. The shell command is gpioctl which you may want to grab the source and mod it so its not reading command line arguments and can be put in your code without an os s
Re: (Score:2)
Cool. I've got an AVR32 [atmel.com] (not ARM or MIPS, something completely different) powered board that I've played with a bit, similar idea I suppose. Although I don't believe there is an openbsd port for it... I should pick up something ARM sometime, here..
I've got a sort of hate for the gpio subsystem in linux, and I've never played with the one in openBSD - I'll have to look into that.
Luckily the board I have in mind has a full PC/104 bus (essentially ISA, with a different connector), so I can inb/outb to my heart
Re: (Score:2)
I'll bring the sparkling apple beverage.
I've got a couple openBSD boxes myself. One is on httpd duty, the other doesn't do much, just sort of general purpose - I'm planning on making this one into some sort of automatics control for the house (turn the lights on, report temperature, I don't know, a bunch of lame stuff like this).
For that I would use a microcontroller. An Atmel ATmega8 draws 5 mA running at 20 MHz. It has better low-level IO capabilities than a PC and it can talk to a PC through a serial port. The idea would be to use the microcontroller for day-to-day control and start the expensive (in power) PC when you have new instructions for it.
Re: (Score:2)
I've done some work with AVR's, and they're great. But I want to be able to SSH into this thing and see what's going on from work :)
(this is a low power centaur board anyways, I think it uses 15w full tilt..)
Re: (Score:3, Funny)
Heh, glad I made you laugh. Why are there no slashdot meetups? Oh yeah, because that would require getting dressed and leaving the house.
Re: (Score:1, Funny)
Why are there no slashdot meetups?
What's that? I think it's the sound of thousands upon thousands of buffet restaurants slamming and locking their doors at the thought.
Re: (Score:3, Funny)
theocratic leader
Yeah, he can really de ratchet up the abrasiveness when he wants to.
Re: (Score:2)
/rimshot
Re: (Score:2)
Targeting a small specialized market is never good for your longevity, regardless of how well you do it.
Re: (Score:2)
now that's funny, considering openbsd has been around since 1995, three years after the first real linux distro.
Re: (Score:2)
15 years is a blip. When it hits 30 we can talk.
Re: (Score:2)
bullshit, for a software project 15 years with tens of thousands of users worldwide is smashing success and proven endurance. There are multi-million dollar commercial software success stories that have risen and fallen in a shorter time and are no longer used.
Re: (Score:2, Insightful)
OpenBSD doesn't want to take over the world, see the project goals [openbsd.org]. This doesn't stop their work becoming used on a large scale, but this happens because of the software's features and technical superiority.
On the other hand, many Linux advocates seem to be obsessed with the idea of world domination. I've seen these people choose Ubuntu for reinstall/upgrade jobs when their friends and family would genuinely be more comfortable, and better off, with Windows or OS X.
Decide for yourself which is the more no
Re: (Score:3, Interesting)
I'm not sure that it has decreasing relevance. For something like a firewall or other networked appliance (where you don't actually have users logging on and interactively using it), OpenBSD is way ahead of the game. Auditing the kernel and securing that is actually a good strategy for such devices, whereas mandatory access controls would be more of a cycle-hog. For reasons I don't entirely understand - or agree with - the world is slowly moving away from desktops and towards appliance-based computing. Look
Re: (Score:2)
OpenBSD like anything else has its flaws: namely a insular and hostile user community and theocratic leader with a vision.
I see what you did there.
Re: (Score:2)
and theocratic leader
Nicely done.
Re: (Score:1)
...hostile user community and theocratic leader...
I've observed the OpenBSD attitude as being anything but religious in most cases, at least compared to FSF/GNU folk, and far closer to the laudable `shut up and hack'. The community may appear hostile, but successful users need to have initiative rather than being spoon fed. `RTFM', or a milder equivalent, is often the best way to encourage that.
Re: (Score:2)
As others have noted, this was a double entendre if not downright pun. OpenBSD users are not by and large welcoming if someone trips across the wrong e-mail list. As I stated - it's the PVP OS: come prepared to defend yourself. In the case of OpenBSD that means reading the FAQs, trolling the list history and submitting a dmesg when you do ask a question. Failing to do that is the EVE Online equivalent of flying your pod through 0.0 space.
Re: (Score:1)
I'm surprised you have time to investigate other operating systems if you're thinking in MMORPG analogies. :)
Nothing can beat Apple (Score:3, Insightful)
IMHO if someone has a problem with the OpenBSD community/leader, he should hang out at Mac community websites/mags and especially IRC channels for a while.
I also think OpenBSD's theocratic leader and hostile community could be the reason why OpenBSD has its unique and prestigious position today... We all heard how many users got banned for questioning the inclusion of Mono into a "user friendly" Linux OS distro which has democratic leadership, right?
Re:Nothing can beat Apple (Score:4, Insightful)
OpenBSD has fewer kernel panics than 2.6.xx.xx and for network tasks has better performance for us.
Again, kudos to the OpenBSD team for another release.
Re: (Score:2)
The article I linked to above is a good discussion of this. Given how they flat out reject MAC, and the reasons they give for doing so, it seems they know very little about actual security.
Re: (Score:2)
Their definition of security goes far beyond pre-emptive bug fixing, but the author of that article is ignorant of OpenBSD security, and Unix security in general, and moreover thinks MAC will save him from the common exploits that bring down real machines (which any experienced Unix admin knows is total B.S.)
Re: (Score:2)
No, a MAC won't keep an exploit from destroying data files for which a user or application is already allowed access. Suppose a buffer overrun exploit is used to gain control and corrupt the application's database which is allowed by ACL. What is your MAC going to do? Nothing, that's what.
On the other hand, other features of OpenBSD *do* come into play against such a problem.
Re: (Score:1)
Let's say a user exploits Firefox... you would think the exploit would have full access to the user's files, right? Nope, not so. With MAC, there could be only write access to a downloads directory, no execute access except for a whitelist of files, and only append access for the rest. If the exploit tried to delete anything, it would fail. Can
Re: (Score:1)
With due respect, I think both you and the author of the "insecure" article have some fundamental misunderstandings about OpenBSD and the way the project works.
Just to note I don't speak for the project here, this is just my impressions from being involved for a short time.
Firstly, jokes about theocracy aside, OpenBSD is not a dictatorship. There are a lot of developers, and they don't all agree about everything.
So, even if some OpenBSD developers say they are skeptical about MAC, it doesn't mean all are, o
Re: (Score:1)
I understand your point, and that OpenBSD is not a dictatorship and that there are some interested in MAC, but just skeptical, and I have to disagree.
I am quite sure, without exception, on the mailing lists in the big debate in 2007 and on that insecure article, that every lead developer stated that MAC at best does not offer any additional security, and at worst is false security actually making things worse.
It is such a poor understanding
Re: (Score:1)
The problem is not a lack of an implementation, but not any implementation will do. It has to be suitable, and meet the OpenBSD project goals.
AppArmor and RSBAC are GPL. TrustedBSD is rather large, relies on some FreeBSDisms, and IMO is overengineered; I think it would be quite a hard sell, but there may be useful ideas. The fact is that even if something useful can be pulled out of TrustedBSD, someone is going to have to put in the time and do it. The reason they might do this, thankless or not, is beca
Re: (Score:1)
Until that is resolved, no one in their right mind would try and write anything MAC related for OpenBSD. I suspect the developers don't wish to resolve it however, and are happy with their stance.
I agree there may be FUD on both sides, but having too
Re: (Score:2)
Your beef about asterisk might be a bad assumption. I build asterisk systems as part of my job. The 1.6 series asterisk has all manner of issues; you'll be wanting to use 1.4.x (1.4.25 or above) if you intend to do a production stable system. As it happens, OpenBSD even has a binary 1.4.25 package ready to install with a single command.
And, in the ports (scripting-based system), you have 1.6.0.25, which is considered the more stable of the 1.6.x series, such as it is.
Loongson Support (Score:1)
Is GNU/Linux networking as poor as it was before? (Score:3, Informative)
When it came to things like OSPF, BGP, routing, filtering (pf failover) and that sort of networking things, Linux hasn't been the best (though queuing and protocols have had some innovations and dev work).
Anyone have an opinion on this?
For example, Zebra was basically abandoned (it sucked anyway), which now became quagga -- if I wanted a Cisco, I'd get a Cisco. Stop trying to make it a damn emulator.
BGP? I don't even know if there is anything.
iptables is cool, but it just doesn't have failover like pf has (I want people with real-world experience, don't tell me "it's supported" when it's crap.)
Re:Is GNU/Linux networking as poor as it was befor (Score:1)
YHBT (Score:2)
Check that user's name a bit more carefully. :)
Re: (Score:2)
There are rumours that iptables might be going away eventually for this instead [lwn.net].
Now I'll admit I've never used *BSD, but even I can see iptables is *fucking awful* for anything more than the most basic IP/port matching. Hopefully this'll happen sooner rather than later.
Up2Date Mirror List (Score:1)
I love OpenBSD (Score:4, Informative)
I started using OpenBSD at version 2.7 after a few years using various versions of Redhat linux and Mandrake.
I was hooked right away.. It was a lot of things. Maybe the first was the really easy installation process... In my opinion it still might be the simplest out there. There is the well written man pages.. And the simple 'full' installation. It was easy to understand where everything was and it mostly stayed that way from release to release. The config files seemed easy to read and the firewall was really snazzy!
They do some good work! I enjoy using it, even if all I am really doing is small scale hobby work.
Re: (Score:1, Flamebait)
Bullshit. Looking at the release folder, I can't even figure out what I'm supposed to download to install without reading the documentation.
Re: (Score:1)
Maybe the first was the really easy installation process...
The trouble with BSD people in general is that you can't tell if they're trolling (Theo), being trolled (80% of the BSD community are responding to obvious trolls at any one time, which is why they advance so slowly), or they actually believe what they're saying.
Maybe you're the same guy that said he was running the Linux Quake 3 under OpenBSD's Linux emulation and getting a higher framerate? This was on Slashdot quite a few years ago. It was soon pointed out that it really, really, wasn't possible to run th
Tagged "beastie" (Score:2)
why has no one tagged the article "Beastie?"
Re: (Score:2)
openBSD used to have the beastie until 2.x, I think.
I've got a shirt with him and "openBSD" on it :-)
I still think the "greasy cop" mascot from 2.5 was the best though. picture [openbsd.org]
What happened to the music? (Score:3, Interesting)
Used to be that the Plaid Tongued Devils provided a new song for every release - this is the first song I've seen by someone else.
Best way to get my feet wet? (Score:2)
Re: (Score:2)
I run it on an HP T5135 thin client to which I've added a USB microdrive. I use it as a domain server (Apache and Postfix) and also as an IRC client under "screen" on a couple of tech channels. Got that thin client used on eBay for $25.
Only pulls 16W of power according to my Kill-A-Watt meter; it's the only machine at home I leave on constantly.
UTF-8 in console/ssh (Score:1)
"NFS client stability fixes" (Score:2)
NFS still doesn't effing work right? Wow.
Re: (Score:2)
uh, you do realize every effing OS on planet earth that can run NFS has "NFS stability Fixes" in their patch sets.
you don't do anything serious with computers, do you?
Two complaints (Score:1)
At the risk of being modded troll:
1. No proper ACPI support. This is what kept me away from OpenBSD back in 2004, and I still can not put my laptop to sleep
2. Only secure if you have time to compile by yourself... no binary updates!!
Otherwise I really like OpenBSD and I would switch at any moment!
Re: (Score:2)
most would consider openBSD mainly a server OS; though it has the main common desktop wares available as binary packages, there are plenty of other open source OSes that have more creature comforts for desktop and laptop use (though I carry a USB drive with obsd that does work well with my Toshiba Satellite and for anything else I need to quickly turn into a temporary OBSD appliance).
cvs update, patching, compiling doesn't take too long on modern normal GHz hardware though, minutes. On the other hand, doing it
Maybe... (Score:2)
Cool story, brah.
Re: (Score:1)
It's entirely possible that a piece of hardware you buy contains portions of *BSD code.
So maybe at some point you will use it, if you don't already, just not how you'd expect.
Re:I can't actually get anything done on OpenBSD. (Score:4, Insightful)
Uhm... Yeah.
Why use a cheap arm toaster that can be set up in 5 minutes when you can give CISCO a few thousand dollars for a piece of shit?
Because that toaster doesn't provide real support and next-day RMA service. You might work in a small shop, but for people who run multiple datacenters, 100s or 1000s of network devices, and whose jobs rely on uptime this is a no-brainer. I'll take the appliance with the service guarantee, replacements, and track record over a few Dells with *nix running on them.
You are not allowed to replace a $10000 router with a $100 redundant array of consumer hardware because it would make your boss look bad.
I can see why you posted AC. You're out of your depth. Cisco may churn out some real crapware ancillary platforms sometimes, but when it comes to core routing and switching on the big chassis, they're pretty damned reliable.